Reverse Engineering Malware
Instructor:
Nicolas Brulez
Dates:
29 January to 01 February 2018
Capacity:
16 Seats
Price:
2900 EURO before January 1,
3500 EURO after.
Learn how to unpack and Reverse-Engineer malware in this 4-day class.
Covered Topics: Unpacking, Static and Dynamic Analysis, IDA Python and Targeted Attacks.
Day 1: Manually unpacking Malware
During the first day, students will focus on unpacking files manually in order to get working executables. Most famous packers will be covered in order to introduce various techniques that can be used on unknown packers. Also known as: How to unpack properly. Once completed, students will work on “malicious packers” and learn how to unpack samples of famous malware families. Nowadays, malware uses custom polymorphic packers to slow down analysis and thwart detection.
Day 2: Static Shellcode Analysis and IDA Primer
The second day focus on extracting shell codes from malicious documents and to reverse engineer them statically. The day focuses on tricks and shortcuts to use in IDA Pro for efficient static analysis, as well as introduction to IDA Python scripts used to speed up static reverse engineering.
A special approach to handle import by hash will be presented to the students, which can be used in many other scenarios.
Day 3-4: APT Reverse Engineering
Using the information learned in the first two days, students will work on several APT samples.
The goal of those two days is to be able to identify the actions of the threats, to be able to document their features and understand how they interact with C&C servers to receive commands.
INTENDED AUDIENCE
This class is intended for students who have been working with malware and doing reverse engineering in the past. Professionals doing Forensics Investigations, Incident Response, Malware Analysis can benefit from the course as long as they have the prerequisites listed below.
CLASS REQUIREMENTS
Level: medium and advanced
Prerequisites
- Students should be familiar with Debugging and IDA Pro; The class is not an introduction to reverse engineering.
- Students should be familiar with Assembly; We won’t cover assembly basics during the class.
- Students should have a laptop with required software installed before attending the class.
- Students should be familiar with VMware Workstation (or the VM of their choice).
Minimum Software to Install
- Legit version of IDA Pro (latest version preferred as the instructor uses the latest version)
- Virtual Machine with XP SP3 installed (to avoid troubleshooting tools problems during the class)
- OllyDbg
- Python 2.7 should be installed in both the host and on the guest machine.
- PE Editor (eg: LordPE or your favorite PE editor)
- Hex Editor (eg: Hiew of your favorite hex editor)
- Import Reconstructor/fixer: Imprec, Universal Import Fixer 1.2
- PEID
BIO
Over the last 16 years, Nicolas has authored numerous articles and papers on reverse engineering and presented at various security conferences such as RECON, ToorCon, SSTIC, Virus Bulletin, Hacker Halted, RuxCon, TakeDownCon, Pacsec etc.
TO REGISTER
Click here to register.