Workshop: Manual kernel mode malware analysis

Wednesday 3 October 16:00 - 17:30, Small talks

Vanja Svajcer (Cisco Talos)

In our day jobs we are faced with ever increasing quantities of threat data, IOCs and malware samples that have to be analysed in order to make decisions about classification and further processing. Millions of malware samples a day can only be processed in an automated fashion and we have developed systems and processes that can successfully address that challenge.

Unfortunately, over time, we have learned to rely more on automated analysis tools and have begun to lose the ability to analyse manually and understand all aspects of a threat.

This workshop will attempt to emphasise the importance of manual malware analysis, its core components, and the consequences for our community of losing this skill.

Specifically, the focus of the workshop is on dynamic manual analysis of kernel-mode malware using WinDbg. WinDbg (running on top of user- and kernel-mode Windows debuggers) is a powerful debugging environment allowing an analyst to dig into the Windows internals to analyse code and find the presence of sophisticated threats, including rootkits and other kernel malware.

WinDbg can be set to debug local or remote systems as well as user- or kernel-mode code. It is integrated with static reversing tools such as IDAPro, scripting languages such as Python and Windows symbol server, which allows the analyst to develop a more complete understanding of the problem.

Many extensions and scripts are available to help with analysing malware and vulnerabilities, either on a live system or by analysing a crash dump - an image of memory frozen in time. Unfortunately, commanding an environment as powerful as WinDBG is rather complex and the learning curve is pretty steep, despite a wealth of documentation shipped with the default distribution of debugging tools for Windows.

The workshop will provide less experienced attendees with a systematic way to approach kernel-mode analysis using WinDbg, and hopefully allow more experienced ones to improve their WinDbg-Fu.

We will describe key techniques required for conducting successful manual kernel-mode analysis and discuss minimal number of operating system objects, structures and mechanisms that we need to understand before attempting the analysis. All examples will include functionality observed by analysing recent kernel-mode malware.

The workshop will cover:

  • WinDbg Setup
  • Basic commands
  • Taking it to the next level with more advanced commands
  • Scripting with standard scripting, JavaScript and pykd
  • Extensions for malware analysis
  • Pointers for further investigation

We will conclude by providing a list of resources which should help the attendee to close a potential Windows kernel-mode analysis skills gap.

There are no special requirements for attendees but they will benefit from the hands-on examples if they are be able to bring a laptop set up with Windows Debugging tools.

The attendees can choose to set up WinDbg for kernel-mode debugging either in a host-to-VM, or VM-to-VM scenario, as documented in the Microsoft WinDbg setup instructions page The host (debugger) operating system should be Windows 7 SP1 or later and the target (debuggee) operating system should be Windows 8.1 or later.



Vanja Svajcer

Vanja Svajcer works as a technical leader at the Cisco Talos Threat Intelligence organisation.

He is a security researcher with more than 15 years of experience in malware research and detection development. Prior to joining Talos, Vanja worked for SophosLabs and led a security research team at Hewlett Packard Enterprise.

Vanja enjoys tinkering with automated analysis systems, reversing binaries and Android malware. He thinks time spent scraping telemetry data for signs of new attacks is well worth the effort.

In his free time, he is trying to improve his acoustic guitar skills and often plays basketball, which at his age is not a recommended activity.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.