Read what the Trainer has to day about her course at the Invisible Things.org blog : http://theinvisiblethings.blogspot.com/2008/04/vegas-training-2008.html
The course will provide attendees with an in-depth understanding of how advanced stealth malware works, how it interacts with the operating system, underlying hardware and network. Attendees will have a chance to run, analyze and experiment with several previously unpublished samples of proof-of-concept rootkits, similar to Deepdoor, FireWalk, Blue Pill and others. The malware samples will be created from scratch (and in a slightly different way) exclusively for the use during the training, as the original implementations can not be used due to NDA restrictions.
Simpler stealth malware will also be briefly covered as well as approaches to its detection, so that participants get a clear understanding what advantages the more sophisticated malware offers to attackers.
This course is focused on Windows systems (and Vista x64 specifically), although some of the concepts presented, like e.g. Blue Pill-like malware or methods for cheating hardware based memory acquisition, are OS-independent.
There will be a significant amount of previously unpublished techniques, code, and ideas presented during this training, including new ways to subvert Vista x64 kernel on the fly.
Who Should Attend?
The main goal is to help students understand contemporary malware techniques, enable them to see the “bigger picture” over technical details and show possible approaches to compromise detection. Thus the course is primarily targeted for developers of security products, forensic investigators, pen-testers and OS developers.
Basic knowledge of OS design and implementation (specifically Windows), C programming, at least basic experience with debugging and ability to understand fragments of assembler code (IA32 architecture).
Due to the course content, the trainer reserves the right to train only employees of government, law enforcement and reputable companies. Please register for the course with an email address that you can send and receive from, which is hosted in your organization's domain. Black Hat reserves the right to verify your ability to respond to email at the address and cancel the order if the verification fails (no response within 7 days). If you register with an email address not hosted in your organization, we may ask you to provide an email address within the organization that we can use for verification.
What to bring:
Each attendee should bring at least one laptop with a 64-bit AMD or Intel processor and a DVD drive (VMWare images are to be handed out on DVDs).
In order to be able to experiment with virtualization based malware (Blue Pill), the process should support hardware virtualization technology: either AMD-V or Intel VT-x.
Examples of processors that meet this criteria:
Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.
Ends May 1
Begins August 1