Using WPP and TraceLogging Tracing to Facilitate Dynamic and Static Windows RE

Presented at REcon 2019, June 30, 2019, 4 p.m. (60 minutes)

WPP and TraceLogging, tracing facilities built on top of Event Tracing for Windows (ETW), have been available in most Windows binaries for a long time but until recently have been underutilized for tasks other than debugging. Reverse engineers, vulnerability researchers, and detection engineers have an opportunity to take advantage of these rich data sources, however.

In this talk, the following concepts will be introduced:

  • Introduction to WPP and TraceLogging
  • The importance of the ETW security model and how common software subverts ETW security
  • Methodology for identifying internal user and kernel trace sources
  • How some security products build detections from TraceLogging data sources
  • Real-world applications including collection of sample traces against well-known security products

Upon gaining a more complete understanding of WPP and TraceLogging, attendees will, at a minimum, gain sufficient background to safely ignore one of the more common code constructs found in Windows code.

Presenters:

  • Matt Graeber
    Matt Graeber (@mattifestation) likes to understand Windows internals and regularly ponders the concept of trust. He is a security researcher at SpecterOps.
