Workshop: Manual kernel mode malware analysis

Presented at VB2018, Oct. 3, 2018, 4 p.m. (90 minutes)

In our day jobs we are faced with ever increasing quantities of threat data, IOCs and malware samples that have to be analysed in order to make decisions about classification and further processing. Millions of malware samples a day can only be processed in an automated fashion, and we have developed systems and processes that successfully address that challenge. Unfortunately, over time, we have learned to rely more on automated analysis tools and have begun to lose the ability to analyse manually and understand all aspects of a threat. This workshop will attempt to emphasise the importance of manual malware analysis, its core components, and the consequences for our community of losing this skill. Specifically, the focus of the workshop is on dynamic manual analysis of kernel-mode malware using *WinDbg*. *WinDbg* (running on top of the user- and kernel-mode *Windows* debuggers) is a powerful debugging environment allowing an analyst to dig into *Windows* internals to analyse code and find the presence of sophisticated threats, including rootkits and other kernel malware. *WinDbg* can be set up to debug local or remote systems as well as user- or kernel-mode code. It is integrated with static reversing tools such as *IDAPro*, scripting languages such as Python, and the *Windows* symbol server, which allows the analyst to develop a more complete understanding of the problem. Many extensions and scripts are available to help with analysing malware and vulnerabilities, either on a live system or by analysing a crash dump - an image of memory frozen in time. Unfortunately, commanding an environment as powerful as *WinDbg* is rather complex and the learning curve is pretty steep, despite a wealth of documentation shipped with the default distribution of the debugging tools for *Windows*.
The workshop will provide less experienced attendees with a systematic way to approach kernel-mode analysis using *WinDbg*, and hopefully allow more experienced ones to improve their *WinDbg*-Fu. We will describe key techniques required for conducting successful manual kernel-mode analysis and discuss the minimal set of operating system objects, structures and mechanisms that we need to understand before attempting the analysis. All examples will include functionality observed by analysing recent kernel-mode malware.

The workshop will cover:

  • *WinDbg* setup
  • Basic commands
  • Taking it to the next level with more advanced commands
  • Scripting with standard scripting, JavaScript and pykd
  • Extensions for malware analysis
  • Pointers for further investigation

We will conclude by providing a list of resources which should help the attendee to close a potential *Windows* kernel-mode analysis skills gap.

There are no special requirements for attendees, but they will benefit from the hands-on examples if they are able to bring a laptop set up with the *Windows* Debugging Tools. Attendees can choose to set up *WinDbg* for kernel-mode debugging either in a host-to-VM or a VM-to-VM scenario, as documented in the *Microsoft WinDbg* setup instructions page. The host (debugger) operating system should be *Windows 7 SP1* or later and the target (debuggee) operating system should be *Windows 8.1* or later.

Presenters:

  • Vanja Svajcer - Cisco Talos
    Vanja Svajcer works as a technical leader at the Cisco Talos Threat Intelligence organisation. He is a security researcher with more than 15 years of experience in malware research and detection development. Prior to joining Talos, Vanja worked for SophosLabs and led a security research team at Hewlett Packard Enterprise. Vanja enjoys tinkering with automated analysis systems, reversing binaries and Android malware. He thinks time spent scraping telemetry data for signs of new attacks is well worth the effort. In his free time, he is trying to improve his acoustic guitar skills and often plays basketball, which at his age is not a recommended activity. @vanjasvajcer
