Summary

This one-day training follows the shape of a standard analysis workflow. It starts with identifying and unpacking malware, covering both basic and sophisticated packers and the common problems met along the way. Students then learn to defeat API hashing and string encryption in malware, both by leveraging existing plugins and by building their own tooling with IDA Python. The day concludes with the analysis of more advanced malware techniques: AV evasion, anti-analysis tactics, and advanced injection methods.

Prerequisites

Proficiency in IDA Pro and very good knowledge of Python.

Course Overview

Session 1: Unpacking Malware

  • Identifying packers
    • Techniques for detecting packers via binary metadata
  • Unpacking basic packers
    • Overview of common packer structures
    • Standard approaches for unpacking
  • Unpacking advanced packers
    • Evaluating unpacking difficulty using sample metadata
    • Handling second-stage obfuscation, such as API wrappers

Session 2: Reversing Malware Obfuscation

  • Dynamic API Imports
    • Concepts of dynamic API imports and API hashing
    • Strategies for resolving API hashes
    • Utilizing IDA Python for API brute-forcing and resolution
  • String Encryption
    • Detecting string encryption in samples
    • Identifying encryption algorithms
    • Techniques for decrypting encrypted strings
    • Leveraging IDA Python to decrypt all embedded strings
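
The hash-resolution step named above (Session 2, "Strategies for resolving API hashes" and "API brute-forcing"), shown as an added, stand-alone example that is not part of the course material: the analyst recovers the hash routine from the sample, re-implements it, hashes every export name of the DLLs the sample could target, and looks the sample's embedded hash constants up in that table. The example goes one step further than a single routine and tries several common hash families to find the one that matches. Everything in it is constructed: the three hash values stand in for constants pulled out of a sample, the export list stands in for names that would normally be read from real DLLs (for instance with pefile), and the hash functions are generic implementations of well-known families, not a specific sample's code.

```python
import zlib

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def hash_ror13_add(name: str) -> int:
    """ROR13-then-add over the ASCII export name (the family used by Metasploit-style shellcode)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def hash_djb2(name: str) -> int:
    """Classic djb2: h = h * 33 + byte, truncated to 32 bits."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & MASK32
    return h


def hash_crc32(name: str) -> int:
    """Plain CRC32 of the export name, another common choice in loaders."""
    return zlib.crc32(name.encode("ascii")) & MASK32


# Candidate hash families to try against the sample's constants.
HASHERS = {"ror13_add": hash_ror13_add, "djb2": hash_djb2, "crc32": hash_crc32}

# Constructed stand-in for export names read from the target DLLs.
CANDIDATE_EXPORTS = [
    "Sleep", "Beep", "ExitProcess", "VirtualAlloc", "VirtualProtect",
    "LoadLibraryA", "GetProcAddress", "CreateThread", "WriteProcessMemory",
]

# Constructed stand-in for hash constants lifted from a sample's resolver table.
# The last value deliberately matches nothing, to show how a miss is reported.
SAMPLE_HASHES = [0xDB2D49B0, 0x872819B0, 0x41414141]


def build_table(hasher, names):
    """Precompute hash -> export name for one hash family."""
    return {hasher(n): n for n in names}


def identify_algorithm(sample_hashes, names):
    """Pick the hash family that explains the most sample constants."""
    best_algo, best_hits = None, 0
    for algo, hasher in HASHERS.items():
        table = build_table(hasher, names)
        hits = sum(1 for h in sample_hashes if h in table)
        if hits > best_hits:
            best_algo, best_hits = algo, hits
    return best_algo, best_hits


def resolve(sample_hashes, names):
    """Return (algorithm, {hash: export name or None}) for the sample's constants."""
    algo, _ = identify_algorithm(sample_hashes, names)
    if algo is None:
        return None, {h: None for h in sample_hashes}
    table = build_table(HASHERS[algo], names)
    return algo, {h: table.get(h) for h in sample_hashes}


if __name__ == "__main__":
    algo, resolved = resolve(SAMPLE_HASHES, CANDIDATE_EXPORTS)
    print(f"hash family: {algo}")
    for h, name in resolved.items():
        print(f"  {h:#010x} -> {name or '<unresolved>'}")
```

Inside IDA the same `resolve` logic is what an IDA Python script wraps: iterate the cross-references to the sample's resolver routine with `idautils`, read the hash argument at each call site, and apply the recovered name as a comment or a renamed global so the rest of the listing reads as if the imports were static. Unresolved hashes are the interesting ones, since they usually mean either a DLL missing from the candidate list or a hash routine that differs slightly from the family you assumed (a different rotate count, a case fold, or a seed).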

Session 3: Identifying Malware Anti-Analysis/Anti-AV

  • ETW Bypasses
    • Introduction to Event Tracing for Windows (ETW)
    • The necessity for malware to evade ETW
    • Analysing ETW bypasses/evasion
  • API Unhooking
    • Overview of basic API hooking
    • Understanding Endpoint Detection and Response (EDR) hooks on low-level libraries
    • Reversing methods malware uses to unhook APIs
  • Syscalls
    • Explanation of Windows syscalls
    • Common usage scenarios of syscalls in malware
    • Identifying syscall usage
    • Reversing syscall functionality
  • Generic Advanced Anti-Analysis
    • Code checksums for tamper detection
    • Breakpoint checks & circumventing them
    • Understanding and potentially breaking environment keying

Session 4: Malware Process Injection

  • Reflective Injection
    • Differentiating reflective injection from regular injection
    • Reverse engineering reflective injection functionality in malware
  • Shellcode Injection/Execution via Callbacks
    • Fundamentals of shellcode injection
    • Understanding execution through callbacks
    • Reversing callback injection

Enroll in one of our next sessions

Thu, December 12, 2024 10:00 UTC+1 (Paris)

Enroll now