lecture: A WinDbg full of tricks
Malware analysis tricks using WinDbg
WinDbg is a powerful debugging environment allowing an analyst to dig into the Windows internals to analyse code and data in order to find presence of sophisticated threats, including rootkits and other kernel malware.
This session is developed as a refresher for one of the core reversing skills - dynamic kernel mode manual analysis using WinDbg and should provide attendees with tips and trick which should allow them to minimise the steep WinDbg learning curve.
In our day jobs we are faced with ever increasing quantities of threat data, IOCs and actual malware samples that must be analysed in order to make decisions for classification and further processing.
Millions of malware samples a day can only be processed in an automated fashion and we developed systems that can successfully address that challenge.
However, the fact that we developed massive automated analysis systems did not eliminate the need for old school skill of deep malware understanding, which is still required to analyse more advanced and immediate threats affecting our networks.
Unfortunately, over time, we learned to rely more on automated analysis tools and begun to lose the ability to manually analyse and understand every aspect of a threat.
This session is developed as a refresher for one of the core reversing skills - dynamic kernel mode manual analysis using WinDbg.
WinDbg (running on top of user and kernel mode WIndows debuggers) is a powerful debugging environment allowing an analyst to dig into the Windows internals to analyze code and find presence of sophisticated threats, including rootkits and other kernel malware. WinDbg can be set to debug local or remote systems as well as user or kernel mode code.
It is integrated with static reversing tools such as IDAPro, scripting languages such as Python and Windows symbol server which allows the analyst to develop a more complete understanding of the problem.
Many extensions and scripts are available to help with analyzing malware and vulnerabilities, either on a live system or by analyzing a crash dump - an image of memory frozen in time.
Unfortunately, commanding an environment as powerful as WinDBG is rather complex and the learning curve is pretty steep despite a wealth of documentation shipped with the Windows debuggers.
This session will help the attendee to overcome the steep learning WinDbg curve with a minimum effort.
Start time: 18:00