CanSecWest: Security Masters Dojo Vancouver
Advanced Malware DeobfuscationRegister for March 10-11 Course - Advanced Malware Deobfuscation
Security researchers are facing a growing problem in the complexity of malicious executables. With an ever-increasing number of tools that malware authors use to compress and obfuscate executables, and the pressing urgency that analysts often face, it is vital for analysts to know the best methods to remove protections that they have never seen before.
Unpacking is the process of removing the compression and obfuscation applied by a "packer" (or "protector") to a compiled and linked binary. This class will focus on teaching attendees the steps required to effectively deal with both known and previously unknown packing techniques.
This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in thwarting anti-debugging and anti-disassembling techniques.
Key Learning Objectives:
- Anti-debugging tricks and how to defeat them
- Anti-disassembling tricks and how to defeat them
- A methodology for manually unpacking malware with and without the use of specialized tools
General Learning Objectives:
- An understanding of why malware authors use packers
- An understanding of how packers work
- A working knowledge of the Portable Executable (PE) file format
- Combination of lecture and lab. Labs will be interspersed with lectures and will include both group and individual work.
PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.
What to Bring:Attendees must bring their own laptop with a 32-bit version of Microsoft Windows XP (SP2 or SP3), Windows Vista, Windows 7, or Windows 8 installed inside of a virtual machine. The host system should be configured to access the Internet via conference-provided wireless Internet access. Attendees are expected to have the following software installed in their virtual machine prior to the first day of the course:
- API Imports/Exports Viewer - Dependency Walker
- API Logger - API Monitor
- Debugger - OllyDbg 2.0
- Disassembler - IDA Pro
- Hex Editor - 010 Editor
- Import Table Reconstructor and Memory Dumper - Import REConstructor
- Packer Detector - Exeinfo PE
- PE Editor - LordPE
- Strings Dumper - BinText
PrerequisitesIt is expected that attendees have a firm understanding of x86 assembly language, and the Microsoft Windows API. Reverse engineering experience is desired, though not required. Attendees should be comfortable in the Windows environment.
MaterialsAttendees will be presented with the following materials to be used and referenced throughout the duration of the course:
- Notebooks containing lecture slides and worksheets.
- CDs containing various software tools and reference material.
Course Schedule:Day One
- PE File Format Essentials
- Packer Overview
- Fundamentals of Win32 Debugging
- Methods for Finding the Original Entry Point
- Manual and Assisted Import Table Reconstruction
- Overcoming Anti-Debugging Tricks
- User-Mode and Kernel-Mode Hooking and Code-Splicing
- Protected Processes
- Heap-Based Unpacking
- Exception Injection and Redirection
- API Redirection
- Chunked Packing