Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-3, August 4-5

Reverse Engineering Rootkits

Greg Hoglund, HBGary
Rich Cummings, HBGary


This class is aimed at information security professionals and incident responders, not traditional reverse engineers. Students DO NOT need any prior experience in software reverse engineering. This two-day class covers useful techniques and methods for incident response in the field when machines are suspected of intrusion with stealthy malware. The class is heavily exercise-based and covers both kernel-mode and user-mode rootkit infections. The purpose of the class is to give students the ability to preserve physical RAM for analysis, identify rootkit behaviors, and then reverse engineer the captured rootkits in order to evaluate the specific threats, including but not limited to:

  • what files on the filesystem are involved in the attack?
  • which registry keys are being used?
  • does the rootkit survive reboot, and if so, by what means?
  • does the rootkit steal anything?
  • does the rootkit allow remote access?
  • does the backdoor use encryption? If so, where is the decryption routine?
  • can the rootkit be used to launch secondary attacks into the network?

The goal is to give students the ability to learn these key facts about a rootkit within only a few minutes or hours after the specimen is obtained. The reverse engineering techniques presented are designed to be easy to learn and quick to use. Students do not need to be experts at reverse engineering. Even advanced malware techniques, such as packing, can be overcome by straightforward and easy-to-understand methods. Much of the material, once understood, can be incorporated into automated assessment scripts.

Specific training will be given on the following scenarios:

  • Extraction of kernel mode rootkits from live system memory
  • Reconstruction of PE formatted executable images from live memory
  • Imaging physical RAM of a suspected computer
  • Overview of Windows OS data structures and what they mean
  • Recovering open file handles and registry keys from a captured RAM image
  • Detecting interrupt table hooks and SSDT hooks from a physical memory image
  • Following memory pointers
  • Translating physical addresses to virtual addresses, and why this is important
  • Capturing a live memory image of the malware after unpacking has occurred
  • Examining NDIS chains to find backdoor TCP/IP stacks

In addition, dynamic analysis of captured rootkits will be covered using a quarantined VMware lab image in combination with advanced debugging tools. The dynamic exercises will focus on the following scenarios:

  • Tracing data packets in memory to determine the location of the decryption routine
  • Data-sampling, searching, and dataflow tracing
  • Efficient use of breakpoints to catch behavior at the OS level and trace back into the malware
  • Capturing the launch of a secondary process
  • Capturing file and registry key access
  • Shunting the deletion of temporary files so that secondary specimens can be captured
  • Capturing DLL injection and thread injection
  • Detecting multi-threaded data hand-off points
  • The concept of a control-flow orbit
  • Reconstructing the send/recv orbit of the malware backdoor
  • Detecting usage of common protocols, such as SMTP, POP3, and IRC

In addition to hands-on understanding, students will be exposed to scripting tools that can be customized to speed up the assessment. The class concludes by covering not only reverse engineering techniques, but also efficient methods to organize the recovered data and evidence and how to construct a report. This includes how to organize found data into layers, graphing for reports, bookmarking and comments, and automated scripting. Students will also be given a crash course on developing and customizing a report-generation script that automatically builds a report in RTF format (Microsoft Word compatible). This rounds out the training and offers a complete end-to-end methodology.

Participants in the course will receive a one-year subscription to HBGary Responder™ Professional:

Responder Professional is the industry's first live memory and runtime analysis platform for Windows operating systems. Responder Pro integrates the most powerful physical memory and reverse engineering capabilities into one product suite, providing information assurance analysts, computer emergency response teams, and computer crime investigators with the most powerful capabilities to collect, analyze, diagnose, and report on runtime data contained in physical memory.

Disk- and signature-based detection tools are no match for malicious code using the latest anti-forensics, anti-detection, and anti-debugging techniques. It's no wonder that 80% of new malware is missed by antivirus. Responder Professional provides analysts and investigators with unprecedented visibility into memory and runtime state information to detect these resistant binaries, because software (good or bad) cannot execute without being present in live memory.

With a mouse click, unknown or suspicious binaries detected by Responder can be analyzed, disassembled and debugged to determine if they are malicious and to gain understanding of their capabilities and behaviors.

HBGary Responder supports proactive security assessments, live computer incident response, forensic investigations, and malware analysis.

Binary and Runtime Forensic Capabilities: Responder Pro integrates dynamic runtime tracing with dataflow and static code analysis. Captured test data is recorded in a database shared among team members for further analysis with automated scripts and interactive graphing.

  1. Static Disassembly of Binaries
  2. Automated Malware Analysis & Reporting
  3. Advanced Graphing and Visualization


Greg Hoglund has been a pioneer in the area of software security. After writing one of the first network vulnerability scanners (installed in over half of all Fortune 500 companies), he created and documented the first Windows NT-based rootkit, founding in the process. Greg went on to co-found Cenzic, Inc. (formerly known as ClickToSecure, Inc.) through which he orchestrated numerous innovations in the area of software fault injection. Greg is a frequent speaker at Black Hat, RSA and other security conferences. He is co-author of Rootkits: Subverting the Windows Kernel (Addison Wesley 2005) and Exploiting Software: How to Break Code (Addison Wesley 2004).

Registration pricing:

Ends May 1: $3200 USD
Ends July 1: $3400 USD
Ends July 31: $3600 USD
Begins August 1: $3900 USD

1997-2009 Black Hat™