Accelerating Malware Analysis with WinDbg Time Travel Debugging

Presented at DEF CON 33 (2025), Aug. 8, 2025, 9 a.m. (240 minutes).

Malware analysis and reverse engineering involve intricate execution, obfuscation, and anti-analysis techniques that hinder traditional debugging. This intensive, hands-on workshop introduces WinDbg's powerful Time Travel Debugging (TTD), allowing you to record a complete execution trace and replay it forwards and backwards. Designed for reverse engineers and malware analysts, this workshop provides practical skills to harness TTD, significantly cutting analysis time compared to traditional methods. Throughout this 4-hour session, dive directly into practical application. Start with TTD essentials and capturing traces (GUI/CLI), then quickly progress to navigating timelines efficiently. Gain proficiency using the Debugger Data Model and LINQ queries to rapidly locate key events, API usage, and suspicious memory patterns within large traces. Crucially, learn to automate analysis by creating powerful JavaScript extensions for WinDbg, applying these skills in hands-on labs focused on tasks like extracting dynamically deobfuscated strings from malware. Leave equipped to confidently integrate WinDbg TTD into your workflow, accelerating your triage and deep-dive analysis capabilities.

Presenters:

• Jae Young Kim - Google
  Jae Young Kim is a Senior Reverse Engineer on Mandiant's FLARE Team where he reverses malware and contributes to FLARE's automated analysis and binary similarity efforts. He is a seasoned instructor and a core contributor to FLARE’s educational content development efforts. He has a Bachelors in Computer Science from Columbia University.
• Joshua "jstrosch" Stroschein - Google
  Joshua is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. He is an accomplished trainer, providing training at places such as Ring Zero, Black Hat, DEF CON, ToorCon, Hack In The Box, SuriCon, and other public and private venues. He is also an author on Pluralsight, where he publishes content around malware analysis, reverse engineering, and other security related topics.

Similar Presentations:

• VB2018 / Workshop: Manual kernel mode malware analysis
• DEF CON 30 (2022) / Master Class: Delivering a New Construct in Advanced Volatile Memory Analysis for Fun and Profit Workshop
• DEF CON 31 (2023) / The Joy of Reverse Engineering: Learning With Ghidra and WinDbg Workshop