Repository: applying-ttd-to-malware-analysis

Repacking the unpacker: Applying Time Travel Debugging to malware analysis

Abstract

In this workshop we apply the Time Travel Debugging feature of WinDbg, one of the most powerful Windows debuggers, to the field of malware analysis. We show with concrete examples how this technology can be very effective in reversing complex samples in a timely manner.

Description

Microsoft added Time Travel Debugging to their powerful WinDbg debugger in 2017. This feature is a gift for reverse engineers working in all sorts of fields and is clearly gaining in popularity. The most obvious area that benefits from reverse debugging is that of root cause analysis during vulnerability research. Multiple blog posts and demonstrations have proven this.

However, other fields of reverse engineering can also greatly benefit from this innovation. This workshop takes a look at how we can leverage Time Travel Debugging for efficiently unpacking a complex, multilayered malware sample and solving common malware analysis problems in an alternative manner.

Intended audience

The intended audience for this workshop ranges from those who have a minimal reverse engineering background, to seasoned malware analysts who are interested in new approaches.

Prerequisites

A basic knowledge of x86 Assembly is recommended. Experience in WinDbg is not required.

Contents

The workshop consists of the following main parts:

  • An introduction to WinDbg Preview and its Time Travel Debugging (TTD) feature.
  • A first case of unpacking a malware sample using TTD. This case will be easy to follow along.
  • A second, more complex case of malware deobfuscation will be presented. Experienced participants can work autonomously while others will get guidance.

Setup

Participants should bring a Windows 10 instance (this is a requirement for WinDbg Preview) with the following software installed:

  • Latest version of WinDbg Preview, which can be installed (and automatically updated) through the Microsoft Store.
  • A disassembler in which the participant feels comfortable (e.g. IDA, Ghidra, radare2, ...). Demos will be given with IDA Freeware, which can be downloaded here.

The Windows 10 instance can be a host or guest VM, but be sure to test that you are able to start WinDbg Preview, as this can fail in a VMware environment (more info here).

Next, you will need the exercise files. The exercise files for the workshop are contained in this repository. Download a copy of this repository and bring the files with you on the Windows 10 instance.

Contributors

benoitsevens
