Here’s where you’ll find our exclusive video coverage of select cyber security related events, as well as original productions from our CyberWire team.

For the latest updates on our videos subscribe to our video RSS feed, and follow us on Vimeo.

Alexei Bulazel — Inside MpEngine.dll: Reverse Engineering Windows Defender's JavaScript Engine

Windows Defender’s MpEngine.dll implements the core of Defender’s functionality in an enormous ~11 MB, 45,000+ function DLL. In this presentation, we’ll look at the ~1,200 functions that comprise Defender’s proprietary JavaScript engine, which is used for analyzing potentially malicious JS code. Defender implements a full JS engine, though it is significantly simpler than the engines found in modern web browsers, so it is a tractable target for reverse engineering from binary.

We’ll cover reverse engineering the JS engine, including how it works (types, memory management, JS/ECMAScript features, integration with Defender’s antivirus system, etc.), building tooling to interact with it, non-security JS runtime bugs, anti-analysis tricks for malicious scripts, and a bit on the engine’s attack surface for exploitation.

We’ll conclude by considering other subsystems within the remaining 98% of this enormous binary. (Source: Jailbreak Brewing Company)