Training
Our training courses can be adjusted based on the interest of your organization, if you are security-minded, troubleshooting-focused, or all of the above.
Comae specializes in delivering in-depth training on a variety of topics related to memory analysis, including but not limited to operating system internals, memory management, troubleshooting, and debugging. This course covers the state of the art tools available, some of which are open-source, like crash, but when it comes to Windows, nothing beats WinDbg for professionals.
The reason macOS is not covered in this course is because kexts have been
deprecated
by Apple.
Memory Analysis
Course Description
This course aims to provide attendees with general knowledge of Windows and Linux internals, and give the ability to do memory acquisition and analysis with Comae products as well as with publicly available software such as WinDbg or crash. Comae products support both Windows and Linux.
Course Outline
- An explanation of different memory formats
- Raw dumps
- Microsoft Formats
- Crash dumps (*.dmp)
- Full memory dumps, Kernel dumps, Process dumps
- Hibernation files
- Crash dumps (*.dmp)
- Core dumps (ELF)
- Available tools
- WinDbg Preview
- Extension Development
- C/C++ (SwishDbgExt)
- JavaScript
- Extension Development
- crash
- Comae Stardust
- WinDbg Preview
- Memory Management Unit
- Page Table Translation
- Segmentation
- Page Table Entry (PTE)
- Enhanced Page Tables (EPT)
- Memory Management
- Paging, Hibernation, Virtual Address Descriptors (VADs)
- Process Management
- Asynchronous Procedure Call (APC)
- Process Isolation
- Windows Subsystem for Linux (WSL)
- Secure Virtual Memory (VSM)
- Virtualization-Based Security (VBS)
- Trustlets (LSAISO, vTPM, HVCI)
- Windows Defender Application Guard
- Edge, Office 365
- Hardware Isolation
- Software Guard Extensions (SGX)
- Kernel DMA protection
- The death of hardware-based acquisition.
- Virtual Trust Level (VTL)
- Credential Guard
- Secure Kernel
- Isolation User Mode (IUM)
- Secure Mode Application RunTime (SMART)
- Isolation User Mode (IUM)
- Mini-filters
Instructor
The course is delivered by Matt Suiche. Some of the instructor’s contributions to the information security community include:
Documenting the Windows hibernation file in 2007.
Publishing the initial research on Mac OS X memory analysis in 2010.
Releasing the most reliable Windows memory acquisition tools win32dd and win64dd, which later became the present DumpIt (since 2010).
Releasing the first live debugger extension to enable memory analysis of Hyper-V Virtual Machines, LiveCloudKd.
Publishing the first Ethereum smart-contract decompiler, Porosity, in 2017.
Matt Suiche is also known for being one of the co-founders of application virtualization start-up CloudVolumes, which was acquired by VMware in 2014, as well as the organizer and host of the OPCDE conference. Matt also did research on DOUBLEPULSAR, explaining how it was used to infect the SWIFT Service Bureau, and helped develop the wanakiwi utility to decrypt files encrypted by the WannaCry ransomware.
Location
We do not run these courses at fixed locations. Instead, we come to you, almost anywhere in the world, and train your team or the entire organization in a private setting of your choosing.
The course can also be delivered online.
Minimum 6 students.