Advanced Windows Malware Analysis - A Guided Tour Through The Forest

4 Day u_long 32 CPE Hour Training: August 2020 * AUG 8, 9, 11, 13

Aleksandra "Hasherezade" Doniec

CLASS REGISTRATION IS CLOSED

This class has reached its maximum capacity.

SUGGESTED ALTERNATIVE: MODERN MALWARE ANALYSIS

Abstract

This course aims to provide a deep understanding and effective approaches to the main techniques that malware analysts encounter in their daily work. Rather than focusing on a tool based approach, our main goal will be to gain insights into what the malware writers tried to achive, and the implementation they used.

By going into the mindset of the malware writer, we will learn a creative attitude to malware analysis, allowing us to come up with our own solutions, rather than relying upon existing ones.

We shall also learn how to speed up various steps of the analysis process by automation - customizing existing tools by scripting, and also patching samples and using them for our advantage.

All case studies demonstrated in class are from the author's own first hand experience.

Key Learning Objectives

  • A Deep dive into the world of PE binaries
  • Working with tools such as PE bear, PE Sieve, libPeConv, tiny_tracer, etc. all written by the instructor.
  • Unpacking real life malware cases.
  • Analysing unusual malware
  • Hands-on exercises with malware samples.
  • COMPLEXITY LEVEL: INTERMEDIATE, leaning towards Advanced.

Who Should Attend

This course is suited for researchers who have some experience with reverse engineering, programming, using debugging tools such as x64dbg, OllyDBG, IDA, etc. who want to enter the world of Windows malware analysis.

The presented knowledge will also benefit current malware analysts who wish to upgrade their skills to the next level - to better understand underlying malware techniques, and be able to write deep dive blog posts.

Agenda

PART 1: Inside The Compiled Application

  • A journey from high level language, through assembly, till the running process.
  • EXERCISE: Compiling and reversing a sample application: Changing flags via a debugger, substituting a function with another, patching out conditions.
  • Native and Managed PEs - Different approaches to analysis.
  • Understanding PE files using PE-bear.
  • Understanding the process of loading a PE binary.
  • Demonstrating a manual loader on the example of libPeConv.
  • Understanding injection techniques present on the landscape: RunPE, Reflective DLL, Process Doppelg√§nging and more.
  • 32 bit meets 64: Heaven's Gate technique.
  • Beyond PE: Example of malware using shellcode fragments (mechanics behind a shellcode, i.e. how a shellcode loads its imports)
  • Shellcodes and how to build them: exercise in creating a 32 and 64 bit shellcode out of a code written in C
  • Static and dynamic analysis of shellcodes.
  • Unpacking techniques: (a) PE-sieve (example of a dynamic unpacker) and (b) manual unpacking - optionally aided by a PIN tracer (tiny_tracer).
  • EXERCISES: examples for unpacking.

PART 2: Typical goals of malware and their implementations

  • Understanding functionality of malicious modules and their implementation - Ransomware, Spyware, Stealer, etc.
  • Malware hooks - how and why.
  • Detecting hooks.
  • Decomposing Banking Trojans and their modules.
  • How do malware authors backdoor systems (e.g. Hidden VNC).
  • Malware persistence methods.
  • EXERCISES: (a) Malware samples to unpack and identify (recognize functionality). (b) Identifying malware techniques found in the code.

PART 3: CASE STUDY: An in-depth analysis of Fobber Malware

The last section is dedicated to analyse unusual/atypical malware. We shall cover the Win.Fobber malware. This section will consist of largely demonstrations and hands-on follow-along instruction.

  • Fobber is a quite rare, interesting malware. More details: https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber
  • The core of the malware is implemented as a SHELLCODE and not a PE
  • The only PE is the initial loader which doesn't have any malicious parts, except the injection of the malicious parts
  • Self modifying code - parts are dynamically decrypted and then encrypted again
  • We will be walking through all the elements - from the first to the last one, using a roadmap generated by a PIN tracer
  • Dumping the shellcode, and wrapping it as a PE for easier analysis
  • We will highlight the most interesting parts of the functionality
  • Pinpoint and reverse the algorithms that are important for moving the analysis forward

Prerequisites

  • Basic to intermediate reverse engineering and programming skills.
  • Working knowledge of debuggers such as x64dbg, OllyDbg, etc.
  • Familiarity with C/C++ and Python.

System Requirements

  • A laptop capable of running 2 virtual machines
  • Windows 10 VM installed. VMs for testing can be downloaded from here
  • For static analysis, IDA Pro is most preferred, but Ghidra is acceptable
  • A Debugger of your choice: OllyDbg/x32dbg/ImmunityDbg for 32bit apps, x64dbg for 64bit apps