Advanced Malware Analysis and Reverse Engineering

IN-PERSON 4 DAYS TRAINING: AUGUST 2022 * WEEK 1: AUG 6-9

Dr. Josh Stroschein


Abstract

Obfuscation, packing and other forms of anti-analysis are commonly used by malware authors to prevent or disrupt deep technical analysis. This helps threat actors avoid detection by even the most advanced security products deployed in your enterprise.

In this course, you will get hands-on experience reverse engineering modern native code malware. Using tools such as IDA Pro, Ghidra, x32/x64dbg, PE Studio and more, you will learn how to perform deep technical analysis of today's most prevalent threats. You will develop effective strategies for reverse engineering using both static and dynamic techniques and tools.

You will also learn how to identify and unravel prevalent packing techniques, anti-analysis techniques and other forms of obfuscation, such as control-flow obfuscation and hiding strings and API calls.

We will get hands-on reversing native code malware and malware that uses interpreters such as AutoIt scripts, and we will analyze shellcode.

By the end of this course you will have the insight to understand and anticipate where malware authors will employ these techniques to disrupt your analysis and how to unravel their obfuscation. These skills ultimately allow you to generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.

This is a fast-paced course designed to take you deep into malware reverse engineering! Each day will end with comprehensive analysis activities and exercises to test and reaffirm key learning objectives. This course is designed to be not simply 4 days of lecture, but an immersive and interactive learning experience. It is an ideal course for security analysts, malware analysts/researchers and blue teams that need to get hands-on diving deep into malicious software.

Key Learning Objectives

  • Understand different attack methods used by malicious actors and how they map to attack frameworks such as MITRE ATT&CK
  • Perform exhaustive analysis on native code binaries (PE files) and shellcode
  • Learn how to reverse engineer unconventional malware such as malware created with AutoIt scripts
  • Become proficient in utilizing reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques.
  • Learn how malware authors dynamically construct import tables for function calls
  • Gain a deeper understanding of binary file formats and how to analyze them to learn more about malware behavior (PE file format)
  • Learn how to use reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques.
  • Leverage static and dynamic tools to develop a hybrid approach for effectively analyzing malware including assembly level debuggers, disassemblers, decompilers and sandboxes

Who Should Attend

This course will take students through key phases of malware operations, providing deep technical analysis and hands-on labs to gain experience detecting, analyzing and reverse engineering malware. This is an ideal course for security analysts, threat researchers, malware researchers and anyone tasked with defending an organization to get hands-on diving deep into malware.

Agenda

Session 1: Reverse Engineering Malware

  • Identifying signs of packing and obfuscation in native code formats (PE files)
  • Developing strategies for detecting known and custom packers
  • Unpacking malware using reversing tools and debuggers

Session 2: Reversing Interpreted Malware and Finding Anti-Analysis

  • Reversing malware that uses AutoIt
  • Identifying anti-analysis techniques and developing mitigations
  • Process hollowing and other code injection techniques

Session 3: Reversing Shellcode and the PE File Format

  • Malware's use of shellcode – extracting and analyzing it
  • Digging deep into the PE file format
  • Dynamically constructing import tables and other methods for calling Windows APIs
  • Identifying string obfuscation through hashes, encryption and other techniques

Session 4: Finding Malware Configs and C2

  • Dissecting modular malware such as TrickBot
  • Identifying malware configurations
  • Identifying malware C2 patterns

Prerequisites

The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, some familiarity with the following topics will help students maximize their time in this course:

  • Basic malware analysis
  • An understanding of programming language concepts such as control structures (IF statements, loops and functions), data structures (objects, structures, arrays) and variable usage
  • Ability to read assembly for Intel 32- and 64-bit architectures
  • Proficiency with a Windows-based debugger such as WinDbg, x64dbg or Immunity

Pre-class Tutorials

To help prepare for this course, it is recommended that students be familiar with information from the following sources:

System Requirements

  • Linux/Windows/Mac desktop environment
  • A laptop with the ability to run virtualization software such as VMware or VirtualBox
  • Access to the system BIOS to enable virtualization, if disabled via the chipset
  • Ability to temporarily disable anti-virus or white-list folders/files associated with lab material
  • A laptop that the attendee is comfortable handling live malware on
  • Enough disk space to store at least a single 40 GB VM, although multiple VMs may be used

Students will be provided with

Students will be provided with all of the lab material used throughout the course in a digital format, including lab guides and the virtual machines used for training. This course will also utilize several live classroom sharing resources, such as chat and notes, to ensure that students have access to all material discussed throughout the training. Comprehensive lab guides will also be provided so that students can continue learning after the course ends and maximize the knowledge gained from this course.