Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

README.md

Repacking the unpacker: Applying Time Travel Debugging to malware analysis

Abstract

In this workshop we apply the Time Travel Debugging feature of WinDbg, one of the most powerful Windows debuggers, to the field of malware analysis. We show with concrete examples how this technology can be very effective in reversing complex samples in a timely manner.

Description

Microsoft added Time Travel Debugging to their powerful WinDbg debugger in 2017. This feature is a gift for reverse engineers working in all sort of fields and is clearly gaining in popularity. The most obvious area that benefits from reverse debugging is the one of root cause analysis during vulnerability research. Multiple blog posts and demonstrations have proven this.

However, other fields of reverse engeering can also greatly benefit from this innovation. This workshop takes a look at how we can leverage Time Travel Debugging for efficiently unpacking a complex, multilayered malware sample and solving common malware analysis problems in an alternative manner.

Intended audience

The intended audience for this workshop ranges from those who have a minimal reverse engineering background, to seasoned malware analysts who are interested in new approaches.

Prerequisites

A basic knowledge of x86 Assembly is recommended. Experience in WinDbg is not required.

Contents

The workshop consists of the following main parts:

  • An introduction to WinDbg Preview and its Time Travel Debugging (TTD) feature.
  • A first case of unpacking a malware sample using TTD. This case will be easy to follow along.
  • A second, more complex case of malware deobfuscation will be present. Experienced participants can work autonomously while others will get guidance.

Setup

Participants should bring a Windows 10 instance (this is a requirement for WinDbg Preview) with the following software installed:

  • Latest version of WinDbg Preview, which can be installed (and automatically updated) through the Microsoft Store.
  • A disassembler in which the participant feels comfortable (e.g. IDA, Ghidra, radare2,...). Demos will be given with IDA Freeware, which can be downloaded here.

The Windows 10 instance can be a host or guest VM, but be sure to test that you are able to start WinDbg Preview, as this can fail in a VMware environment (more info here).

Next, you will need the exercise files. The exercise files for the workshop are contained in this repository. Download a copy of this repository and bring the files with you on the Windows 10 instance.

About

Resources for the workshop titled "Repacking the unpacker: Applying Time Travel Debugging to malware analysis", given at HackLu 2019

Resources

Releases

No releases published

Packages

No packages published
You can’t perform that action at this time.