Wednesday, April 30, 2008

Vegas Training 2008

Last year we debuted our Understanding Stealth Malware training at Black Hat Vegas. We had about 70 participants and I think it was a reasonable success, especially given that the training was announced very late. Since then we have done a couple of on-site classes and have been continually updating the training.

During our 2nd public edition, at Black Hat Europe 2008 in March this year, we significantly extended the part about virtualization, e.g. by adding a discussion of nested virtualization on AMD-V and showing and analyzing the actual code that implements it. We also used the New Blue Pill code with VT-x support (previously it worked only on AMD-V), making it possible to use both AMD and Intel machines for the class. This allowed us to offer the training in a "Bring Your Own Laptop" fashion, which we know attendees much prefer, since they simply feel better working in their own, familiar environment.

At the upcoming Black Hat Vegas 2008 we are also going to offer this class. That will be our 3rd public edition, and again we hope to improve it beyond what we presented at BH Europe 2008. As last time, we will not provide the computers, but rather expect the attendees to bring their own systems. At the end of this article are the requirements your machine should meet if you would like to use it during the training and be able to do all the exercises. Of course, you should back up all your important data before coming to the class, as the computer might become corrupted after some of the exercises (although this has never happened so far).

There will be only one class offered, on August 4/5 (the weekday class). You can view the detailed training agenda that we used for the BH Europe class in March here. Please note that the exact shape of the Vegas class may differ a bit, as we are planning to add new material again.

This might be the very last chance for you to attend this specific training, as it's quite possible that next year we will be offering some other class, focused entirely on virtualization security. Don't worry, however, if you don't get a seat in the Vegas class; there is still a chance to have the class presented on-site in your town.

You can register for the Vegas training here.

See you in Vegas!

Hardware Requirements
  1. 64-bit (x64) AMD or Intel processor with hardware virtualization support (AMD-V or VT-x)
  2. DVD-ROM
  3. 2GB RAM (for convenient work with VMware)
Software Requirements
  1. 64-bit Vista OS (primary OS, non-virtualized)
  2. Windows Driver Kit (WDK) 6000 or newer (available via MSDN subscription)
  3. VMware Workstation 6.x or VMware Player 2.x (the latter is free)
  4. Optionally: IDA Pro 5.x disassembler (for exercises that involve finding bugs in drivers)
AMD Processors
Most modern AMD mobile processors used in current laptops, such as the AMD Turion and Athlon, support AMD-V technology. Unfortunately there is no single place on the AMD website that provides a complete list of all CPUs supporting AMD-V, or an answer as to whether a given model supports it. When in doubt, use Google, and always verify with the CHKSVMX program described below.

Intel Processors
Most modern Intel processors used in notebooks support Intel VT-x virtualization technology; these include the Core 2 Solo, Core 2 Duo (except the T5500, T5550 and T5750 models) and Core 2 Extreme. You can check your own model starting at this website: choose your processor family and then the "Specifications" tab. Make sure the processor supports "Intel® 64 architecture" and "Intel® Virtualization Technology".

Using Mac for the training
You can very easily use a MacBook or MacBook Pro for this training. Windows can be installed on a second partition using the Boot Camp program that ships with all newer Macs. You simply start the Boot Camp application from Mac OS X; it shrinks your current Mac partition, creates a new one for Windows, asks you to insert the installation media and reboots the system, after which you perform a normal Windows setup (once installation is complete, your Vista should find all the necessary drivers via Windows Update). You might also want to use the free AutoHotKey program for right-click emulation on your newly installed Vista. Don't worry if Boot Camp tells you to install a 32-bit Vista; you can ignore this and insert a 64-bit Vista installation disk.

Testing your machine with CHKSVMX
We have prepared a special little program, CHKSVMX, to test whether a given machine indeed supports hardware virtualization technology. The CHKSVMX program can be downloaded from here.

The program doesn't introduce any persistent changes to the OS and doesn't require any installation procedure. It checks for virtualization support (on both AMD and Intel processors) not only by reading the CPUID information but also by actually trying to enable virtualization mode and then disabling it again. Although most of the laptops available these days support hardware virtualization, in many cases this feature is disabled or locked down in the BIOS. If virtualization is reported as "locked", please try to enable it in the BIOS. Please note that in most cases you will have to fully power down your system for the BIOS changes to take effect (a reboot is not enough)!

Additionally, CHKSVMX checks whether a 64-bit edition of Windows is running, as such an OS is required for the training.
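To illustrate what such a check has to look at, here is an added example in C (not the CHKSVMX code, which is not published in this post). It decodes the same three pieces of information the post describes: the CPUID feature bits that say whether the silicon has VT-x or AMD-V at all, the CPUID long-mode bit behind the "64-bit" requirement, and the firmware-controlled MSR that decides whether the feature is usable or "locked" in the BIOS (IA32_FEATURE_CONTROL on Intel, VM_CR on AMD). The decoding functions take raw register values so they can be exercised with constructed inputs; the `main` below runs the real CPUID instruction on x86 and, as an assumption specific to Linux, tries to read the MSR through the root-only `/dev/cpu/0/msr` device, since MSRs are only readable from ring 0 (CHKSVMX does that part from its own driver on Windows). It does not attempt to enable virtualization mode itself.

```c
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* Tri-state result mirroring what the post says CHKSVMX reports:
   no hardware support, supported but turned off/locked by the BIOS,
   or supported and usable. */
enum vt_status { VT_UNSUPPORTED = 0, VT_LOCKED_OFF = 1, VT_AVAILABLE = 2 };
enum cpu_vendor { VENDOR_OTHER = 0, VENDOR_INTEL = 1, VENDOR_AMD = 2 };

/* CPUID leaf 0 returns the 12-byte vendor string in EBX, EDX, ECX (in that order). */
enum cpu_vendor vendor_from_cpuid0(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    char id[13];
    memcpy(id, &ebx, 4);
    memcpy(id + 4, &edx, 4);
    memcpy(id + 8, &ecx, 4);
    id[12] = '\0';
    if (strcmp(id, "GenuineIntel") == 0) return VENDOR_INTEL;
    if (strcmp(id, "AuthenticAMD") == 0) return VENDOR_AMD;
    return VENDOR_OTHER;
}

/* CPUID.80000001h:EDX bit 29 (LM) is set when the CPU supports x86-64 long mode,
   which is what the "64-bit (x64)" hardware requirement refers to. */
int supports_long_mode(uint32_t cpuid_ext1_edx)
{
    return (int)((cpuid_ext1_edx >> 29) & 1u);
}

/* Intel: CPUID.1:ECX bit 5 (VMX) says the silicon has VT-x. Whether VMXON may
   actually be executed is governed by the IA32_FEATURE_CONTROL MSR (0x3A):
   bit 0 is the lock bit (set by firmware, sticky until reset) and bit 2 allows
   VMXON outside SMX. Lock set with bit 2 clear is the "locked in BIOS" case. */
enum vt_status intel_vmx_status(uint32_t cpuid1_ecx, uint64_t feature_control)
{
    if (!((cpuid1_ecx >> 5) & 1u))
        return VT_UNSUPPORTED;
    int locked = (int)(feature_control & 1u);
    int vmx_outside_smx = (int)((feature_control >> 2) & 1u);
    if (locked && !vmx_outside_smx)
        return VT_LOCKED_OFF;
    /* Unlocked: a driver may set bits 0 and 2 itself. Locked with bit 2 set: ready. */
    return VT_AVAILABLE;
}

/* AMD: CPUID.80000001h:ECX bit 2 (SVM) says the silicon has AMD-V. The VM_CR MSR
   (0xC0010114) bit 4 (SVMDIS) is the firmware switch that disables it. */
enum vt_status amd_svm_status(uint32_t cpuid_ext1_ecx, uint64_t vm_cr)
{
    if (!((cpuid_ext1_ecx >> 2) & 1u))
        return VT_UNSUPPORTED;
    if ((vm_cr >> 4) & 1u)
        return VT_LOCKED_OFF;
    return VT_AVAILABLE;
}

#if defined(__x86_64__) || defined(__i386__)
static void cpuid(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    __asm__ volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(leaf), "c"(0));
}

/* Linux-specific assumption: with the msr module loaded, root can read MSRs via
   /dev/cpu/N/msr, where the file offset is the MSR index. Returns 0 on failure. */
static int read_msr(uint32_t index, uint64_t *value)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return 0;
    int ok = pread(fd, value, sizeof *value, (off_t)index) == (ssize_t)sizeof *value;
    close(fd);
    return ok;
}

int main(void)
{
    uint32_t a, b, c, d;
    cpuid(0, &a, &b, &c, &d);
    enum cpu_vendor v = vendor_from_cpuid0(b, c, d);
    cpuid(0x80000001u, &a, &b, &c, &d);
    printf("64-bit capable: %s\n", supports_long_mode(d) ? "yes" : "no");
    uint32_t ext1_ecx = c;
    uint64_t msr = 0;
    enum vt_status s = VT_UNSUPPORTED;
    if (v == VENDOR_INTEL) {
        cpuid(1, &a, &b, &c, &d);
        if (!read_msr(0x3Au, &msr))
            printf("IA32_FEATURE_CONTROL unreadable (needs ring 0); assuming unlocked\n");
        s = intel_vmx_status(c, msr);
    } else if (v == VENDOR_AMD) {
        if (!read_msr(0xC0010114u, &msr))
            printf("VM_CR unreadable (needs ring 0); assuming SVM not disabled\n");
        s = amd_svm_status(ext1_ecx, msr);
    }
    static const char *names[] = { "unsupported", "locked/disabled in BIOS", "available" };
    printf("hardware virtualization: %s\n", names[s]);
    return 0;
}
#endif
```

The split between the pure decoders and the privileged reads is deliberate: the CPUID bits only tell you what the CPU can do, while the "locked" state that the post tells attendees to fix in the BIOS lives in the MSR, so a user-mode tool that stops at CPUID will happily report support on a laptop where VMXON would still fault.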

DISCLAIMER: The test program is digitally signed with the Invisible Things Lab's certificate and we assure that the program does not perform any malicious actions. ITL is, however, not responsible for any accidental damage or system instability issues the test program might cause.

1 comment:

Anonymous said...

I need to buy a new laptop anyway, and this training is just another reason to do it sooner than later. I wondered if you or someone else could suggest a laptop that meets the training requirements AND was portable (not 8 lbs!). A Dell would be ideal.