BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//pretalx.com//bsides-canberra-2025//speaker//9YMUKK BEGIN:VTIMEZONE TZID:AEST BEGIN:STANDARD DTSTART:20000326T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3;UNTIL=20050326T170000Z TZNAME:AEST TZOFFSETFROM:+1100 TZOFFSETTO:+1000 END:STANDARD BEGIN:STANDARD DTSTART:20060402T040000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060401T170000Z TZNAME:AEST TZOFFSETFROM:+1100 TZOFFSETTO:+1000 END:STANDARD BEGIN:STANDARD DTSTART:20070325T040000 RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=3;UNTIL=20070324T170000Z TZNAME:AEST TZOFFSETFROM:+1100 TZOFFSETTO:+1000 END:STANDARD BEGIN:STANDARD DTSTART:20080406T040000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4 TZNAME:AEST TZOFFSETFROM:+1100 TZOFFSETTO:+1000 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000827T030000 RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=8;UNTIL=20000826T170000Z TZNAME:AEDT TZOFFSETFROM:+1000 TZOFFSETTO:+1100 END:DAYLIGHT BEGIN:DAYLIGHT DTSTART:20011028T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20071027T170000Z TZNAME:AEDT TZOFFSETFROM:+1000 TZOFFSETTO:+1100 END:DAYLIGHT BEGIN:DAYLIGHT DTSTART:20081005T030000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=10 TZNAME:AEDT TZOFFSETFROM:+1000 TZOFFSETTO:+1100 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-bsides-canberra-2025-JSWTRE@pretalx.com DTSTART;TZID=AEST:20250926T143000 DTEND;TZID=AEST:20250926T152500 DESCRIPTION:API Obfuscation is a common technique employed by malware autho rs to conceal the capabilities and behaviour of their malware from reverse engineers. Usually\, such obfuscation is overcome via decoding obfuscated API names during static analysis or observing the API calls during dynami c execution. But what can a reverse engineer do if even the obfuscated API names are removed from the binary? In this presentation we’ll discuss t he analysis of “TCP Listener”\, an implant encountered by the ACSC dur ing incident response. In a novel approach this implant receives its obfus cated API references with its command and control payloads\, which made an alysis difficult – but not impossible. Gathering our clues (strings\, co nstants\, function prototypes\, and call structure)\, and armed with our t ools (IDA\, Yara\, and the MSDN documentation)\, we’ll go on a journey o f deductive reasoning (along with a tiny bit of speculative imagination) t o reverse engineer this implant and fully understand its functionality. DTSTAMP:20260603T235406Z LOCATION:Main Track SUMMARY:Reverse Engineering Sherlock Holmes Style: Obfuscated APIs & The Ar t of Deduction. - Katie Deakin-Sharpe URL:https://pretalx.com/bsides-canberra-2025/talk/JSWTRE/ END:VEVENT END:VCALENDAR