Reverse Engineering Malware Overview Training

Duration: 5 days

Introduction

In this course, you will learn how to do static malware analysis using a debugger and disassembler. Through controlled evaluation in the debugger, you will learn how to identify exactly what a malware specimen does and how it does it. After you have mastered the evaluation portion of the class, you will learn how to patch the specimen to make sections inactive, or crack the program to gain full access to areas that the malware developer has hidden or encrypted.

After completing this course, attendees will be able to:

Assembly language debugging fundamentals including

  • Conversion methodology from source code to assembly code
  • Intel CPU memory management and structures
  • CPU control flows and order of operations

Olly Debugger including

  • Tool Features
  • Stepping, Stepping Over and Running code
  • Useful Plug-ins and Add-ons
  • Breakpoint fundamentals and usage
  • Patching and assembling executables
  • Decrypting and decoding packed executables

Windows PE Header and Import Address Table fundamentals

Reversing DLL Malware

  • DLL malware run as an application
  • DLL malware installed as a service
  • DLL malware run through the services controller

Trivial unpacking and de-obfuscation techniques

O/S Concepts Regarding Reverse Engineering

  • Windows Architecture
  • Kernel vs User Mode
  • Layered O/S
  • Monolithic Kernel
  • Core Windows System Components
  • API (Win32 vs Native)
  • System Calls
  • Processes and Threads Review
  • Memory Management

PE File Format

  • PE Format Usage
  • File Types Using PE Format
  • DOS MZ Header
  • PE Header
  • Section Table
  • Sections
  • Windows Import Address Table

Static Analysis Process

Debuggers

  • Debugging Basics
  • How Debuggers Work
  • Debugging Features
  • Commonly Used Debuggers
  • User Mode Debugging
  • Remote Kernel Mode Debugging
  • Debugging API
  • Structured Exception Handling
  • Vectored Exception Handling
  • Single Stepping
  • Stepping Over
  • Software Breakpoints
  • Hardware Breakpoints
  • Reading and Writing Memory
  • Initial Breakpoint
  • Debugging and Security
  • Debugging Malware Versus Debugging Legitimate Apps

OllyDbg Overview

  • Main Code Section
  • Opcodes
  • Opcode Explanations
  • Comments Section
  • Info Bar
  • Registers Window
  • Dump Area
  • Stack Window
  • Support Windows (Breakpoints, CPU, Call Stack, etc.)

OllyDbg Plug-ins

Patching Executables

  • Applying Runtime Patches Lab
  • Patching Part 1 Lab
  • Patching Part 2 Lab

KeyGen Development

  • Key Generator Definition
  • Legitimate vs. Underground Key Generators
  • Studying How KeyGens Are Made
  • Writing Simulated KeyGens (Ethically)

Exploring Executable Modules

Static Malware Analysis

Data Obfuscation Malware Analysis

  • Simple XOR Encryption
  • Internal Obfuscation Methods
  • Reverse Engineering Obfuscated Malware

VM Detection Malware

  • IDT Methods
  • SGT Methods
  • VM Artifacts

Destructive Malware

  • Reversing and Dealing With Destructive Malware

Combining Behavioral and Static Malware Analysis

Anti-Debugging

  • Methods / Types
      • API-based
      • Exception-based
      • Process and thread blocks
      • Modified code
      • Hardware- and register-based: check for hardware breakpoints and CPU registers
      • Timing and latency: check the time taken for the execution of instructions

  • Thread Hiding
  • Self Debugging

Miscellaneous OllyDbg Plug-ins

  • OllyGraph
  • API Finder
  • Anti HW Breakpoints
  • Fader
  • Find Crypt
  • OllyStepNSearch
  • OllySnake
  • Polymorphic Breakpoint Manager

ANRC Process Injector Tool

Reversing Malicious DLLs

Simple Rootkit Walkthrough

Student Practical Demonstration

  • Using the tools, skills, and methodologies taught in days one through four of the class, you will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level as well as the threat level of the malware.
