Reverse Engineering Malware


Creators:    Matt Briggs & Frank Poz (@knowmalware)


License:    Creative Commons: Attribution, Share-Alike

(http://creativecommons.org/licenses/by-sa/3.0/)


Class Prerequisites: Introduction to Intel x86 and Introduction to Reverse Engineering Software or equivalent knowledge.


Lab Requirements:

- Virtual machine software (VMWare is recommended).

- Windows system with IDA Pro (Free 5.0 is acceptable).

- Microsoft Visual Studio 2008 redistributable package.


Class Textbook: “Practical Malware Analysis” by Michael Sikorski and Andrew Honig


Recommended Class Duration: 2 days


Creator Available to Teach In-Person Classes: Yes


Author Comments:


An email arrives in your inbox: "You have to check out this picture!" It came from your friend's address, which you know and trust. It beckons you to open it. Maybe you weren't fooled this time, but it's likely that at least one of the 50 other recipients couldn't resist.


As we store more of our confidential information on our computers, from bank account credentials to company secrets, the reward-to-risk ratio for attackers increases, and so has the number of malware (malicious software) threats. While anti-virus and intrusion detection systems have improved over the years, nothing can substitute for a skilled malware analyst when a business needs to understand and mitigate a network intrusion.


This class picks up where the Introduction to Reverse Engineering Software course left off, exploring how static reverse engineering techniques can be used to understand what a piece of malware does and how it can be removed.


Topics include:

- Understanding common malware features and behavior

- Defeating code armoring and obfuscation

- Signature creation and applying prior analysis

- Dynamic analysis tools and how they can aid static analysis


During the course students will complete many hands-on exercises.


Before taking this class you should take Introduction to Intel x86 and Introduction to Reverse Engineering Software or have equivalent knowledge.



Latest Class Materials


All material (TiddlyWiki (html+javascript) & analyzed malware (PE) & IDA C & Python scripts)
TiddlyWiki lecture materials (html+javascript)

To bypass executable filters (e.g. so the archive can be sent through email), the Malware ZIP is an encrypted zip with the password infected, and all of the .exe files inside have been renamed to .ex_. On Mac OS X 10.6 and below, you will have to open the zip file from Terminal in order to get the password prompt.


2013 Class Materials that match videos


All materials (TiddlyWiki (html+javascript) & analyzed malware (PE) & IDA C & Python scripts)
TiddlyWiki lecture materials (html+javascript)

As with the latest materials, this Malware ZIP is encrypted with the password infected and its .exe files have been renamed to .ex_ to bypass executable filters; on Mac OS X 10.6 and below, open the zip file from Terminal to get the password prompt.



Full quality downloadable QuickTime, h.264, and Ogg videos at Archive.org:

Day 1 Part 1 Prerequisites (15:51, 133 MB)

Day 1 Part 2 Analysis Goals (7:34, 89 MB)

Day 1 Part 3 Triage, Tasks, and Tools (14:41, 130 MB)

Day 1 Part 4 Malware Lab Setup (3:08, 40 MB)

Day 1 Part 5 Analysis Methods (8:10, 106 MB)

Day 1 Part 6 Execution and Persistence (4:42, 60 MB)

Day 1 Part 7 Know Your Tools (9:36, 76 MB)

Day 1 Part 8 Generic RE Algorithm (3:50, 38 MB)

Day 1 Part 9 Data Encoding (11:02, 105 MB)

Day 1 Part 10 Data Encoding - Common Algorithms - Caesar Cipher & XOR + variants (25:02, 234 MB)

Day 1 Part 11 Data Encoding - Common Algorithms - Base64 (33:45, 316 MB)

Day 1 Part 12 Data Encoding - Common Algorithms - Crypto (11:04, 111 MB)

Day 1 Part 13 Data Encoding - Common Algorithms - Compression (4:09, 48 MB)

Day 1 Part 14 Data Encoding - Common Algorithms - String Obfuscation (10:23, 112 MB)

Day 1 Part 15 Data Decoding (20:28, 201 MB)

Day 1 Part 16 How a Debugger Works (1:54, 20 MB) (this is covered in more depth in the new Introduction to Reverse Engineering Software class, which hasn't been released yet)

Day 1 Part 17 Malware Unpacking (35:29, 351 MB)

Day 1 Part 18 Day 1 Review (1:46, 24 MB)

Day 2 Part 1 Network Communications - Introduction & Finding the Code (24:36, 226 MB)

Day 2 Part 2 Network Communications - Command & Control, Indicators (10:39, 116 MB)

Day 2 Part 3 DLL Analysis (20:09, 201 MB)

Day 2 Part 4 Anti-Analysis (11:53, 124 MB)

Day 2 Part 5 Anti-Analysis Examples (29:45, 266 MB)

Day 2 Part 6 How CreateFile() Works (4:16, 40 MB)

Day 2 Part 7 Shellcode Analysis (7:50, 89 MB)

(Total running time: 5:31:58, not counting lab time)


The videos are useful for students, and even more useful for potential instructors who would like to teach this material. By watching the videos, you will better understand the intent of some slides which do not stand on their own. We recommend watching the largest-size video so that as much text as possible is legible without having to follow along in the slides.



Revision History:


08-17-2014 -
  1. Added common string encodings (UTF-8, UTF-16, etc.)
  2. Added packer categories and references
  3. Updated Generic RE Algorithm
  4. Added instructions for using PDFStreamDumper to extract shellcode from a PDF
  5. Minor formatting changes
  6. Added sdhash reference to Triage section
  7. Added shellcode example-specific decoding IDC script

06-02-2013 - Uploaded class videos & revised materials

08-04-2012 - Initial class content upload


If you have used and modified this material, we would appreciate it if you submitted your modified version for publishing here, so that all versions can benefit from your changes.