Summary

This one-day training is structured similarly to a standard analysis workflow. It starts with identifying and unpacking malware, including basic and sophisticated packers, while tackling common scenarios encountered in the process. Students will learn to work through defeating API hashing and string encryption within malware, leveraging plugins, and building their own custom tooling with IDA Python. From there, the session will conclude with gaining additional insights into analyzing further advanced malware techniques such as AV evasion, anti-analysis tactics, and advanced injection methods.

Prerequisites

Proficiency in IDA Pro, very good knowledge of Python

 

Course Overview

Session 1: Unpacking Malware

  • Identifying packers
    • Techniques for detecting packers via binary metadata
  • Unpacking basic packers
    • Overview of common packer structures
    • Standard approaches for unpacking
  • Unpacking advanced packers
    • Evaluating unpacking difficulty using sample metadata
    • Handling second-stage obfuscation, such as API wrappers

Session 2: Reversing Malware Obfuscation

  • Dynamic API Imports
    • Concepts of dynamic API imports and API hashing
    • Strategies for resolving API hashes
    • Utilizing IDA Python for API brute-forcing and resolution
  • String Encryption
    • Detecting string encryption in samples
    • Identifying encryption algorithms
    • Techniques for decrypting encrypted strings
    • Leveraging IDA Python to decrypt all embedded strings

Session 3: Identifying Malware Anti-Analysis/Anti-AV

  • ETW Bypasses
    • Introduction to Event Tracing for Windows (ETW)
    • The necessity for malware to evade ETW
    • Analysing ETW bypasses/evasion
  • API Unhooking
    • Overview of basic API hooking
    • Understanding Endpoint Detection and Response (EDR) hooks on low-level libraries
    • Reversing methods malware uses to unhook APIs
  • Syscalls
    • Explanation of Windows syscalls
    • Common usage scenarios of syscalls in malware
    • Identifying syscall usage
    • Reversing syscall functionality
  • Generic Advanced Anti-Analysis
    • Code checksums for tamper detection
    • Breakpoint checks & circumventing them
    • Understanding and potentially breaking environment keying

Session 4: Malware Process Injection

  • Reflective Injection
    • Differentiating reflective injection from regular injection
    • Reverse engineering reflective injection functionality in malware
  • Shellcode Injection/Execution via Callbacks
    • Fundamentals of shellcode injection
    • Understanding execution through callbacks
    • Reversing callback injection

Enroll to one of our next sessions

Thu, November 21, 2024 09:00 UTC-5 (New York)

Thu, November 21, 2024 09:00 UTC-5 (New York)

Enroll now

Thu, December 12, 2024 10:00 UTC+1 (Paris)

Thu, December 12, 2024 10:00 UTC+1 (Paris)

Enroll now