• null and OWASP Bangalore chapter leader
• A decade of security experience in various technologies
• Security researcher and evangelist
• Speaker and trainer at several security conferences
• @riyazwalikar | @wincmdfu
3. What is Bashware?
• A technique researched by Check Point Security that can be used by
malware to run using the Windows Subsystem for Linux (WSL) and
not be detected by security solutions (like AV etc.)
• Basically a way to run PE executables using the WSL
• Bash + (mal)ware
4. Back to Basics
• How does malware (pick any) infect a Windows machine?
• How is it detected? Any examples of detection techniques?
5. An overview of WSL
• WSL is a collection of components that enables native Linux ELF64
binaries to run on Windows. It contains both user mode and kernel
mode components. It is primarily comprised of:
• User mode session manager service that handles the Linux instance life cycle
• Pico provider drivers (lxss.sys, lxcore.sys) that emulate a Linux kernel by
translating Linux syscalls
• Pico processes that host the unmodified user mode Linux (e.g. /bin/bash)
11. Step 2: Enable Developer mode
• Set the following registry values