CanSecWest: Security Masters Dojo Vancouver
Introduction to Malware AnalysisRegister for March 8-9 Course:
Introduction to Malware Analysis
Security researchers are facing a growing problem in the complexity of malicious executables. While dynamic black-box automation tools exist to discover what malware will do on a given execution, it is often important for an analyst to know the full capabilities of a given malware sample. What port does it listen on? What password does it expect for backdoor access? What files will it write to? What will it do tomorrow that it didn't do today?
This class will focus on teaching attendees the steps required to understand the functionality of given malware samples.
This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in understanding the analysis process.
Key Learning Objectives:
- x86 Assembly language
- PE File format
- API functions often used by malware
- Basic Anti-analysis tricks and how to defeat them
- A methodology for analyzing malware with and without the use of specialized tools
General Learning Objectives:
- An understanding of how to use reverse engineering tools
- An understanding of low-level code and data flow
- An understanding of why malware authors use packers
- An understanding of how common packers work
- Strong grasp on how to effectively return obfuscated malware to an analyzable state
- Combination of lecture and lab. Labs will be interspersed with lectures and will include both group and individual work.
PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.
What to Bring:Attendees must bring their own laptop with a 32-bit version of Microsoft Windows XP (SP2 or SP3), Windows Vista, Windows 7, or Windows 8 installed inside of a virtual machine. The host system should be configured to access the Internet via conference-provided wireless Internet access. Attendees are expected to have the following software installed in their virtual machine prior to the first day of the course:
- API Imports/Exports Viewer - Dependency Walker
- API Logger - API Monitor
- Debugger - OllyDbg 2.0
- Disassembler - IDA Pro
- Hex Editor - 010 Editor
- Import Table Reconstructor and Memory Dumper - Import REConstructor
- Packer Detector - Exeinfo PE
- PE Editor - LordPE
- Resource Monitor - Process Monitor
- Strings Dumper - BinText
PrerequisitesThis class is for security analysts who wish to learn how to statically and dynamically analyze malware to understand its functionality. Previous experience is not required with reverse engineering or Windows internals, though some programming knowledge is preferable. Attendees should be comfortable in the Windows environment.
MaterialsAttendees will be presented with the following materials to be used and referenced throughout the duration of the course:
- Notebooks containing lecture slides and worksheets.
- CDs containing various software tools and reference material.
Course Schedule:Day One
- Administrivia and Background Information
- Dynamic Analysis vs. Static Analysis
- Windows Internals
- Code and Data Flow on x86 Systems
- x86 Assembly Language
- PE File Format
- Analyzing malware with IDA Pro
- Analyzing malware with OllyDbg
- Exploits and Shellcode
- Malware Deobfuscation