Reverse Engineering++ For Exploit Analysis
  • Exploit analysis methods using root cause analysis (RCA) and dynamic binary instrumentation (DBI), plus practical reverse engineering tools and tactics on the Windows platform
  • The next training will be held in Seoul, Korea from 11/18/2019 to 11/22/2019. You can reserve your seat through OnOffMix

Day 1 - Reverse Engineering - Dynamic and Static Analysis

  • Objectives:
    • Learning the basics of Windows internals
    • Learning the basics of dynamic and static analysis methods
  • Contents:
    • WinDbg Automation
      • Automation based on PyKD (Python bindings for the WinDbg debugger engine)
      • Building WinDbg extensions
    • IDA Automation
      • Writing IDA scripts (IDAPython) for automation
    • Ghidra
      • Ghidra is a powerful open-source software reverse engineering framework released by the NSA
      • Its decompiler can significantly speed up your investigations

Day 2 - Advanced Reverse Engineering - Binary Instrumentation & Automatic Analysis

  • Objectives:
    • Learning the basics of binary instrumentation
    • Exercises with basic- to intermediate-level samples
  • Contents:
    • Unicorn & Capstone
      • Unicorn (CPU emulation) and Capstone (disassembly) are industry-standard engines
      • Building an automation framework on top of these open-source engines
    • Pin & DynamoRIO
      • Basics of binary instrumentation with hands-on exercises
    • WinDbg TTD:
      • WinDbg Time Travel Debugging (TTD) records a full execution trace that can be replayed forward and backward; it is the most practical implementation of DBI technology for Windows analysis
      • Exercises with cases where TTD can be applied

Day 3 - Vulnerability / Exploit Analysis / Root Cause Analysis

  • Objectives:
    • Understanding practical approaches for analyzing threats
  • Contents:
    • Setting up lab environment
    • 0-day analysis methodology and best practices
      • Browser 0-days
      • Office 0-days
      • Flash 0-days
      • Win32k 0-days
    • Understanding the difference between a vulnerability and the method used to exploit it
      • What root cause analysis (RCA) is and why it matters from a product security perspective
      • Why exploitation method analysis matters and how to approach it

Day 4, 5 - DBI & Automation for Root Cause Analysis and Case Triaging

  • Objectives:
    • Understanding practical methods to automate APT malware and exploit analysis
    • Understanding the current limits of automation: how even apparent 0-days can be missed by automated pipelines
  • Contents:
    • Binary Instrumentation:
      • WinDbg TTD is the most practical application of DBI technology in the industry today
      • Case studies: real-world cases from APT and commodity malware campaigns
    • Intel PT
      • Intel Processor Trace (PT) is still experimental when applied to real-world analysis cases
      • Limitations of PT and how to overcome them
        • JIT, self-modifying code and temporary code on the heap: PT logs control-flow packets rather than instruction bytes, so decoding a trace requires the code image as it existed at run time, and code that was generated and later rewritten or freed cannot be reconstructed after the fact
      • Case studies: real-world cases where Intel PT can be applied