Using Antlr In Cybersecurity


Another Tool for Language Recognition (Antlr) is a Java-based parser generator. You define your language grammar and out pops a parser! Besides letting you design your own languages, Antlr comes with ready-made grammars for many existing programming languages, including C. Using Antlr together with StringTemplate, a templating engine from the same camp, we can do source-to-source translation of C code automagically: parse C declarations with the generated parser, then emit new C from templates. We then combine the generated C with an API hooking library such as Microsoft Detours. The result is a tool for real-time monitoring of program behavior, of the kind used in malware analysis and digital forensics.
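To make the pipeline concrete, here is an added example (not the speaker's tool and not code from Antlr, StringTemplate or Detours) of the source-to-source step: take C prototypes of Windows API functions, parse them, and emit a Detours-style hook for each one. A small hand-written regex parser stands in for the Antlr-generated C parser, and Python's string.Template stands in for StringTemplate; the sample prototypes are constructed for the example with SAL annotations stripped (real headers are messier), and LogCall is an assumed user-supplied logging function. The Detours calls in the emitted C (DetourTransactionBegin, DetourUpdateThread, DetourAttach, DetourTransactionCommit) are the library's real API, but the output is only meant to be compiled on Windows against detours.h.

```python
"""Emit Detours-style hook stubs from C prototypes (added example, not the talk's code)."""
import re
from dataclasses import dataclass
from string import Template

# Constructed sample input: three Windows API prototypes, SAL annotations removed.
SAMPLE_PROTOTYPES = """
HANDLE WINAPI CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess,
    DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
LONG WINAPI RegDeleteKeyW(HKEY hKey, LPCWSTR lpSubKey);
int WSAAPI connect(SOCKET s, const struct sockaddr *name, int namelen);
"""

CALLING_CONVENTIONS = {"WINAPI", "APIENTRY", "WSAAPI", "__stdcall", "__cdecl"}
HANDLE_TYPES = {"HANDLE", "HKEY", "HWND", "HMODULE", "SOCKET"}


@dataclass
class Param:
    ctype: str
    name: str


@dataclass
class Prototype:
    ret: str
    callconv: str
    name: str
    params: list


def parse_prototypes(source: str) -> list:
    """Parse 'ret [callconv] name(type name, ...);' declarations (stand-in for Antlr)."""
    protos = []
    for decl in source.split(";"):
        decl = " ".join(decl.split())  # collapse newlines and indentation
        if not decl:
            continue
        m = re.fullmatch(r"(?P<ret>.+?)\s+(?P<name>\w+)\s*\((?P<params>.*)\)", decl)
        if not m:
            raise ValueError(f"unparsable prototype: {decl!r}")
        ret_tokens = m["ret"].split()
        callconv = ret_tokens.pop() if ret_tokens[-1] in CALLING_CONVENTIONS else ""
        params = []
        if m["params"].strip() not in ("", "void"):
            for p in m["params"].split(","):
                # type is everything before the trailing identifier, e.g. 'const struct sockaddr *'
                pm = re.fullmatch(r"(?P<type>.*?)\s*(?P<name>\w+)", p.strip())
                if not pm:
                    raise ValueError(f"unparsable parameter: {p!r}")
                params.append(Param(pm["type"], pm["name"]))
        protos.append(Prototype(" ".join(ret_tokens), callconv, m["name"], params))
    return protos


def log_spec(p: Param):
    """Pick a printf conversion and argument expression for logging one parameter."""
    if p.ctype in ("LPCWSTR", "LPWSTR"):
        return "%ls", p.name
    if p.ctype.endswith("*") or p.ctype.startswith(("LP", "P")) or p.ctype in HANDLE_TYPES:
        return "%p", f"(void *){p.name}"
    return "%ld", f"(long){p.name}"


HOOK_TEMPLATE = Template("""\
/* ---- $name ---- */
static $ret (${callconv}*Real_$name)($decls) = $name;

$ret ${callconv}Hook_$name($decls)
{
    LogCall("$name($fmt)"$args);
    $call
}
""")

INSTALL_TEMPLATE = Template("""\
LONG InstallHooks(void)
{
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
$attaches
    return DetourTransactionCommit();
}
""")


def generate_hooks(source: str) -> str:
    """Stand-in for the StringTemplate step: C source for hooks plus an installer."""
    protos = parse_prototypes(source)
    out = ["#include <winsock2.h>  /* assumed includes; adjust for the APIs hooked */",
           "#include <windows.h>", "#include <detours.h>",
           "void LogCall(const char *fmt, ...);  /* assumed, user-supplied */", ""]
    for pr in protos:
        decls = ", ".join(p.ctype + p.name if p.ctype.endswith("*") else f"{p.ctype} {p.name}"
                          for p in pr.params) or "void"
        specs = [log_spec(p) for p in pr.params]
        call = f"Real_{pr.name}({', '.join(p.name for p in pr.params)});"
        out.append(HOOK_TEMPLATE.substitute(
            name=pr.name, ret=pr.ret, callconv=pr.callconv + " " if pr.callconv else "",
            decls=decls, fmt=", ".join(s for s, _ in specs),
            args="".join(f", {a}" for _, a in specs),
            call=call if pr.ret == "void" else "return " + call))
    attaches = "\n".join(f"    DetourAttach((PVOID *)&Real_{pr.name}, (PVOID)Hook_{pr.name});"
                         for pr in protos)
    out.append(INSTALL_TEMPLATE.substitute(attaches=attaches))
    return "\n".join(out)


if __name__ == "__main__":
    print(generate_hooks(SAMPLE_PROTOTYPES))
```

Each generated hook logs its arguments and then forwards to the original through the `Real_` trampoline that Detours fills in, which is the standard Detours pattern; `InstallHooks` attaches all of them in one transaction. Feeding this generator a whole header rather than three hand-picked prototypes is exactly where hooking coverage comes from, and also where a toy regex parser gives out and a real C grammar earns its keep.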

Speaker: Stuart Maclean

Stuart Maclean's day job is all embedded software for ocean instruments, but he also dabbles in building cybersecurity tools using Java. He thinks API hooking systems like Cuckoo Sandbox are way cool. In goes a malicious program and out comes a description of that program's interaction with the system: files opened, registry keys deleted, network connections made, etc. Yet Cuckoo hooks only a small subset of the vast Windows API. Stuart used Antlr and StringTemplate to auto-generate API hooking routines, so increasing the share of the API that gets hooked and with it the coverage of a program's behavior. In doing this work, Stuart has learned that there's only one thing more tortuous than parsing C, and that's parsing ... come to SeaJUG to find out!