SHACK

Malware Reverse Engineering

Instructor

Joxean Koret

Joxean Koret has been working for more than 15 years in many different computing areas. He started as a database software developer and DBA for a number of different RDBMS. Afterwards he got interested in reverse engineering and applied this knowledge to the databases he was working with, discovering dozens of vulnerabilities in products from the major database vendors, especially in Oracle software. He has also worked in other security areas, such as malware analysis and anti-malware software development for an antivirus company, and on developing IDA Pro at Hex-Rays. He is a co-author of "The Antivirus Hacker's Handbook" and maintains various open source projects, including Diaphora. He is currently a security engineer at Activision.

Training Dates

24 - 27 March 2019

Description

This course provides effective knowledge and hands-on experience in basic malware analysis. It introduces current and relevant techniques that will prepare students to become proficient malware researchers, making heavy use of IDA Pro.

Course Outline

  • Introduction to malware
  • Windows fundamentals
  • Executable file formats (PE)
  • Introduction to reverse engineering
    • Introduction
    • Tools & setting up a reverse engineering lab
    • Brief introduction to graph theory
    • Static Analysis: from C to assembler
    • Manual Code reconstruction: from (any) assembler to C
  • Unpacking
    • Static unpacking
      • IDAPython
      • Hands-on with various malware samples
    • Dynamic unpacking
      • Manual reconstruction, IDAPython batch automation, VMs, memory dumping and analysis, Volatility, ...
  • Anti-debugging techniques
    • Windows and Linux
  • Obfuscation and deobfuscation
    • JavaScript
    • Intel x86
  • Function hooking
    • How to write a simple sandbox based on user-land hooks
  • Malware clustering and indexing
    • Basic malware clustering
    • Basic malware indexing
    • Writing an in-house malware clustering and indexing tool

Course Requirements

Student Requirements

  • Knowledge of C
  • Knowing some assembly language (x86, ARM, ...) is an advantage but is not required

Hardware Requirements

  • Laptop with Ubuntu installed

Software Requirements

  • Microsoft Windows as a VM
  • Legal version of IDA (7.0 or higher)