CanSecWest: Security Masters Dojo Vancouver
Advanced Malware Deobfuscation
Instructors:
Jason Geffner, NGS
Scott Lambert, Microsoft
Target Audience:
This class is for skilled security analysts who wish to learn how to remove binary obfuscation from malware for analysis purposes.
Description:
Security researchers are facing a growing problem in the complexity of malicious executables. With an ever-increasing number of tools that malware authors use to compress and obfuscate executables, and the pressing urgency that analysts often face, it is vital for analysts to know the best methods to remove protections that they have never seen before.
Unpacking is the process of removing the compression and obfuscation applied by a "packer" (or "protector") to a compiled and linked binary. This class will focus on teaching attendees the steps required to effectively deal with both known and previously unknown packing techniques.
This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in thwarting anti-debugging and anti-disassembling techniques.
PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. Each class guide lists the material students are expected to already know coming in, and the software tools that need to be pre-installed before attending, so that you get the maximum benefit from the focused intermediate- or advanced-level course. Please pay particular attention to the prerequisites: the material listed there will not be reviewed in the courses, and it is necessary in order to get the maximum benefit out of these educational programs.
Key Learning Objectives:
- Anti-debugging tricks and how to defeat them.
- Anti-disassembling tricks and how to defeat them.
- A methodology for manually unpacking malware with and without the use of specialized tools.
General Learning Objectives:
- An understanding of why malware authors use packers.
- An understanding of how packers work.
- A working knowledge of the Portable Executable (PE) file format.
Course Outline:
Day 1
- Administrivia and Background Information
- Introduction and Overview of Manual Unpacking
- Portable Executable File Format Primer
- Introduction to Manual Unpacking Strategies and Techniques
- Methods to find the Original Entry Point
- Process Memory Dumping and Import Table Rebuilding
Day 2
- Anti-Debugging Tricks
- Tool Workarounds
- API Redirection
- SEH Injection and Redirection
- Chunked Packing
- Q & A
Course Style:
Combination of lecture and lab. Labs will be interspersed with lectures and will include both group and individual work.
What to Bring:
Attendees must bring their own laptop with Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, or Microsoft Windows 7 installed inside a virtual machine.
Attendees are expected to have the following software installed in a virtual machine prior to the first day of the course:
- API Imports/Exports Viewer - Dependency Walker: http://www.dependencywalker.com/
- API Logger - Auto Debug: http://www.autodebug.com/download.php
- C++ Compiler - Microsoft Visual C++ 2008 Express Edition: http://www.microsoft.com/express/vc/
- Debugger - OllyDbg: http://www.ollydbg.de/download.htm
- Disassembler - IDA Pro: http://www.hex-rays.com/idapro/idadowndemo.htm
- Hex Editor - Hex Workshop: http://www.bpsoft.com/downloads/index.html
- Import Table Reconstructor and Memory Dumper - Import REConstructor: http://www.woodmann.com/collaborative/tools/index.php/ImpREC
- Microsoft Windows SDK - Windows SDK for Windows Server 2008: http://www.microsoft.com/downloads/details.aspx?familyid=E6E1C3DF-A74F-4207-8586-711EBE331CDC
- Packer Detector - PEiD: http://peid.has.it/
- Packer Detector - ExeInfo PE: http://www.exeinfo.xwp.pl/
- Packer Detector - AT4RE FastScanner: http://at4re.com/download.php?view.5
- PE Editor - LordPE: http://www.woodmann.com/collaborative/tools/index.php/LordPE
- Strings Dumper - BinText: http://www.foundstone.com/us/resources/proddesc/bintext.htm
Prerequisites:
It is expected that attendees have a firm understanding of x86 assembly language and the Microsoft Windows API. Reverse engineering experience is desired, though not required.
Attendee Expectations:
Attendees will be required to work both alone and in groups when analyzing malware samples. In addition, attendees will share the results of their analysis with their classmates.
Materials:
Attendees will be presented with the following materials to be used and referenced throughout the duration of the course:
- Notebooks containing lecture slides and worksheets.
- CDs containing various software tools and reference material.