ADVANCED MALWARE REVERSE ENGINEERING

Instructors: Nicolas Brulez
Dates: May 30-June 2 2022
Location:  Hotel Monville
Capacity: 25 Seats

This 4 days course is a hands on training. We are going to reverse engineer samples and code our own scripts. A minimum number of slides will be provided when methotology is needed, but students will "learn by doing".

 

Class Outline

Day 1 Unpacking + Unobfuscation using IDA Pro processor extension plugins (nanomites)

• - During the first day, students will focus on unpacking files manually in order to get working executables.
• - Students will learn unpacking on packers written by the instructor to teach various kind of protections (nanomites, import protection etc)
• - We will write IDA processor extension plugins to remove nanomites and create fully working executables and how to write plugins to remove code obfuscation

Day 2 Unpacking Malwares : Emotet, Grandcrab, Guloader etc

• - On the second day, we are going to work on unpacking malware including: Emotet, GrandCrab (NTcrypt packed) , Paradise ransomware, GuLoader and more.
• - Generic techniques will be presented as well as writing scripts to help you in your unpacking journey.

Day 3 Advanced Malware Analysis : Symbolic Execution , IDA Python Scripting etc

• - Once the samples are unpacked, the next step is to perform Reverse Engineering. The second day focuses on analyzing malicious code.
• - Very often the imports are done dynamically using hashes and other techniques to obfuscate the code.
• - We are going to see how to handle import by hash by writing our own tools to generate enums and handle them fast.
• - We will write various scripts to speed up analysis of malicious code in IDA Python.
• - We are going to see how symbolic execution (ANGR framework) can be used to automate string decryption inside malwares, instead of reprogramming the full decryption algorithms.
• - Among the samples studied, we will work on the infamous CONTI ransomware as an example of automated string decryptions.
•  

Day 4 APT Reverse Engineering

• - Using the information learned in the first three days, students will work on several APT samples.

WHO SHOULD ATTEND?

This class is intended for students who have been working with malware and doing reverse engineering in the past. Professionals doing Forensics Investigations, Incident Response, Malware Analysis can benefit from the course as long as they have the prerequisites listed below.

Class Requirements

Prerequisites:

Students should be familiar with Debugging and IDA Pro: The class is not an introduction to reverse engineering. Students should be familiar with Assembly: We won't cover assembly basics during the class

Students should have a laptop with required software installed before attending the class.

Software requirement:

- Legit version of IDA Pro >=7

- Virtual Machine with windows 10 installed

- x64dbg

- Python 3

- PE Editor of your choice

- Hex Editor or your choice

- FASM assembler

Bio

Nicolas Brulez is the founder (2020) and CEO of HEXORCIST, a company that specializes in providing reverse engineering and malware analysis training. Prior to that, he worked for eight years as Principal Malware Researcher in the Global Research and Analysis Team at Kaspersky and was leading the Malware analysis reversing classes. Nicolas also worked as a senior virus researcher for Websense Security Labs where he conducted malware Reverse Engineering and programmed generic unpacking tools. He is also a co-author of the Armadillo Protection system. Over the past 20 years, Nicolas has authored numerous articles and papers on reverse engineering and virus analysis. He was the only instructor at the first RECON conference in 2005 and is still teaching there more than 15 years later. As well as RECON, Nicolas has presented at Pacsec, ToorCon, SSTIC, Virus Bulletin, Hacker Halted, RuxCon, TakeDownCon etc.

To Register

Click here to register.