Advanced Techniques for Reverse Engineering Windows Malware
Josh Stroschein
In-Person Training | August 3 - 6 | 4 days
This hands-on course equips security professionals with the advanced techniques needed to reverse engineer complex Windows malware using industry-standard tools. Learn to bypass obfuscation, analyze hidden functionalities, and generate actionable threat intelligence to protect your organization.
ABSTRACT
Advanced malware actively evades detection. Malware authors increasingly rely on obfuscation, packing and other anti-analysis techniques to turn their creations into a maze for analysts, and these threats can slip past even mature security products, leaving an organization blind to a breach in progress. In Advanced Techniques for Reverse Engineering Windows Malware you will gain the skills to dissect such samples: identify and defeat obfuscation using industry-standard tools such as IDA Pro and Ghidra, and combine static and dynamic analysis to uncover hidden functionality and produce actionable threat intelligence. You will also learn to recognize and unravel prevalent packing and anti-analysis techniques as well as other forms of obfuscation, including control-flow obfuscation and hidden strings and API calls.
By the end of this course you will have the insight to understand and anticipate where malware authors will employ these techniques to disrupt your analysis and how to unravel their obfuscation. These skills ultimately allow you to generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.
This is a fast-paced course that takes you deep into malware reverse engineering. Each day ends with comprehensive analysis activities and exercises that test and reinforce the day's key learning objectives. The course is not four days of lecture but an immersive, interactive experience built around hands-on exercises and labs.
INTENDED AUDIENCE
KEY LEARNING OBJECTIVES
- Perform in-depth analysis on a wide variety of malicious artifacts, such as .NET and native-code binaries.
- Become proficient in using reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques.
- Learn how malware dynamically constructs its import table at run time to resolve the functions it calls.
- Gain a deeper understanding of the PE file format and how to analyze it to learn more about malware behavior.
- Leverage static and dynamic tools (assembly-level debuggers, disassemblers, decompilers and sandboxes) to develop a hybrid approach to analyzing malware.
COURSE DETAILS
AGENDA
Day 1: Binary Triage and Unraveling Initial Access Malware
- Learn common delivery techniques and how to extract valuable information
- Master core malware analysis tools and how to perform effective triage
- Tackle .NET malware through decompilation and dynamic analysis
Day 2: Identifying Code Obfuscation
- Identifying signs of packing and obfuscation in native code formats (PE files)
- Developing strategies for detecting known and custom packers
- Unpacking malware using reversing tools and debuggers
- Reversing malware that uses AutoIt and Golang
- Identifying anti-analysis techniques and developing mitigations
- Process hollowing and other code injection techniques
Day 3: Reversing Shellcode and the PE File Format
- Malware use of shellcode – extracting and analyzing
- Digging deep into the PE file format
- Dynamically constructing import tables and other methods for calling Windows APIs
- Identifying string obfuscation through hashes, encryption and other techniques
Day 4: Unraveling Malware Capabilities
- Identifying the use of cryptography
- Finding malware configurations and creating config extractors
- Identifying malware C2 patterns in network traffic
- Tracing the use of Windows API calls
- Handling advanced code protectors such as VMProtect
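The Day 3 topics of dynamically constructed import tables and hash-obfuscated strings share one mechanism: the sample stores a 32-bit hash of each export name it wants, walks a DLL's export table at run time, hashes every name and compares. The script below is an added illustration written for this page, not course material or code from the instructor: it reverses that process by hashing a wordlist of known exports with several candidate algorithms, picking the algorithm that explains the observed constants, and mapping each constant back to a name. The ROR13 and djb2 variants, the CRC32 candidate and the export list are assumptions; a real sample may use a different rotation, seed or case handling, and the list would normally come from parsing the DLL's export directory.

```python
"""Map API-hash constants back to export names (added example, not course material)."""
import zlib
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR13 hash: rotate right by 13, add the next byte. One common variant,
    assumed here; real samples vary the rotation, seed and case handling."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


def djb2_hash(name: str) -> int:
    """djb2 hash (h = h*33 + c, seed 5381), another variant assumed as a candidate."""
    h = 5381
    for byte in name.encode("ascii"):
        h = (h * 33 + byte) & 0xFFFFFFFF
    return h


def crc32_hash(name: str) -> int:
    """CRC32 of the ASCII name, a third candidate algorithm."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


CANDIDATE_ALGORITHMS: Dict[str, Callable[[str], int]] = {
    "ror13": ror13_hash,
    "djb2": djb2_hash,
    "crc32": crc32_hash,
}

# Constructed stand-in for a DLL export table. In practice, parse the PE export
# directory of the module in question and feed every exported name in.
CONSTRUCTED_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "WriteProcessMemory", "CreateRemoteThread", "ResumeThread",
    "CreateProcessA", "NtUnmapViewOfSection", "ExitProcess",
]


def build_hash_table(exports: Iterable[str], hash_fn: Callable[[str], int]) -> Dict[int, str]:
    """Hash every export name; refuse silently ambiguous tables."""
    table: Dict[int, str] = {}
    for name in exports:
        h = hash_fn(name)
        if h in table and table[h] != name:
            # A resolver would have to disambiguate by module hash or name length.
            raise ValueError(f"hash collision {h:#010x}: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def identify_algorithm(observed: Iterable[int], exports: Iterable[str]) -> Optional[Tuple[str, Dict[int, str]]]:
    """Return (algorithm, resolved hashes) for the candidate that explains the
    most observed constants, or None if no candidate matches anything."""
    observed = list(observed)
    exports = list(exports)
    best: Optional[Tuple[str, Dict[int, str]]] = None
    for algo, fn in CANDIDATE_ALGORITHMS.items():
        table = build_hash_table(exports, fn)
        hits = {h: table[h] for h in observed if h in table}
        if best is None or len(hits) > len(best[1]):
            best = (algo, hits)
    if best is None or not best[1]:
        return None
    return best


def resolve(observed: Iterable[int], exports: Iterable[str]) -> Dict[int, Optional[str]]:
    """Map each observed constant to an export name (None when unresolved)."""
    observed = list(observed)
    found = identify_algorithm(observed, exports)
    hits = found[1] if found else {}
    return {h: hits.get(h) for h in observed}


if __name__ == "__main__":
    # Constants as an analyst might lift them from a sample's resolver loop
    # (constructed here with ror13_hash so the demo runs offline).
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("WriteProcessMemory"),
                ror13_hash("CreateRemoteThread"), 0xDEADBEEF]
    found = identify_algorithm(observed, CONSTRUCTED_EXPORTS)
    print("algorithm:", found[0] if found else "unknown")
    for h, name in resolve(observed, CONSTRUCTED_EXPORTS).items():
        print(f"{h:#010x} -> {name}")
```

When a constant stays unresolved, the wordlist is usually the problem rather than the algorithm: extend it with the full export list of every DLL the sample loads, and check whether the hash also folds in the module name, as some shellcode resolvers do.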
REQUIREMENTS
A laptop able to run virtualization software such as VMware or VirtualBox, with access to the system BIOS/UEFI settings in case hardware virtualization extensions need to be enabled. The attendee must be comfortable handling live malware on this machine. At least 40 GB of free disk space for a single VM; multiple VMs may be used.
ABOUT THE INSTRUCTOR
Josh Stroschein is an experienced malware analyst and reverse engineer with a passion for sharing his knowledge. He is a reverse engineer on the FLARE team at Google, where he focuses on the latest threats. Josh is an accomplished trainer who has taught at Ringzer0, BlackHat, Defcon, Toorcon, Hack-In-The-Box, Suricon and other public and private venues. He is also an author on Pluralsight, publishing content on malware analysis, reverse engineering and other security topics.
View Josh's featured videos on reverse engineering and other related topics on his YouTube channel:
https://www.youtube.com/@jstrosch/featured
https://www.linkedin.com/in/joshstroschein/
https://twitter.com/jstrosch
https://github.com/jstrosch