CanSecWest: Security Masters Dojo Vancouver
Introduction to Windows Analysis, Forensics and Reverse Engineering with WinDBG
Register for the March 12-13, 2-day Course
Instructor(s):
Alex Ionescu
Description:
The Windows Debugger (WinDBG) is an invaluable tool for troubleshooting, analyzing, forensics, reverse engineering, and learning about a wide variety of Microsoft Operating Systems-based code, including XBOX Games, Windows Phone Applications, Kernel Rootkits, User-Mode Malware and the Azure Hypervisor. Powered by a wide variety of extensions and access to public symbol files, it can be a powerful tool in the arsenal of both an attacker and defender. Yet, decades of abandonment led to an arcane scripting and automation language, painfully slow serial port-based connectivity, and a GUI straight out of Windows 3.1 MDI.
With a refreshed passion and renewed development effort, the WinDBG team has made significant changes to the entire debugging architecture and platform, providing 10Gbit/s connectivity for Virtual Machine and Remote System debugging, an entirely rewritten user interface, a powerful debugger data model for visualizing code and data structures in agnostic ways, and an ES6 JavaScript scripting language that can imperatively hunt in memory, conditionalize breakpoints, and even extend the namespace, model, and data structures shown in the debugger and its symbols.
If the thought of bridging a JavaScript routine with a public symbol data type to hunt for a rootkit using a LINQ query with a predicate based on a lambda expression sounds like the kind of reversing and forensics you'd like to be doing, instead of relying on 3rd party tools or learning what .block { @@C++((*(int*)@@MASM(nt!Foo))[0n10]) } means or which devil spawn it will form in your kernel, this course is for you.
Key Learning Objectives:
Upon completion of this training, participants will be able to:
- Understand how to effectively and quickly set up a remote debugger connection to a Windows 8 or later target, including in a Virtual Machine.
- Learn how to set up Windows 8 and later local kernel debugging appropriately and safely, and the use cases for doing so.
- Learn the basic principles behind lambda expressions, predicates, closures, LINQ, anonymous types, and more
- Learn NatVis-based programming with the XML NatVis file language
- Become proficient with the Debugger Data Model for a variety of tasks such as process enumeration, memory scanning and structure carving, library/module enumeration
- Learn the JavaScript Host-extension model for both imperative programming and model/type extensions
- Write a few sample extension scripts, such as converting a Red-Black Tree of loaded DLLs or an AVL Tree of memory allocations into an iterable LINQ Container type for hunting for interesting artifacts and IoCs.
- Write simple scripts such as dumping the 64-bit system call table and identifying oddities
- Write advanced scripts combining their knowledge to perform complex tasks such as "netstat" on a kernel memory dump, or enumerating the root directory of their C drive from a kernel memory dump.
- Get an initial understanding of Time Travel Debugging (TTD) and the future of symbolic code analysis and runtime fuzzing capabilities when combined with LINQ, JS and NatVis capabilities.
- All of the above without resorting to 3rd party tools such as Python or Volatility, nor arcane understanding of internals or legacy WinDBG syntax.
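The objectives above mention the JavaScript host-extension model and a script that dumps the 64-bit system call table and identifies oddities. The following is an added example written for this page, not course material or code from the instructor: it decodes an x64 KiServiceTable (each 32-bit entry is a table-relative offset shifted left by 4, with the low nibble holding the stack argument count) and flags any service whose resolved address falls outside the ntoskrnl image, which is the classic sign of a redirected system call. The decode and check functions are plain JavaScript and run under Node on a constructed sample; the `initializeScript` / `checkServiceTable` glue at the bottom assumes the WinDbg `host` object, the `nt!KiServiceTable` and `nt!KiServiceLimit` symbols, and the `host.memory.readMemoryValues` and `host.currentProcess.Modules` APIs, and is only reached when the file is loaded with `.scriptload` inside the debugger.

```javascript
"use strict";
// Added example (not course material): decode an x64 KiServiceTable and flag
// entries that resolve outside the kernel image. The pure functions run under
// Node; initializeScript() is WinDbg glue and only runs under the debugger.

// x64 entry layout: int32 value = ((routine - tableBase) << 4) | stackArgCount.
function decodeServiceTable(tableBase, rawEntries) {
  return rawEntries.map((raw, index) => {
    const signed = raw | 0;      // reinterpret as int32: offsets can be negative
    const offset = signed >> 4;  // arithmetic shift keeps the sign of the offset
    return {
      index,
      address: tableBase + BigInt(offset),
      stackArgs: signed & 0xf,
    };
  });
}

// The native service table should only ever point into ntoskrnl itself, so
// anything outside [ntBase, ntBase + ntSize) is worth a closer look.
function findOddSyscalls(entries, ntBase, ntSize) {
  const ntEnd = ntBase + BigInt(ntSize);
  return entries.filter((e) => e.address < ntBase || e.address >= ntEnd);
}

// Constructed sample (not a real dump): made-up kernel base, a table inside the
// image, two legitimate entries (one with a negative offset) and one entry
// redirected past the end of the image.
const SAMPLE = {
  ntBase: 0xfffff80310000000n,
  ntSize: 0xa00000,
  tableBase: 0xfffff803103d0000n,
  rawEntries: [
    0x00001000, // tableBase + 0x100, 0 stack args: legitimate
    0xfffe0003, // tableBase - 0x2000, 3 stack args: legitimate, negative offset
    0x3c300004, // tableBase + 0x3c30000 = 0xfffff80314000000: outside nt
  ],
};

function runSample() {
  const entries = decodeServiceTable(SAMPLE.tableBase, SAMPLE.rawEntries);
  return findOddSyscalls(entries, SAMPLE.ntBase, SAMPLE.ntSize);
}

// ---- WinDbg glue below: assumed host API, never executed under Node ----

// host.Int64 -> BigInt without losing the upper 32 bits of a kernel address.
function toBigInt(v) {
  if (typeof v === "number") return BigInt(v);
  return (BigInt(v.getHighPart() >>> 0) << 32n) | BigInt(v.getLowPart() >>> 0);
}

function checkServiceTable() {
  const tableAddr = host.getModuleSymbolAddress("nt", "KiServiceTable");
  const limitAddr = host.getModuleSymbolAddress("nt", "KiServiceLimit");
  const count = host.memory.readMemoryValues(limitAddr, 1, 4)[0];
  const raw = host.memory.readMemoryValues(tableAddr, count, 4);

  // Locate the kernel image range from the module list (assumed property names).
  let ntBase = null;
  let ntSize = 0n;
  for (const m of host.currentProcess.Modules) {
    if (m.Name.toLowerCase().endsWith("ntoskrnl.exe")) {
      ntBase = toBigInt(m.BaseAddress);
      ntSize = toBigInt(m.Size);
      break;
    }
  }
  if (ntBase === null) throw new Error("ntoskrnl.exe not found in module list");

  const entries = decodeServiceTable(toBigInt(tableAddr), raw);
  const odd = findOddSyscalls(entries, ntBase, ntSize);
  for (const e of odd) {
    host.diagnostics.debugLog(
      `service #${e.index} -> 0x${e.address.toString(16)} ` +
      `(${e.stackArgs} stack args) resolves outside nt\n`);
  }
  return odd.length;
}

function initializeScript() {
  // Exposes the check as !oddsyscalls once the script is loaded in WinDbg.
  return [
    new host.apiVersionSupport(1, 7),
    new host.functionAlias(checkServiceTable, "oddsyscalls"),
  ];
}
```

Under Node, `runSample()` returns the single redirected entry from the constructed table; under WinDbg, `!oddsyscalls` walks the live table and logs each entry that does not resolve into the kernel image, which is the kind of LINQ-style predicate filtering the course describes doing without third-party tooling.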
PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. These individual class guides list the material students are expected to have knowledge of coming in and the software tools that need to be pre-installed before attending, so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses and will be necessary to get the maximum benefit out of these educational programs.
Pre-requisites:
To get the most out of this training, knowledge of computer science concepts such as memory, registers, processes, threads, and basic programming knowledge (functions and basic data structures) is highly recommended. Students should be familiar with basic Windows OS concepts (kernel mode vs. user mode, processes vs. threads, heap, stack, pool, drivers, etc.). Reading Windows Internals 7th Edition, Part 1 is optional but would be helpful to maximize knowledge absorption.
What you will need to bring:
Students will need a laptop with the ability to run a 64-bit version of Windows 10 1803 (Redstone 4) and a wireless network adapter. Full administrative access and the ability to turn off BitLocker/SecureBoot is needed; otherwise a Virtual Machine such as VMware Workstation and/or Oracle VirtualBox needs to be installed with a Windows 10 1803 x64 build and the appropriate software, which can be obtained from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. Additionally, the latest Windows 10 RS4 SDK as of March 10th must be installed. Final download links and software information will be sent by e-mail to all attendees.
Who Should Attend:
Windows Kernel Exploitation/Internals/Rootkit analysis-course attendees, Bug Hunters & Red Teamers, User Mode Exploit Developers, Windows Driver Developers & Testers, Windows Forensic analysts, anyone with an interest in understanding Windows Kernel and User forensics and data structures, Ethical Hackers, Security Researchers and Penetration Testers looking to upgrade their skill-set and toolkit with the new Windows Debugger capabilities.