Advanced Malware Techniques

Summary

This 1-day course is ideal for intermediate or advanced level IDA users. The training is structured similarly to a standard analysis workflow It starts with identifying and unpacking malware, including basic and sophisticated packers, while tackling common scenarios encountered in the process. Attendees will learn to work through defeating API hashing and string encryption within malware, leveraging plugins, and building their own custom tooling with IDA Python. From there, the session will conclude with gaining additional insights into analyzing further advanced malware techniques such as AV evasion, anti-analysis tactics, and advanced injection methods.

Prerequisites

Proficiency in IDA Pro, very good knowledge of Python, and light knowledge of malware techniques

Computer Requirements

Has IDA installed with a valid license for at least the Disassembler and a minimum of 1 Decompiler - we can provide a license for training if need be
Runs Windows (Intel), Linux (Intel), or macOS (ARM or Intel) matching your IDA license
Has IDAPython (Python 3.8+) installed
Has a stable internet connection
Can join Google Meets video conferencing, preferably with an active microphone, but not required

System & Tooling Requirements

Windows 10 - x64, running within a Virtual Machine
IDA Pro (8.4 or 9.0) with FindCrypt Plugin and HashDB Plugin
x32dbg/x64dbg , ScyllaHide Plugin
Python 3.9+ and Pip (IDA Pro is bundled with the correct version of Python)
Code editor of choice (Visual Studio Code, Sublime Text, etc.)
PE Bear
PE Studio Or CFF Explorer
SystemInformer/ProcessHacker

Trainer

Daniel B.

Daniel spends his days as a Principal Malware Reverse Engineer, predominantly focused on E-Crime malware, occasionally branching out to APT. Outside of his day job, he runs 0ffset Training which offers practical and affordable cyber security training, with a primary specialization in malware analysis and malware reverse engineering - he co-developed the Zero2Automated course. Outside of malware, he's interested in exploit development and threat intelligence.

Daniel is a longtime IDA user with over 7 years under his belt (keyboard?), mostly focused on the static analysis side of the house. He’s going on his second year of teaching our Advanced Malware class.

“Good stuff. Good trainer. All in all great with a very deep dive into the technical details and absolutely worth attending.”

Course Overview

Session 1: Unpacking Malware

Approx. 2h

Identifying packers
- Techniques for detecting packers via binary metadata
Unpacking basic packers
- Overview of common packer structures
- Standard approaches for unpacking

Unpacking advanced packers
- Evaluating unpacking difficulty using sample metadata
- Handling second-stage obfuscation, such as API wrappers

Session 2: Reversing Malware Obfuscation

Approx. 2.5h

Dynamic API Imports
- Concepts of dynamic API imports and API hashing
- Strategies for resolving API hashes
- Utilizing IDA Python for API brute-forcing and resolution

String Encryption
- Detecting string encryption in samples
- Identifying encryption algorithms
- Techniques for decrypting encrypted strings
- Leveraging IDA Python to decrypt all embedded strings

Session 3: Identifying Malware Anti-Analysis/Anti-AV

Approx. 2h

ETW Bypasses
- Introduction to Event Tracing for Windows (ETW)
- The necessity for malware to evade ETW
- Analysing ETW bypasses/evasion
API Unhooking
- Overview of basic API hooking
- Understanding Endpoint Detection and Response (EDR) hooks on low-level libraries
- Reversing methods malware uses to unhook APIs

Syscalls
- Explanation of Windows syscalls
- Common usage scenarios of syscalls in malware
- Identifying syscall usage
- Reversing syscall functionality
Generic Advanced Anti-Analysis
- Code checksums for tamper detection
- Breakpoint checks & circumventing them
- Understanding and potentially breaking environment keying

Enroll to one of our next sessions