Skip to content
Resources for the workshop title "Repacking the unpacker: Applying Time Travel Debugging to malware analysis", given at HackLu 2019
Branch: master
Clone or download
Latest commit fd73e70 Sep 11, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md Update README.md Sep 11, 2019

README.md

Repacking the unpacker: Applying Time Travel Debugging to malware analysis

Abstract

In this workshop we apply the Time Travel Debugging feature of WinDbg, one of the most powerful Windows debuggers, to the field of malware analysis. We show with concrete examples how this technology can be very effective in reversing complex samples in a timely manner.

Description

Microsoft added Time Travel Debugging to their powerful WinDbg debugger in 2017. This feature is a gift for reverse engineers working in all sort of fields and is clearly gaining in popularity. The most obvious area that benefits from reverse debugging is the one of root cause analysis during vulnerability research. Multiple blog posts and demonstrations have proven this.

However, other fields of reverse engeering can also greatly benefit from this innovation. This workshop takes a look at how we can leverage Time Travel Debugging for efficiently unpacking a complex, multilayered malware sample and solving common malware analysis problems in an alternative manner.

Intended audience

The intended audience for this workshop ranges from those who have a minimal reverse engineering background, to seasoned malware analysts who are interested in new approaches.

Prerequisites

A basic knowledge of x86 Assembly is recommended. Experience in WinDbg is not required.

Contents

The workshop consists of the following main parts:

  • An introduction to WinDbg Preview and its Time Travel Debugging (TTD) feature.
  • A first case of unpacking a malware sample using TTD. This case will be easy to follow along.
  • A second, more complex case of malware deobfuscation will be present. Experienced participants can work autonomously while others will get guidance.

Setup

Participants should bring a Windows 10 instance (this is a requirement for WinDbg Preview) with the following software installed:

  • Latest version of WinDbg Preview, which can be installed (and automatically updated) through the Microsoft Store.
  • A disassembler in which the participant feels comfortable (e.g. IDA, Ghidra, radare2,...). Demos will be given with IDA Freeware, which can be downloaded here.

The Windows 10 instance can be a host or guest VM, but be sure to test that you are able to start WinDbg Preview, as this can fail in a VMware environment (more info here).

The exercise files for the workshop will be available for download under the Releases prior to the workshop. Download the latest release and bring the files with you on the Windows 10 instance.

You can’t perform that action at this time.