Hack Microsoft Using Microsoft Signed Binaries

Imagine being attacked through legitimate, signed software that the usual defensive tools do not flag.
How bad could it be if a threat actor carried out an advanced attack by doing nothing more than reading some bytes and writing some bytes?
The most dangerous threat is the one you can’t see. Memory attacks that rely on APIs such as VirtualAlloc are already hard to detect; what would be worse than having to detect a single debugger memory-fill command like “f 0xffffe001`0c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10”?
We will demonstrate that every kind of attack you can imagine can be carried out using only PowerShell and a Microsoft-signed debugger: retrieving passwords from user-mode memory, executing shellcode by dynamically parsing loaded PE images, or attacking the kernel to achieve advanced persistence on any system.
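As an added illustration of the read/write primitive the abstract describes (this is not the speakers' code), the snippet below drives cdb.exe, the Microsoft-signed console debugger shipped with the Windows SDK Debugging Tools, from PowerShell. The PowerShell itself never calls VirtualAlloc or WriteProcessMemory; all it does is hand the signed debugger a handful of text commands that read and write bytes in a throwaway process. The SDK install path, the use of notepad.exe as the target and the choice of kernel32!Sleep as the address to patch are assumptions made for the example.

```powershell
# Added example, not part of the original talk. Assumptions: cdb.exe is at the
# default Windows 10 SDK path, and notepad.exe is an acceptable disposable target.
$cdb = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'

# Spawn a victim process we do not mind corrupting.
$target = Start-Process -FilePath 'notepad.exe' -PassThru
Start-Sleep -Seconds 1

# Debugger command script, executed by cdb on attach:
#   db  <addr> L10            read (display) 16 bytes
#   f   <addr> L4 <bytes...>  fill 4 bytes with the given pattern (the write)
#   qd                        quit and detach, leaving the process running
# The 4 patched bytes are arbitrary; they match the ones quoted in the abstract.
$commands = @(
    'db kernel32!Sleep L10',
    'f  kernel32!Sleep L4 0xe8 0xcb 0x04 0x10',
    'db kernel32!Sleep L10',
    'qd'
) -join '; '

# -p attaches to the PID, -c runs the command string once attached.
$output = & $cdb -p $target.Id -c $commands 2>&1

# Keep only the memory-dump lines ("<address> <hex bytes> <ascii>") so the
# before/after view of the patched bytes is visible in the console.
$output |
    Select-String -Pattern '^[0-9a-f`]+ ' |
    ForEach-Object { $_.Line }

# Clean up the victim.
Stop-Process -Id $target.Id -ErrorAction SilentlyContinue
```

Because the patch lands in a copy-on-write mapping of kernel32 inside the target only, other processes are unaffected, but the target may crash the next time it calls Sleep; that is acceptable for a disposable process. From a detection standpoint, note what the host actually sees: a signed debugger attaching to a process and a short string of text commands, which is exactly why the abstract argues this is harder to spot than a direct VirtualAlloc/WriteProcessMemory sequence.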
Continue reading…


Automating Detection, Investigation and Mitigation with LimaCharlie

Workshop Duration: 3 Hours.

The workshop will begin with an overview of the various detection and automation mechanisms available in LimaCharlie.
Afterwards, we will create Detections and Hunters in LimaCharlie that automate the detection and investigation of specific malware samples (samples are provided for the workshop; attendees may also bring their own).
Continue reading…


Cracking Custom Encryption – An Intuitive Approach to Uncovering Malware’s Protected Data

Workshop Duration: 2 Hours.

As banking fraud researchers, we take part in a never-ending chase after new configurations of banking malware. We strive to keep the upper hand by figuring out where the configurations are hidden and how they are encrypted. It can be quite thrilling when a new version of the malware is released, the encryption has changed, and the configuration must be decrypted before time runs out. We’d like to share this thrill and teach useful skills that come in handy when dealing with the variety of custom encryption algorithms used by malware authors. In many cases, cracking an encryption scheme requires advanced skills in math and reverse engineering. But quite often malware authors create custom algorithms for data formatting and encryption that can be overcome with a more intuitive skillset and methods. A great example is the encryption used by Dridex, which we shall use as a case study.

In this workshop, lecturing will be kept to the necessary minimum and the major part of the time will be dedicated to a hands-on, guided process of analyzing raw encrypted data. We shall study the way it is encrypted, eventually formulating a simple method of decryption. Participants will gain an understanding of the process of researching an actual encryption method, acquire basic tools for addressing encrypted data of unknown format, and enjoy the thrill of a live challenge.

Continue reading…


Malware and Memory Forensics

For the first time at a Canadian conference, we are pleased to announce a digital forensics and incident response (DFIR) training from none other than Michael Ligh, co-author of the Malware Analyst’s Cookbook and The Art of Memory Forensics. Michael is also a core developer of the open source memory forensics tool Volatility.

Continue reading…


Modern Object-Oriented Malware Reverse Engineering

Please note that this class has been cancelled.

This training course is designed for anyone who wants to learn how to reverse engineer object-oriented code and perform analysis of complex threats. The introductory material of the class provides students with essential information on the C++ code generation process: how object-oriented types are laid out in an executable, what kind of additional information compilers put into binaries, and how an object-oriented architecture may be reconstructed from the machine code. After this, students will focus on using reverse engineering tools to put into practice what they learned earlier. A lot of attention is devoted to the automation of reverse engineering. As a bonus, the authors will demonstrate how to identify certain vulnerability classes, such as use-after-free, with the Hex-Rays Decompiler SDK. Another major part of the training is dedicated to reverse engineering malware from real-world targeted attacks, where students will apply the skills they learned in practice.
Continue reading…


Analysis of High-level Intermediate Representation in a Distributed Environment for Large Scale Malware Processing

Malware is acknowledged as an important threat, and the number of new samples grows at an absurd pace. Additionally, targeted and so-called advanced malware has become the rule, not the exception.

At Black Hat 2015 in Las Vegas, the researchers co-authored a work on distributed reverse engineering techniques, using intermediate representation in a clustered environment. The results presented demonstrate different uses for this kind of approach, for example finding algorithmic commonalities between malware families. As a result, a rich dataset of metadata for 2 million malware samples was generated.
Continue reading…


Practical Uses of Program Analysis: Automatic Exploit Generation

Practical uses of program analysis will be presented and explained, including instrumentation, symbolic execution and concolic execution, both in theory and in practice, along with tools for each technique. Specifically, this talk will show how to automatically generate an exploit against a complex, stand-alone application.
Continue reading…