Advanced Windows Malware Analysis
A Guided Tour Through The Forest
4 Day Training: August 1,2,3,4
This course aims to provide a deep understanding and effective approaches to the main techniques that malware analysts encounter in their daily work. Rather than focusing on a tool based approach, our main goal will be to gain insights into what the malware writers tried to achive, and the implementation they used.
By going into the mindset of the malware writer, we will learn a creative attitude to malware analysis, allowing us to come up with our own solutions, rather than relying upon existing ones.
We shall also learn how to speed up various steps of the analysis process by automation - customizing existing tools by scripting, and also patching samples and using them for our advantage.
All case studies demonstrated in class are from the author's own first hand experience.
Key Learning Objectives
- A Deep dive into the world of PE binaries
- Working with tools such as PE bear, PE Sieve, libPeConv, tiny_tracer, etc. all written by the instructor.
- Unpacking simple to complex malware.
- Malware hooking, obfuscation and detection evasion techniques.
- Analysing unusual malware such as Petya
- Hands-on exercises with malware samples.
- COMPLEXITY LEVEL: INTERMEDIATE, leaning towards Advanced.
Who Should Attend
This course is suited for researchers who have some experience with reverse engineering, programming, using debugging tools such as x64dbg, OllyDBG, IDA, etc. who want to enter the world of Windows malware analysis.
The presented knowledge will also benefit current malware analysts who wish to upgrade their skills to the next level - to better understand underlying malware techniques, and be able to write deep dive blog posts.
Day 1: Inside The Compiled Application
- Introduction: Decomposing the malware landscape. Functionality, complexity, threat actors, motivations.
- A journey from high level language, through assembly, till opcodes.
- EXERCISE: Compiling and reversing a sample application: Changing flags via a debugger, substituting a function with another, patching out conditions.
- Native and Managed PEs - Different approaches to analysis.
- Understanding PE files using PE-bear.
- Understanding the process of loading a PE binary.
- Demonstrating a manual loader on the example of libPeConv.
- Understanding injection techniques present on the landscape: RunPE, Reflective DLL, Process Doppelgänging and more.
- 32 bit meets 64: Heaven's Gate technique.
- Beyond PE: Example of malware using shellcode fragments (mechanics behind a shellcode, i.e. how a shellcode loads its imports)
- Static and dynamic analysis of shellcodes.
- Unpacking techniques: (a) PE-sieve (example of a dynamic unpacker) and (b) manual unpacking - optionally aided by a PIN tracer (tiny_tracer).
- EXERCISES: crackmes, examples for unpacking.
Day 2: Typical goals of malware and their implementations
- Understanding functionality of malicious modules and their implementation - Ransomware, Spyware, Stealer, etc.
- Malware hooks - how and why.
- Detecting hooks.
- Decomposing Banking Trojans and their modules.
- How do malware authors backdoor systems (e.g. Hidden VNC).
- Malware persistence methods.
- A walk through methods of UAC bypassing.
- EXERCISES: (a) Malware samples to unpack and identify (recognize functionality). (b) Identifying malware techniques found in the code.
Day 3: Understanding and countering malware's evasion and self-defense techniques
- Fingerprinting the environment for the sake of defense - common techniques.
- Various approaches for countering malware's defense: environment hardening, sample patching.
- Techniques employed by malware for evading monitoring, involving loading a fresh copy of DLLs (kernel32, ntdll) or extracting syscalls (from ntdll) and using custom wrappers.
- Common ways of obfuscating API calls, and how to deal with them (i.e. by using PIN tracers).
- Deobfuscating strings and other elements (a) with Python scripts. (b) adapting the original code with libPeConv.
- Examples of a malware with obfuscated flow (including SEH/VEH technique, self-modifying code, elements of virtualization).
- Overview of various approaches on using instrumentation to analyze malware.
Day 4: Not your daily piece of malware - the unusual cases
The last day is dedicated to analyse unusual/atypical malware. Students will be given a few malware examples to choose from. We will then work through the most voted case study. Depending upon the chosen malware, we would cover supplementary topics needed to analyse it, such as:
- Setting up the environment to analyse low level attacks
- Custom malware formats: Writing a loader for an unknown piece of malware.
- Kernel mode components: how to set up the environment for kernel mode debugging, how to understand the driver.
- Basic to intermediate reverse engineering and programming skills.
- Working knowledge of debuggers such as x64dbg, OllyDbg, etc.
- Familiarity with C/C++ and Python.
- A laptop capable of running 2 virtual machines
- Windows 7 or 8 VM installed. VMs for testing can be downloaded from here
- For static analysis, IDA Pro is most preferred, but Ghidra is acceptable
- A Debugger of your choice: OllyDbg/x32dbg/ImmunityDbg for 32bit apps, x64dbg for 64bit apps
Aleksandra "Hasherezade" Doniec
Aleksandra is the Malware Intelligence Analyst at MalwareBytes. She unpacks malware with as much joy as a kid unpacking candies.
In her own words: "I am passionate about IT since my early teenage years. From that time I collected wide range of experience - working as a scientific researcher, C/C++ developer, pentester and analyst. Currently, I spend most of my time analyzing malware (and sharing knowledge about it, i.e. by writing technical blog posts for Malwarebytes, sometimes presenting at conferences or recording podcasts). Even though programming is no longer my full-time job, I still love to code and create some open source tools (mostly related to malware analysis)."