Exploit analysis is the technique of analyzing crashes induced by fuzzing, or of analyzing actual exploits found in the wild. This course will teach you exploit analysis methods using emulation, DBI (dynamic binary instrumentation) and Intel Processor Trace.
Day 1 - Reverse Engineering - Dynamic and Static Analysis
- Objectives:
  - Learning basics of Windows internals
  - PE internals
  - Learning basics of dynamic and static analysis methods
  - Focusing on WinDbg/IDA/Ghidra
- Contents:
Day 2 - Advanced Reverse Engineering - Binary Instrumentation & Automatic Analysis
- Objectives:
  - Learning basics of binary analysis/instrumentation tools
  - Focusing on Unicorn/Capstone/Pin/TTD
  - Exercises with basic to intermediate level samples
- Contents:
  - Unicorn & Capstone
    - Unicorn and Capstone are industry-standard emulation and disassembly engines
    - Building an automation framework on top of this powerful open-source technology
  - Pin & DynamoRIO
    - Basics of binary instrumentation with hands-on exercises
  - WinDbg TTD:
    - TTD is the most practical implementation of DBI technology
    - Exercises with cases where TTD can be applied
Day 3 - Vulnerability / Exploit Analysis / Root Cause Analysis
- Objectives:
  - Understanding practical approaches for analyzing threats
  - Exercises with Office/Flash/Win32k samples
  - Shellcode emulation
- Contents:
  - Setting up the lab environment
  - 0-day analysis methodology and best practices
    - Browser 0-days
    - Office 0-days
    - Flash 0-days
    - Win32k 0-days
  - Understanding the differences between vulnerabilities and exploitation methods
  - What RCA is and why RCA is important from a product security perspective
  - Understanding the importance and methodology of exploitation method analysis
Day 4, 5 - DBI & Automation for Root Cause Analysis and Case Triaging
- Objectives:
  - Understanding practical methods to automate APT malware and exploit analysis
  - Using TTD to improve the productivity of exploit analysis
  - Understanding current challenges with automation: how our automation can miss apparent 0-days
- Contents:
  - Binary Instrumentation:
    - WinDbg TTD is the most practical application of DBI technology in the industry
    - Case studies: real-world cases from APT and commodity malware campaigns
  - Intel PT
    - Intel PT is still experimental when applied to real-world analysis cases
    - Limitations of PT technology and how to overcome them
      - JIT / self-modifying code / temporary code on the heap
    - Case studies: real-world cases where Intel PT can be applied
Past Trainings
- Private trainings are not listed here
Nov 2019
- When: Nov/18/2019 (Mon) ~ Nov/22/2019 (Fri)
- Where: Seoul, South Korea