This 2-day training is for anyone who wants to know how Windows works, how to understand what is happening behind the scenes and how to interface with it effectively. Whether you want to analyze malware, understand (un)documented parts of the system, are a developer or are simply curious, there is a place for you here.
This training aims to give the audience some knowledge about the Windows operating system and practice in reverse engineering malware that tries to escape analysis. On the one hand, the training, based on Windows 11, begins with an introduction to how the operating system works: main components, main services, object architecture, scheduling, memory management, security, programming, etc. We will go into more and more detail according to the expectations of the group. The course is theoretical but also practical, through various small labs to interact with Windows. The objective is to understand what these various elements are used for, how they work internally, but also how to interface with them via the Windows API.
On the other hand, we will present the basics of reverse engineering and the different techniques used by malware to avoid analysis. First, we will recall how a processor works, then we will look at assembly language in order to write some (small) programs. This will be the occasion to see different methods/tactics used by malware to avoid static/dynamic analysis. At the end, we will practice with various reverse engineering tools, namely IDA and Windbg.
In the end, attendees will have a better knowledge of Windows and more practice in reverse engineering. In addition, they will gain a good knowledge of the tactics malware uses to evade analysis.
It should be noted that this course remains an introduction to each of these fields. It is also possible, depending on the questions and needs (and the possibility of answering them), to adapt the course to the requests made on the day.
By the end of the workshop, participants will be able to:
- Get an introduction to x86 and x64 assembly language.
- Understand several key components of the Windows operating system.
- Use the IDA software to perform static analysis (and more).
- Use the Windbg debugger to perform dynamic analysis (and more).
- Have a background in computer security on Windows.
- Identify and understand some features in a given program.
The participants will get the following:
- Several exercises used for practice.
- Slides from the presentation.
- Other references to learn more about the topics covered in the workshop.
- Practice, practice and practice…
COURSE CONTENT (ToC)
- DAY 1
- Introduction to Windows internals
- General architecture
- Windows versions
- Windows basics
- CPU protection levels
- Virtual memory & address space layout
- Windows key concepts & components
- Processes, threads, jobs, fibers, UMS…
- Objects, handles and security
- Windows desktops and sessions
- Hypervisor, core OS kernel, drivers, HAL, NTDLL, Win32k…
- Main user-mode components/services
- Windows subsystems & API
- Win32, POSIX, OS/2, WinRT, Pico processes, WSL 1 & 2
- Some security components
- SGX enclaves, TPM, VBS, VSM, VTL-X
- System calls, kernel/hypervisor
- Memory paging
- Processor modes & API hooking
- Throughout the day, practice: Mastering Windbg
- Presentation of Windbg
- First steps debugging with Windbg
- More advanced procedures with Windbg
- Assembly programming
- First steps with MASM32
- Assembly programming
- Some history about CPUs (optional)
- Main concepts of assembly programming
- Registers, stack, sysenter/syscall, code segment, scheduler & thread context
- Intel documentation
- Most useful instructions
- Writing some small programs with MASM and debugging them with Windbg
- From C code to assembly code (and vice versa)
- Calling conventions (cdecl/stdcall/x64)
- MZ-PE format details
- Evasion techniques:
- Static analysis evasion techniques.
- Dynamic analysis evasion techniques.
- How to regain control against these techniques?
- Throughout the day, practice: Reverse engineering
- Writing small programs in assembly
- Windbg & assembly programming
- Use of the IDA software
- A laptop with enough RAM and disk space to work comfortably.
- Intel or AMD processor (x86 or x64).
- Software (ideally pre-installed):
- Windows 11 or 10 operating system (Windows 7 works in a degraded mode).
- IDA software (free version, or a commercial one for a better experience).
- Visual Studio Community (or another compiler/IDE).
- Windbg Preview (available from the Windows 10 Store).
There is no real requirement here; a basic level in computer science is enough, since we expect attendees to start from zero. Nonetheless, in case of doubt:
- Basics in programming (mastering C would be perfect).
- Basics in mathematics and algebra.
WHO SHOULD ATTEND
- Students in IT, and most especially in security
- Security and software engineers
- Malware analysts
- Developers who want to enhance their skills
- Anyone curious about how operating systems and malware analysis work is welcome.
WHAT TO EXPECT
- Get a good knowledge of how things work in Windows and, more generally, in the operating-system world.
- Get practice by reversing software.
- Understand the purpose and use of both static and dynamic analysis.
- Better understand how malware tends to avoid analysis by different means.
- Good stories and culture about Windows (history, code, architecture, security and internals).
- Practice, practice and practice… This is the only way to progress in reverse engineering and in IT in general ;-).
WHAT NOT TO EXPECT
Disclosure of unpatched vulnerabilities, patents, or cracking the protection of commercial software. This is neither legal nor ethical.
Reverse engineering of software written in C# or C++ (it is out of scope, even if tools to do so would be presented if an attendee wishes to proceed).