Automated Debugging Under The Hood - Building A Programmable Windows Debugger From Scratch (In Python)

Presented at DEF CON 30 (2022), Aug. 13, 2022, 2 p.m. (240 minutes).

How do anti-debug tricks actually work? Is there a way to automate tedious debugging tasks like unpacking malware? Have you ever wondered what is happening under the hood of a debugger? In this workshop you will build your own programmable Windows debugger from scratch (using Python). Each component in the debugger will be built as a separate module with an accompanying lab used to explain the concepts and Windows internals that support the component. In the final lab you will have the chance to test your new debugger against various malware samples and attempt to automatically unpack them, and extract IOCs. This workshop is aimed at malware analysts and reverse engineers who are interested in learning more about debuggers and how programmable debuggers can be used to automate some reverse engineering workflows. Students must be able to write basic Python scripts, and have a working knowledge of the Windows OS. You will be provided with a VirtualMachine to use during the workshop. Please make sure to bring a laptop that meets the following requirements. - Your laptop must have VirtualBox or VMWare installed and working prior to the start of the course. - Your laptop must have at least 60GB of disk space free. - Your laptop must also be able to mount USB storage devices. (Make sure you have the appropriate dongle if you need one.) Materials: Students will be provided with a VirtualMachine to use during the workshop. They will need to bring a laptop that meets the following requirements; - The laptop must have VirtualBox or VMWare installed and working prior to class. - The laptop must have at least 60GB of disk space free. - The laptop must be able to mount USB storage devices (ensure you have the appropriate dongle if you need one). Prereq: Students must be able to write basic Python scripts and have a basic understanding of the Windows operating system. Familiarity with a Windows user space debugger like x64dbg would also be a benefit.

Presenters:

  • Sergei Frankoff - Co-Founder, OpenAnalysis Inc.
    Sergei is a co-founder of OpenAnalysis Inc. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis, and producing tutorials for the OALABS YouTube channel. With over a decade in the security industry Sergei has extensive experience working at the intersection of incident response and threat intelligence.
  • Sean Wilson - Co-Founder, OpenAnalysis Inc.
    Sean is a co-founder of OpenAnalysis Inc. He splits his time between reverse engineering malware and building automation tools for incident response. Sean brings over a decade of experience working in a number of incident response and application security roles with a focus on security testing and threat modelling. In his free time Sean loves fly fishing.

Similar Presentations: