
Black Hat USA 2009 Weekend Training Session

July 25-26

Black Hat USA 2009 Weekday Training Session

July 27-28

Reverse Engineering Rootkits and Active Reversing

Greg Hoglund, HBGary

This class is aimed at information security professionals and incident responders, not traditional reverse engineers. Students DO NOT need any prior experience in software reverse engineering. This two-day class covers useful techniques and methods for incident response in the field when machines are suspected of intrusion by stealthy malware. The class is heavily exercise-based and covers both kernel-mode and user-mode rootkit infections. The purpose of the class is to give students the ability to preserve physical RAM for analysis, identify rootkit behaviors, and then reverse engineer captured rootkits in order to evaluate the specific threats, including but not limited to:

  • what files on the filesystem are involved in the attack?
  • which registry keys are being used?
  • does the rootkit survive reboot, and if so, by what means?
  • does the rootkit steal anything?
  • does the rootkit allow remote access?
  • does the backdoor use encryption? If so, where is the decryption routine?
  • can the rootkit be used to launch secondary attacks into the network?

The goal is to give students the ability to learn these key facts about a rootkit within only a few minutes or hours after the specimen is obtained. The reverse engineering techniques presented are designed to be easy to learn and quick to use. Students do not need to be experts at reverse engineering. Even advanced malware techniques, such as packing, can be overcome by straightforward and easy-to-understand methods. Much of the material, once understood, can be incorporated into automated assessment scripts.

Specific training will be given on the following scenarios:

  • Extraction of kernel mode rootkits from live system memory
  • Reconstruction of PE formatted executable images from live memory
  • Imaging physical RAM of a suspected computer
  • Overview of Windows OS data structures and what they mean
  • Recovering open file handles and registry keys from a captured RAM image
  • Detecting interrupt table hooks and SSDT hooks from a physical memory image
  • Following memory pointers
  • Translating physical addresses to virtual addresses, and why this is important
  • Capturing a live memory image of the malware after unpacking has occurred
  • Examining NDIS chains to find backdoor TCP/IP stacks

In addition, dynamic analysis of captured rootkits will be covered using a quarantined VMware lab image in combination with advanced debugging tools. The dynamic exercises will focus on the following scenarios:

  • Trace data packets in memory to determine the location of the decryption routine
  • Data-sampling, searching, and dataflow tracing
  • Efficient use of breakpoints to catch behavior at the OS level and trace back into the malware
  • Capturing the launch of a secondary process
  • Capturing file and registry key access
  • Shunting the deletion of temporary files so that secondary specimens can be captured
  • Capturing DLL injection and thread injection
  • Detecting multi-threaded data hand-off points
  • The concept of a control-flow orbit
  • Reconstructing the send/recv orbit of the malware backdoor
  • Detecting usage of common protocols, such as SMTP, POP3, and IRC

In addition to hands-on understanding, students will be exposed to scripting tools that can be customized to speed up the assessment. The class completes the training by covering not only reverse engineering techniques, but also efficient methods to organize the recovered data and evidence, and how to construct a report. This includes how to organize recovered data into layers, graphing for reports, bookmarking and comments, and automated scripting. Students will also be given a crash course on developing and customizing a report-generation script that allows the automated construction of a report in RTF format (Microsoft Word compatible). This rounds out the training and offers a complete end-to-end methodology.

Greg Hoglund has been a pioneer in the area of software security. After writing one of the first network vulnerability scanners (installed in over half of all Fortune 500 companies), he created and documented the first Windows NT-based rootkit, founding in the process. Greg went on to co-found Cenzic, Inc. (formerly known as ClickToSecure, Inc.) through which he orchestrated numerous innovations in the area of software fault injection. Greg is a frequent speaker at Black Hat, RSA and other security conferences. He is co-author of "Rootkits: Subverting the Windows Kernel" (Addison Wesley 2005) and "Exploiting Software: How to Break Code" (Addison Wesley 2004).

Registration deadlines: Super Early ends Mar 15; subsequent registration tiers end May 1, Jul 1, and Jul 22.
