HBFITES Data Center, Collaboration, Security, Storage, Wireless, Telepresence Training +91-9886770046 info@hbfites.com

IMA - Intermediate Malware Analysis

Description

Equipped with the Dynamic Malware Analysis knowledge from the Basic Malware Analysis course you're ready to adventure into more advanced malware topics by attending the Intermediate Malware Analysis course. During this five day course we'll show you how to do Static Malware Analysis using a debugger and disassembler. Since looking at assembly code in a debugger can be frustrating and almost impossible without a previous understanding of programming fundamentals and compiler operations we require that the students who attend this course have Assembly language knowledge or have completed our Assembly for Reverse Engineers course.

During the week of instruction we introduce you to the OllyDbg Debugger and IDA Pro Disassembler. Through controlled evaluation using the debugger we'll teach you how to identify exactly what the malware specimen does and how it's doing it. After you've mastered the evaluation portion of the class we'll teach you how to patch the specimen to make sections inactive or crack the program to allow full access to areas that have been hidden or encrypted by the malware developer.

Course Details:

  • 70% Labs, 30% Lecture using a mixture of real-world malware samples and simulated malware
  • Laptops are provided during the class
  • Students receive USB Flash drives of all malware and student labs

Objectives

Attending students will learn:

  • Assembly language debugging fundamentals including:
    • Conversion methodology from source code to assembly code
    • Intel CPU memory management and structures
    • CPU control flows and order of operations
  • Olly Debugger including:
    • Tool Features
    • Stepping, Stepping Over and Running code
    • Useful Plug-ins and Add-ons
    • Breakpoint fundamentals and usage
    • Patching and assembling executables
    • Decrypting and decoding packed executables
  • Windows PE Header and Import Address Table fundamentals
  • Reversing DLL Malware
    • DLL malware ran as an application
    • DLL malware installed as a service
    • DLL malware ran through the services controller
  • Trivial unpacking and de-obfuscation techniques

Prerequisites

You should possess knowledge of the following:

  • Attending students should have a thorough understanding of Microsoft Windows
  • Experience with VMWare software although not required would be beneficial
  • Basic knowledge and skills required to read Intel X86 Assembly
  • C Programming skills is recommended
  • PERL or Python scripting skills would be beneficial
  • Knowledge of networking protocols and Wireshark filtering is recommended

Who Should Attend

  • Threat operation analysts seeking to have a better understanding of malware
  • Incident responders who need to quickly address a system security breach
  • Forensic investigators who need to identify malicious software
  • Individuals who have experimented with malware analysis and want to expand their malware analysis techniques and methodologies
  • Students who have mastered Behavioral Malware Analysis and want to take the next step into reversing

Outline

  • O/S Concepts Regarding Reverse Engineering
    • Windows Architecture
    • Kernel vs User Mode
    • Layered O/S
    • Monolithic Kernel
    • Core Windows System Components
    • API (Win32 vs Native)
      • Base Services
      • Component Services
      • User Interface Services
      • Graphical and Multimedia Services
      • Messaging and Collaboration
      • Networking
      • Web Services
    • System Calls
      • Sys Call Types
        • Process control
        • File manipulation
        • Device manipulation
        • Information maintenance
        • Communications
      • Sys Call Rabbit Hole
    • Processes and Threads Review
    • Memory Management
      • Dynamic Loading
      • Dynamic Linking
      • Windows Memory Management Architecture
  • PE File Format
    • PE Format Usage
    • File Types Using PE Format
    • DOS MZ Header
    • PE Header
    • Section Table
    • Sections
    • Windows Import Address Table
  • Static Analysis Process
  • Debuggers
    • Debugging Basics
    • How Debuggers Work
    • Debugging Features
    • Commonly Used Debuggers
      • OllyDbg, WinDbg, IDAPro, KL, SoftIce
    • User Mode Debugging
    • Remote Kernel Mode Debugging
    • Debugging API
    • Structured Exception Handling
    • Vectored Exception Handling
    • Single Stepping
    • Stepping Over
    • Software Breakpoints
    • Hardware Breakpoints
    • Reading and Writing Memory
    • Initial Breakpoint
    • Debugging and Security
    • Debugging Malware Versus Debugging Legitimate Apps
  • OllyDbg Overview
    • Main Code Section
    • Opcodes
    • Opcode Explanations
    • Comments Section
    • Info Bar
    • Registers Window
    • Dump Area
    • Stack Window
    • Support Windows (Breakpoints, CPU, Call Stack, Etc)
  • OllyDbg Plug-ins
  • Patching Executables
    • Applying Runtime Patches Lab
    • Patching Part 1 Lab
    • Patching Part 2 Lab
  • KeyGen Development
    • Key Generator Definition
    • Legitimate Key Generators Versus Underground Key Gens
    • Studying How Keygens Are Made
    • Writing Simulated Key Gens (Ethically)
  • Exploring Executable Modules
  • Static Malware Analysis
  • Data Obfuscation Malware Analysis
    • Simple XOR Encryption
    • Internal Obfuscation Methods
    • Reverse Engineering Obfuscated Malware
  • VM Detection Malware
    • IDT Methods
    • SGT Methods
    • VM Artifacts
  • Destructive Malware
    • Reversing and Dealing With Destructive Malware
  • Combining Behavioral and Static Malware Analysis
  • Anti-Debugging
    • Methods / Types
      • API-based
      • Exception-based
      • Process and thread blocks
      • Modified code
      • Hardware- and register-based: check for hardware breakpoints and CPU registers
      • Timing and latency: check the time taken for the execution of instructions
    • Thread Hiding
    • Self Debugging
  • Misc Olly-Dbg Plug-ins
    • OllyGraph
    • API Finder
    • Anti Anti HW Breakpoints
    • Fader
    • Find Crypt
    • OllyStepNSearch
    • OllySnake
    • Polymorphic Breakpoint Manager
  • ANRC Process Injector Tool
  • Reversing Malicious DLLs
  • Simple Rootkit Walkthrough
  • Student Practical Demonstration:
    • Using the tools, skills, and methodologies taught in Days 1 through 4 of the class students will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level as well as the threat level of the malware.

    Lab Outline

  • Day 1
    • Lab 1 (Visualizing User vs Kernel Mode)
    • Lab 2 (Process Explorer Usage)
    • Lab 3 (Memory Mapping Processes)
    • Lab 4 (OllyDbg Basic Operations)
    • Lab 5 (OllyDbg Breakpoints)
    • Lab 6 (OllyDbg Call Stack Framing)
    • Lab 7 (Assembly Identification 1)
    • Lab 8 (Assembly Identification 2)
    • Lab 9 (PE Header Corruption)
    • Lab 10 (Debugging an Application)
  • Day 2
    • Lab 1 (OllyDbg Applying Runtime Patches)
    • Lab 2 (Exploring Executable Modules)
    • Lab 3 (Patching Part 1)
    • Lab 4 (Patching Part 2)
    • Lab 5 (Keygen Assignment Part 1)
    • Lab 6 (Keygen Assignment Part 2)
    • Lab 7 (Static Malware Analysis Malware Sample 1)
  • Day 3
    • Lab 1 (VMWare Detection Lab)
    • Lab 2 (Malware Specimen 2 Analysis)
    • Lab 3 (Malware Specimen 3 Analysis)
    • Lab 4 (Malware Specimen 4 Analysis)
  • Day 4
    • Lab 1 (Anti-Debugging Malware Specimen 1)
    • Lab 2 (Anti-Debugging Malware Specimen 2)
    • Lab 3 (Anti-Debugging Malware Specimen 3)
    • Lab 4 (Anti-Debugging Malware Specimen 4)
  • Day 5 - Student Practical Demonstration:
    • Using the tools, skills, and methodologies taught in Days 1 through 4 of the class students will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level as well as the threat level of the malware.