Black Hat Digital Self Defense USA 2006


Black Hat USA Training 2006
Caesars Palace Las Vegas • July 29-30 and July 31-August 1

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Black Hat Registration

Advanced Malware Deobfuscation

Jason Geffner & Scott Lambert

What to bring:
Students must bring their own laptop with Windows® XP or Windows Server 2003 installed.

Learn to effectively analyze malware samples that employ chunked packing, SEH injection and redirection, protected processes, API redirection, and a plethora of other anti-debugging tricks.

Security researchers are facing a growing problem in the complexity of malicious executables. With an ever-increasing number of tools that malware authors use to compress and obfuscate executables, and the pressing urgency that analysts often face, it is vital for analysts to know the best methods to remove protections that they have never seen before.

Unpacking is the process of removing the compression and obfuscation applied by a “packer” (or “protector”) to a compiled and linked binary. This class will focus on teaching attendees the steps required to effectively deal with both known and previously unknown packing techniques.

This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in thwarting anti-debugging and anti-disassembling techniques.

Day One
The first day will focus on understanding the problems presented by obfuscated malware and the steps required to effectively return the malware to an analyzable state. You will begin the day by learning the fundamentals of the Portable Executable (PE) file format. Then, through a series of lab exercises, you will learn reliable methods for finding the Original Entry Point. With this knowledge in hand, you will write software to construct a valid PE file on disk from the memory of a running process. You will complete this exercise by reconstructing the Import Table, effectively returning the executable to its pre-obfuscated state. With this virgin executable, you will apply static analysis techniques to determine the malware’s malicious capabilities.

The day will include a series of lab exercises focused on defeating anti-debugging tricks such as hardware/software breakpoint detection, generic/specific debugger detection, unpacker stub detection, Thread Local Storage callback functions, and more.
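The Day One exercise of building a valid PE file from a running process comes down to one idea: a memory dump is laid out by SectionAlignment, while the section table it carries still describes the packed file's disk layout, so the dump's headers send every RVA to the wrong file offset until they are rewritten. The Python below is an added example written for this page, not course material or a tool from the course CD. It constructs a small two-section PE32 memory image whose section headers still hold the packed file's raw pointers (a constructed sample, labelled as such in the code), shows the stale RVA-to-offset mapping, then realigns each section's raw pointer and size to the memory layout, repairs FileAlignment, SizeOfHeaders and SizeOfImage, and writes the Original Entry Point into AddressOfEntryPoint. The OEP is passed in by the analyst, since recovering it is the lab's own work, and Import Table reconstruction is left for the course.

```python
"""Rebuild a loadable PE32 from a process-memory dump (added example, constructed data).
Field offsets follow IMAGE_NT_HEADERS32 / IMAGE_SECTION_HEADER as declared in winnt.h."""
import struct

DOS_E_LFANEW = 0x3C
SECTION_HEADER_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
# Byte offsets of the IMAGE_OPTIONAL_HEADER32 fields touched below
OPT_ENTRY_POINT, OPT_IMAGE_BASE = 16, 28
OPT_SECTION_ALIGNMENT, OPT_FILE_ALIGNMENT = 32, 36
OPT_SIZE_OF_IMAGE, OPT_SIZE_OF_HEADERS = 56, 60


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def parse_pe(pe):
    """Return the header fields and section table of a PE32 buffer."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", pe, DOS_E_LFANEW)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, nt + 6)[0]     # FileHeader.NumberOfSections
    size_opt = struct.unpack_from("<H", pe, nt + 20)[0]        # FileHeader.SizeOfOptionalHeader
    opt = nt + 24                                              # IMAGE_OPTIONAL_HEADER32 start
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    u32 = lambda off: struct.unpack_from("<I", pe, opt + off)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * SECTION_HEADER_SIZE
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HEADER_FMT, pe, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "hdr_off": off})
    return {"opt": opt, "entry_point": u32(OPT_ENTRY_POINT),
            "section_alignment": u32(OPT_SECTION_ALIGNMENT), "file_alignment": u32(OPT_FILE_ALIGNMENT),
            "size_of_headers": u32(OPT_SIZE_OF_HEADERS), "sections": sections}


def rva_to_offset(pe, rva):
    """Translate an RVA to a file offset using the section table exactly as written."""
    info = parse_pe(pe)
    if rva < info["size_of_headers"]:
        return rva
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is outside every section")


def fix_dump(dump, oep):
    """Make a memory dump loadable: file layout := memory layout, entry point := OEP.
    `oep` is the Original Entry Point the analyst recovered; this does not search for it."""
    out = bytearray(dump)
    info = parse_pe(out)
    align, opt = info["section_alignment"], info["opt"]
    for s in info["sections"]:
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in the section header
        struct.pack_into("<II", out, s["hdr_off"] + 16, align_up(s["vsize"], align), s["va"])
    last = info["sections"][-1]
    size_of_image = align_up(last["va"] + last["vsize"], align)
    out.extend(bytes(max(0, size_of_image - len(out))))        # pad a short dump to SizeOfImage
    struct.pack_into("<I", out, opt + OPT_FILE_ALIGNMENT, align)
    struct.pack_into("<I", out, opt + OPT_SIZE_OF_HEADERS,
                     min(align_up(info["size_of_headers"], align), info["sections"][0]["va"]))
    struct.pack_into("<I", out, opt + OPT_SIZE_OF_IMAGE, size_of_image)
    struct.pack_into("<I", out, opt + OPT_ENTRY_POINT, oep)
    return bytes(out)


def build_sample_dump():
    """Constructed two-section PE32 image as a packer stub would leave it in memory."""
    sect_align, file_align = 0x1000, 0x200
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, 0x2000)         # entry point still names the stub
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, 0x00400000)
    struct.pack_into("<II", opt, OPT_SECTION_ALIGNMENT, sect_align, file_align)
    struct.pack_into("<II", opt, OPT_SIZE_OF_IMAGE, 0x3000, 0x200)
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    # Raw pointers and sizes are those of the packed file on disk, not of the memory image
    sections = struct.pack(SECTION_HEADER_FMT, b".text", 0x1000, 0x1000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(SECTION_HEADER_FMT, b".data", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(0x3000)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, DOS_E_LFANEW, 0x40)
    image[0x40:0x40 + 4 + 20 + 0xE0 + 80] = b"PE\0\0" + file_hdr + opt + sections
    image[0x1000:0x1003] = b"\x55\x8B\xEC"       # unpacked code at the OEP: push ebp; mov ebp, esp
    return bytes(image)


if __name__ == "__main__":
    dump = build_sample_dump()
    print(f"stale headers: RVA 0x1000 -> file offset {rva_to_offset(dump, 0x1000):#x}")
    fixed = fix_dump(dump, oep=0x1000)
    print(f"fixed headers: RVA 0x1000 -> file offset {rva_to_offset(fixed, 0x1000):#x}, "
          f"entry point {parse_pe(fixed)['entry_point']:#x}")
```

Setting FileAlignment equal to SectionAlignment and PointerToRawData equal to VirtualAddress is the simplest consistent choice because it makes the file a byte-for-byte copy of the image; the resulting file is larger than a linker would produce, but every RVA now resolves to the bytes that were actually in memory, which is what the static analysis in the rest of the lab depends on.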

Day Two
The second day will focus on how to unpack a heavily armored malware sample. You will learn about the concept of protected processes and how to decouple parent/child processes. Next, you will learn how API redirection utilizes stolen bytes. Then, you will master everything there is to know about Structured Exception Handling injection and redirection. Lastly, you will learn how chunked packing works, how to recognize it, and how to defeat it.

The day will end in a contest in which attendees will pit their wits against one another to analyze a heavily armored executable.

Who Should Attend
This class is for skilled security analysts who wish to learn how to remove binary obfuscation from malware for analysis purposes. It is expected that attendees have a firm understanding of x86 assembly language and the Microsoft Windows API. Reverse engineering experience is desired, though not required.

What Do I Get?

  • Hard copies of lecture slides and lab exercises.
  • A CD containing all of the tools that will be used in the course.

Jason Geffner is a Reverse Engineer on Microsoft Corporation's Anti-Malware Team, where his work involves analyzing malware samples, unpacking binaries, and writing tools for analysis and automation.

Jason graduated from Cornell University in 2004 with a Bachelor of Science in Computer Science. He spent his summer of 2003 with Compuware Corporation where he performed full source code recovery on malware samples and penetration-tested in-house copy-protection systems via reverse engineering. During the summer of 2002, Jason worked for Pitney Bowes, where he reverse engineered software security solutions and developed process-stealthing technologies.

Jason is a member of this year's Reverse Engineering Conference (REcon) Program Committee. He holds a Top Secret security clearance, and has been actively reverse engineering and analyzing software protection methods for the past nine years.

Scott Lambert is a Security Program Manager on the Secure Windows Initiative (SWI) team at Microsoft. He is responsible for enhancing the internal security tools at Microsoft, including various fuzzing tools. Leveraging his industry experience, Lambert works to ensure that SWI tools identify the vast majority of vulnerability classes.

Prior to joining Microsoft, Lambert developed, maintained and supported numerous computer security applications ranging from Vulnerability Assessment and Risk Management software to Network and Host-Based Intrusion Detection/Prevention Systems for companies such as L-3 Network Security, Veridian Information Solutions, Symantec Corporation and TippingPoint, a division of 3Com. In addition, he developed and implemented test plans for the evaluation of both wired and wireless Intrusion Detection Systems and performed advanced protocol analysis in support of research and validation of various computer and network vulnerabilities and attack techniques.



Early Bird: Ends June 30, 2006    $1800 USD
Ends July 27, 2006                $2000 USD
Begins July 28, 2006              $2100 USD

(c) 1996-2007 Black Hat