Wednesday, July 22, 2009

Blackhat Training is almost here!

I am gearing up for the Blackhat Training session on Monday-Tuesday of next week. We have made room for 30 students. We spent almost four weeks working on materials, remastering the demo and recap videos, and collecting malware samples that illustrated each of the subjects we are presenting. The task was a lot harder than I originally expected, especially the collection of malware. I discovered a great trick using our feed processor, which is the clever use of search terms against strings to locate malware that was using specific techniques, keylogging methods, hooking styles, even specific languages. We have a solid methodology we teach behind our Responder product, so I had to find malware that illustrated specific concepts, as opposed to tailoring a training around whatever malware happened to be available. I will try to keep the training as high-level as I can, and stay out of disassembly code as much as possible, but as expected there are some key reversing skills that can never be avoided, such as the reconstruction of parameters passed to a call. But, as for arithmetic and hard logic reconstruction, the only exercise where we get into that level of detail will be the one on crypto and stego. We have one coding exercise using the new built-in scripting interface, so that's a short bit of hardcore fun as well. But most of the material is about getting reverse engineering done rapidly, getting what you need, and not bogging down, which is the name of the game.