Reverse Engineering++ For Exploit Analysis

Exploit analysis is the technique of analyzing crashes induced by fuzzing, or of analyzing actual exploits found in the wild. This course teaches exploit analysis methods using emulation, dynamic binary instrumentation (DBI) and Intel Processor Trace.

Day 1 - Reverse Engineering - Dynamic and Static Analysis

  • Objectives:
    • Learning basics of Windows internals
      • PE Internals
    • Learning basics of dynamic and static analysis methods
      • Focusing on WinDbg/IDA/Ghidra
  • Contents:
    • WinDbg Automation
      • Automation based upon PyKD
      • Building WinDbg extensions
    • IDA Automation
      • Creating IDA Scripts for Automation
    • Ghidra
      • Ghidra is a software reverse engineering framework released by the NSA
      • Its decompiler can significantly speed up your investigations
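As an added example (not part of the course material), the following standard-library-only Python script walks the PE headers covered on Day 1: it reads the COFF and optional headers, lists the section table, maps a faulting address taken from a crash dump back to a file offset (the first step of most root cause analyses), and flags missing exploit mitigations and writable+executable sections. The sample image is constructed inline; its layout (section names, addresses, flag values) is an assumption for illustration, not a real binary.

```python
"""Minimal PE header walker for crash triage (standard library only)."""
import struct

IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
# IMAGE_DLLCHARACTERISTICS_* bits that control exploit mitigations.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",   # 64-bit ASLR entropy
    0x0040: "DYNAMIC_BASE",      # ASLR opt-in
    0x0080: "FORCE_INTEGRITY",   # signature enforced at load
    0x0100: "NX_COMPAT",         # DEP opt-in
    0x0400: "NO_SEH",            # no SEH handlers in image
    0x4000: "GUARD_CF",          # Control Flow Guard
}
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse DOS stub pointer, COFF header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                   # PE32: ImageBase is a DWORD at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                 # PE32+: ImageBase is a QWORD at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    sections = []
    for i in range(nsections):           # section headers follow the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "characteristics": chars})
    return {"machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)), "image_base": image_base,
            "entry_rva": entry_rva, "dll_characteristics": dll_chars, "sections": sections}


def rva_to_file_offset(pe: dict, rva: int):
    """Translate an RVA to a raw file offset via the section that contains it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None                          # header-only or unmapped RVA


def crash_to_file_offset(pe: dict, address: int, loaded_base: int):
    """Map a faulting VA from a dump to a file offset; loaded_base comes from the
    debugger (ASLR means it usually differs from the preferred ImageBase)."""
    return rva_to_file_offset(pe, address - loaded_base)


def mitigation_report(pe: dict) -> dict:
    """List mitigation bits the image lacks and any RWX sections."""
    missing = [n for bit, n in DLL_CHARACTERISTICS.items() if not pe["dll_characteristics"] & bit]
    rwx = [s["name"] for s in pe["sections"]
           if s["characteristics"] & SCN_MEM_WRITE and s["characteristics"] & SCN_MEM_EXECUTE]
    return {"missing": missing, "rwx_sections": rwx}


def build_sample_pe() -> bytes:
    """Constructed PE32+ image (assumed layout): .text RX, .data deliberately RWX,
    DllCharacteristics = DYNAMIC_BASE | NX_COMPAT only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)           # e_lfanew at 0x3C
    dos += b"\0" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0x200, 0, 0x1020, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHH", 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x3000, 0x400, 0, 3, 0x0140)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                       0x20 | SCN_MEM_EXECUTE | SCN_MEM_READ)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                        0x40 | SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE)
    hdr = dos + b"PE\0\0" + coff + opt + secs
    hdr += b"\0" * (0x400 - len(hdr))
    return hdr + b"\xCC" * 0x200 + b"\0" * 0x200                  # .text is int3 filler


if __name__ == "__main__":
    img = build_sample_pe()
    pe = parse_pe(img)
    print(pe["machine"], hex(pe["image_base"]), hex(pe["entry_rva"]))
    print("entry file offset:", hex(rva_to_file_offset(pe, pe["entry_rva"])))
    print("crash 0x7ff6a0001020 @ base 0x7ff6a0000000 ->",
          hex(crash_to_file_offset(pe, 0x7FF6A0001020, 0x7FF6A0000000)))
    print(mitigation_report(pe))
```

The report on this sample shows what a triage script should complain about: GUARD_CF and HIGH_ENTROPY_VA are absent and .data is both writable and executable, which is exactly the kind of image where a shellcode-on-the-heap exploit needs no ROP at all.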

Day 2 - Advanced Reverse Engineering - Binary Instrumentation & Automatic Analysis

  • Objectives:
    • Learning basics of binary analysis/instrumentation tools
      • Focusing on Unicorn/Capstone/Pin/TTD
    • Exercise with basic to intermediate level samples
  • Contents:
    • Unicorn & Capstone
      • Unicorn and Capstone are widely used CPU emulation and disassembly engines
      • Building an automation framework on top of these open-source engines
    • Pin & DynamoRIO
      • Basics of binary instrumentation with hands-on exercises
    • WinDbg TTD:
      • TTD (Time Travel Debugging) is one of the most practical applications of DBI technology: record once, replay and query as often as needed
      • Exercises with cases where TTD can be applied

Day 3 - Vulnerability / Exploit Analysis / Root Cause Analysis

  • Objectives:
    • Understanding practical approaches for analyzing threats
      • Exercise with Office/Flash/Win32k samples
      • Shellcode emulation
  • Contents:
    • Setting up lab environment
    • 0-day analysis methodology and best practices
      • Browser 0-days
      • Office 0-days
      • Flash 0-days
      • Win32k 0-days
    • Understanding the difference between a vulnerability and its exploitation method
      • What root cause analysis (RCA) is and why it matters from a product security perspective
      • Understanding the importance and methodology of exploitation method analysis

Day 4, 5 - DBI & Automation for Root Cause Analysis and Case Triaging

  • Objectives:
    • Understanding practical methods to automate APT malware and exploit analysis
      • Using TTD to improve productivity of exploit analysis
    • Understanding the current limits of automation: how automated pipelines can miss 0-days that should be apparent
  • Contents:
    • Binary Instrumentation:
      • WinDbg TTD is one of the most practical applications of DBI technology in the industry
      • Case studies: real-world cases from APT and commodity malware campaigns
    • Intel PT
      • Intel PT is still experimental when applied to real-world analysis cases
      • Limitations of Intel PT and how to overcome them
        • JIT/self-modifying code/temporary code on the heap
      • Case studies: real-world cases where Intel PT can be applied

Past Trainings

  • Private trainings are not listed here

Nov 2019

  • When: Nov/18/2019 (Mon) ~ Nov/22/2019 (Fri)
  • Where: Seoul, South Korea