WHISKEYCON

Malware Analysis Course

Instructor

Joxean Koret

Joxean Koret has been working for more than 15 years in many different computing areas. He started as a database software developer and DBA for a number of different RDBMSs. Afterwards he became interested in reverse engineering and applied this knowledge to the databases he was working with, discovering dozens of vulnerabilities in products from the major database vendors, especially in Oracle software. He has also worked in other security areas, such as malware analysis and anti-malware software development for an antivirus company, and on developing IDA Pro at Hex-Rays. He is currently a security researcher at Coseinc.

Training Dates

26 - 29 March 2016

Description

This course provides effective knowledge and hands-on experience in basic malware analysis. It introduces current and relevant techniques that will prepare students to become proficient malware researchers. The course makes heavy use of IDA to perform both static and dynamic analysis.

Topics

Day 1

Overview of Malware

  • Definition of Malware
  • Types of Malware
  • Characteristics
  • Prevalence
  • Classification of unknown binaries

Windows Fundamentals

  • Basic Concepts
  • Windows API overview
  • Handles
  • Malware Behaviours
  • File Management
  • Registry
  • Networking

Dynamic Analysis

  • Definition
  • Pros & Cons
  • Process
  • Tools
  • Lab Exercise

Day 2

Programming Fundamentals Overview

  • Instructions
  • Functions
  • Code Constructs
  • Data Representation

X86 Assembly Refresher

  • x86 Registers
  • x86 Instructions Format
  • Common x86 instructions
  • Stack
  • Calling conventions

Static Analysis

  • Definition
  • Pros and Cons
  • Process
  • Tools
  • Lab Exercise

Day 3

PE File format

  • PE Fundamentals
    • Image Base
    • Virtual Address
    • Relative Virtual Address
    • File Offset
    • Section Alignment
    • File Alignment
    • Size of Image
    • Entry Point
    • Sections
    • Import Table & Import Address Table
  • PE Loader Basics

Unpacking Strategies

  • Options for unpacking malware
  • Methods and steps to manually unpack malware
  • Tools used for unpacking malware

Day 4

Anti-Debugging Techniques

  • Generic debugger detection
  • Specific debugger detection
  • Other methods

Advanced Deobfuscation

Course Requirements

Student Requirements

  • Knowledge of C
  • Knowledge of x86 assembly is an advantage

Software Requirements

  • Microsoft Windows as a VM
  • Full version of IDA 6.1 or later (Free version of IDA might work)

Hardware Requirements

  • Laptop with Ubuntu installed