In Memory of In-Memory Detection
2025-09-05, Main track

Pack, obfuscate, or encrypt your malware as much as you want to prevent detection. This works reasonably well, but ultimately your malware always runs somewhere in the memory of a computer. This is an inherent problem with all of the aforementioned techniques. At some point during execution, the payload that you have tried to hide as much as possible is decrypted to plain text, because only then can it be executed properly.

In this presentation, you will learn more about the hurdles of such polymorphic malware and how to detect it. I then introduce you to the concept of modern metamorphic malware and how this type of malware circumvents static and in-memory detection. I demonstrate that static in-memory detection is now completely dead, and we can no longer rely on it, especially when practical implementations of metamorphic malware become publicly available.

As the icing on the cake, I publish such a practical implementation: Dittobytes. Dittobytes is a project for true metamorphic cross-compilation of C-code to Truly Position Independent Code (PIC). Malware compiled with Dittobytes runs everywhere natively — in any process, on Windows, Mac, and Linux, and both on X86 and ARM64. The best part? It's different every time you compile it!

As a reverse engineer and red teamer, Tijme supports the development of adversary simulation and security testing services. His research in the past years has mainly focused on (nation-state) adversary tactics, and on converting that research into useful tools for TIBER and ART (adversary simulation) engagements. His current and primary professional occupation is his role as Offensive Security Expert at ABN AMRO Bank.