BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: No Symbols When Reversing? No Problem: Bring Your Ow
 n\n   When: Friday\, Aug 9\, 11:00 - 11:20 PDT\n   Where: LVCC West/Floor 
 1/Hall 1/Track 3 - [1]Map\n\n   Description:\n   We all know it all too we
 ll: that ominous feeling when opening an\n   unknown file in your favorite
  analysis tool\, only to be greeted with\n   hundreds or thousands of unkn
 own functions\, none of which are matched\n   by your existing function si
 gnatures\, nor any of your helper scripts.\n   This makes the analysis a p
 ainfully slow and tedious process.\n   Additionally\, it sometimes means t
 hat the required analysis time\n   exceeds the available time\, and anothe
 r file is chosen to be reversed\n   instead. Especially when dealing with 
 malware\, this is an undesired\n   scenario\, as it would create a blind s
 pot from a blue team’s\n   perspective.\n\n   The goal of this talk is t
 o share a tried and tested method on how to\n   deal with thousands of unk
 nown functions in a given file\,\n   significantly decreasing the time spe
 nt on the analysis. The example\n   throughout the talk is the Golang base
 d qBit family\, but is applicable\n   to any kind of binary. While this ta
 lk focuses on using Ghidra\, given\n   its free and open-source nature\, i
 t is equally possible with other\n   industry standard tools. The focus wi
 ll be on scripts\, as well as the\n   creation and usage of FunctionID and
  BSim databases. By combining\n   these\, you will be able to create your 
 own symbols\, and bring them\n   anywhere you go\, for any language of cho
 ice.\n\n   While the symbols are portable\, an aggregation of them scales 
 very\n   well over any number of analysts. As such\, this methodology work
 s well\n   for individual researchers\, but when scaling it for a team of\
 n   researchers\, the outcome will be greater than the sum of its parts.\n
 \n   This talk will use (malicious) Golang binaries as examples and provid
 e\n   a large dataset of symbols for this language. The scripts\, as well 
 as\n   FunctionID and BSim databases\, mentioned in this talk will all be 
 made\n   publicly available at the time of this talk.\n\n   In no particul
 ar order:\n\n     * Automate .fidb generation with headless Ghidra: [2]lin
 k\n\n     * Understanding static and dynamic compilation and linking: [3]l
 ink\n\n     * How symbols work: [4]link\n\n     * BSim answers from the Gh
 idra team: [5]link\n\n     * Feeding Gophers to Ghidra (a blog I wrote for
  my employer about my\n       research into Golang internals): [6]link\n\n
      * A blog I wrote summarising my Golang reversing journey for my\n    
    employer: [7]link\n\n     * The open-source scripts on GitHub: [8]link\
 n\n     * A talk I gave about the Golang internals at HackInTheBox Amsterd
 am\n       2023: [9]link\n\n     * Ghidra’s FunctionID codebase: [10]lin
 k\n\n     * Hex-Ray’s IDA Pro’s F.L.I.R.T. explained: [11]link\n\n    
  * BSim’s GhidraDoc explanation and tutorial: [12]link\n\n   SpeakerBio:
   Max "Libra" Kersten\n\n   Max Kersten is a malware analyst\, blogger\, a
 nd speaker who aims to\n   make malware analysis more approachable for tho
 se who are starting. In\n   2019\, Max graduated cum laude with a bachelor
 's in IT & Cyber\n   Security\, during which Max also worked as an Android
  malware analyst.\n   Currently\, Max works as a malware analyst at Trelli
 x\, where he\n   analyses APT malware and creates open-source tooling to a
 id such\n   research. Over the past few years\, Max spoke at international
 \n   conferences\, such as DEFCON\, Black Hat (USA\, EU\, MEA\, Asia)\, Bo
 tconf\,\n   Confidence-Conference\, HackYeahPL\, and HackFestCA. Additiona
 lly\, he\n   gave guest lectures and workshops for DEFCON\, Botconf\, seve
 ral\n   universities\, and private entities.\n\n   '\n\n   1. #LVCCW_Level
 1_Hall1\n   2. https://blog.threatrack.de/2019/09/20/ghidra-fid-generator/
 \n   3. https://www.youtube.com/watch?v=fGnbGX88z3Y\n   4. https://www.you
 tube.com/watch?v=iBQo962Sx0g\n   5. https://github.com/NationalSecurityAge
 ncy/ghidra/issues/6098\n   6. https://www.trellix.com/blogs/research/feedi
 ng-gophers-to-ghidra/\n   7. https://www.trellix.com/blogs/research/feedin
 g-gophers-to-ghidra/\n   8. https://github.com/advanced-threat-research/Gh
 idraScripts\n   9. https://www.youtube.com/watch?v=wsNfHqZfTfE\n   10. htt
 ps://github.com/NationalSecurityAgency/ghidra/tree/master/Ghidra/Features/
 FunctionID\n   11. https://hex-rays.com/products/ida/tech/flirt/in_depth/\
 n   12. https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidr
 aDocs/GhidraClass/BSim/README.md\n\n\n
DTEND:20240809T182000Z
DTSTART:20240809T180000Z
LOCATION:DC - LVCC West/Floor 1/Hall 1/Track 3
SUMMARY:No Symbols When Reversing? No Problem: Bring Your Own
END:VEVENT
END:VCALENDAR