Abhijit Mohanta / Ashwin Vamshi - Demystifying Malware Reverse Engineering 4 DAY early $2,000

$2,000.00


Trainer(s) bio:

Abhijit Mohanta is a security researcher with 15+ years of experience in the industry, specializing in malware analysis and detection engineering. He is the author of the books “Malware Analysis and Detection Engineering” (Apress/Springer) and “Preventing Ransomware” (Packt). He is co-founder and CTO of Intelliroot. He has worked as a malware researcher at organizations including Uptycs, Juniper, McAfee and Symantec, and has contributed to the development of antivirus, EDR and sandbox products. He holds multiple patents and has contributed tools such as YaraEDR and InjectedCodeHunter to the cybersecurity community. He has spoken at conferences such as AVAR (Anti-Virus Asia Researchers) and has provided training at NASSCOM and other organizations across India. He has also authored several blogs for the organizations he has worked for, and has contributed to the MITRE ATT&CK framework (ID: S0670).
 
Ashwin Vamshi is a security researcher with an innate interest in APTs, targeted attacks, identifying threat actors, mapping their TTPs, and researching malware that attracts high media attention. He loves playing with complex data to find the needle in a haystack. He has more than a decade of experience in areas related to antivirus, firewalls, IDS/IPS, web categorization, sandboxes, heuristic engines, threat intelligence, EDR and cloud security. His research on cyber attacks and threats has been quoted in several infosec magazines and online media portals.

Trainer(s) social media links:


Twitter: abhijit_mohanta
LinkedIn: https://www.linkedin.com/in/abhijitmohanta/ / https://www.linkedin.com/in/ashwinvamshi/
YouTube: https://www.youtube.com/channel/UCPnic_-cpC8b_-t9vvc_Rtw

Short description of the class:

Note: To facilitate learning and provide an enriched outcome, the prerequisite material required for the program is provided free of cost, through an online portal, to all students enrolled in the program. Access to the portal is granted from the day of payment and enrollment. We believe this gives students better insight and lets them go through several iterations to gear up for the intermediate and advanced modules of the course.

This inspiration came from the following quote:

Do your homework and know your facts, but remember it's passion that persuades.
  H. JACKSON BROWN, JR.

Alongside this, all attendees who have paid for this training get 1 year of portal access, which contains the following content:

● 35+ hours of recorded videos
● 5 hours of prerequisite videos, including assembly language
● 80% lab exercises
● 50+ concepts
● 50+ samples that contain malware and simulated samples
● Easier and quicker learning with animated videos to demonstrate concepts
● Custom samples exhibiting a single technique to learn and understand debugging
● Detailed lab exercises to hone reverse engineering skills
 
The training “Demystifying Malware Reverse Engineering Made Easy” is aimed at deconstructing the process of reverse engineering Windows malware. This training delves into the intricacies of modern malware, which is becoming increasingly sophisticated with tactics such as credential theft, ransomware encryption, POS malware, and evasive techniques. Traditional static and dynamic analysis, as well as memory forensics, often fall short in identifying these complex techniques. Reverse engineering therefore becomes the essential skill for uncovering the malware's inner workings at the code level.

Focusing on reverse engineering malware on the Windows platform, this training caters to both beginners and experienced professionals. It covers a wide range of topics, including the various programming languages used in malware, diverse packing and armoring techniques, malicious tactics such as code injection, process hollowing and rootkits, and the building blocks of malware detection.

The course elevates students' skills beyond traditional malware analysis, empowering them to delve deeper into malware and contribute to the enhancement of anti-malware products like EDR and antivirus. Students will learn to reverse engineer different malware families, including ransomware, stealers, and Remote Access Trojans (RATs), written in languages like .NET, C, and C++. Tools such as Ghidra (NSA), IDA Pro, OllyDbg, Process Hacker, and more will be used effectively. Complex concepts like code injection and API hooking are explained using animations for better visualization, while numerous lab exercises allow students to apply theory to real-world scenarios. The course also covers the prerequisites for reverse engineering, helping even those who are new to reverse engineering but passionate about it to grasp the concepts.
Prerequisite Knowledge
● Students should have prior knowledge of static and dynamic analysis of Windows malware.
● Basic understanding of C programming
● Should be comfortable with the function keys on their keyboard, as those are frequently used as shortcuts for debugging
● Recommended book: “Malware Analysis and Detection Engineering” (Apress/Springer, by Abhijit Mohanta and Anoop Saldanha)


Training outline and agenda

Prerequisite Module - Quick recap (1 hour)
This module provides a quick recap and revision of the basic modules, which are provided free of cost from the date of the student's enrollment.

The course then proceeds with the reverse engineering modules as follows:
Day 1
Module 1. Disassembly walkthrough (1 hour)

The module focuses on reading disassembly and deriving meaning from it. The module covers the following concepts:
● Read code listings in a disassembler and a debugger
● Identify local variables and global variables
● Identify functions and their parameters
● Identify arrays and structures
● Identify complex data structures like arrays of structures and linked lists

Module 2 - Windows Internals part 1 - Windows API Internals (1 hour)

Windows malware implements its malicious techniques with the help of APIs, so one needs to understand how to analyze API usage. An understanding of API internals also helps in understanding how detection techniques are developed and how malware evades detection. The module covers the following concepts:
● Referencing API documentation
● How to read API parameters
● Analyzing parameters passed as structures
● API variations: Nt versions, ASCII and Unicode versions
● Understanding the API call flow from user mode to the kernel (syscalls), a concept useful in analyzing malware, EDR bypass techniques and API hooking
● Identifying API sequences in malware code to identify the techniques employed by the malware


Module 3 - Windows Internals - part 2 - Common API sequences in Malware (1 hour)

Covers commonly seen API sequences across all kinds of malware. Knowing these common API sequences accelerates reverse engineering, since they recur across most malware and do not need to be re-analyzed each time. The module covers the following concepts:
● Process iteration
● File iteration
● API resolution
● Resource extraction
● Registry manipulation
● Threads

Module 4 - Windows Internals - part 3 - Debugging DLLs, COM Objects, Services, PEB (1 hour)

Learn techniques to debug programs that cannot be debugged as straightforwardly as an EXE. The module covers the following concepts:
● Debugging DLLs
● Debugging COM objects
● Debugging Windows services

Module 5 - Cryptography in Malware (1 hour)

Cryptography is used by malware to hide its own data and, most prominently, in ransomware. Understanding the topic helps you debug ransomware. The module covers the following concepts:
● Understand and debug the Windows Cryptographic API
● Identify crypto algorithms in malware

Module 6 - Compilers used by Malware (30 minutes)

Compilers play a critical role in generating both legitimate and malicious binaries. They inject specific code into compiled binaries, presenting unique challenges for reverse engineering. With various compilers available for different programming languages, understanding how to reverse engineer binaries produced by different compilers is essential. This knowledge facilitates the creation of static signatures for malware and helps in identifying compiler-inserted code, ultimately saving reverse engineering time. The module covers the following concepts:
● Identify the compiler used to build the malware
● Identify the compiler stub
● Identify main in VC++ binaries

Q&A session (30 minutes)
Day 2

Module 7 - Malware Network Analysis (1 hour)

All kinds of malware use the network to communicate with the CnC and exfiltrate data to the attacker. The module covers the following concepts:
● Basic concepts like network byte order (endianness) and related APIs like htons
● Understand socket APIs and HTTP APIs
● Locating DGA algorithms
● Identify lateral movement APIs


Module 8 - Packers and Unpacking (4 hours)

Malware uses packers to protect executables from the static file detection used by antivirus. The packer hides the actual functionality of the malware; to understand that functionality, one needs to unpack the binary and extract the actual payload. The module teaches various tricks to unpack malware using a debugger and other tools. Note: Some of the tricks explained are not available on the internet. The module covers the following concepts:
● Understand packers and the process of packing binaries
● Steps and code involved in packed binary execution
● Unconventional and undocumented ways to unpack malware
● A systematic way to reverse packed binaries rather than just putting breakpoints on some APIs

Q&A session (1 hour)
Day 3
Module 9 - Code Injection (1 hour 30 minutes)

Malware uses code injection to conceal its actual functionality by injecting code into clean processes. Code injection is further used in concepts like API hooking, which in turn is used by rootkits as well. The module covers the following concepts:
● Conventional code injection techniques like shellcode injection and DLL injection
● Advanced techniques like thread hijacking, sections and views, and process hollowing
● Learn tricks to debug both the injector and the injected code

Module 10 - API Hooking part 1 (1 hour)

API hooking is a method of modifying the functionality of a process by manipulating APIs in memory. The concept is used by anti-malware software as well as by malware; in particular, API hooking is used by banking trojans and rootkits. In this module, one learns how hooks work and how to recognize them in disassembly. The module covers the following concepts:
● Types of API hooks, inline hooking and IAT hooking, and how they work
● Identifying and debugging hooks

Module 11 - Rootkits - part 1 - User Mode Rootkits (1 hour)

Malware uses rootkits to hide artifacts like files and processes. Rootkits can be user mode or kernel mode. The module covers the working of user mode rootkits and their analysis. The module covers the following concepts:
● Use of API hooks in rootkits
● Disassembly analysis of a user mode rootkit

Module 12 - Rootkits - part 2 - Kernel Driver Basics (30 minutes)

Kernel mode rootkits are implemented as kernel drivers. The module explains the working of kernel drivers and teaches how to debug them. Only the basics are covered, which are enough to kickstart the analysis of kernel drivers. The module covers the following concepts:
● Basic concepts of Windows drivers: driver objects, IRPs, IOCTLs

Module 13 - Rootkits - part 3 - Kernel Debugging (1 hour)

In this module, we debug a kernel rootkit. The module covers the following concepts:
● Configuring WinDbg for remote kernel debugging
● Breaking at the entry point of kernel drivers
● SSDT rootkit concept
● DKOM rootkit concept
● Debug a DKOM rootkit

Q&A session (1 hour)

Day 4
Module 14 - .NET Reverse Engineering (1 hour 30 minutes)

A lot of malware today is known to use .NET. In this module, one learns various approaches to reverse engineer .NET malware. The module covers the following concepts:
● Basic working and analysis of .NET executables
● Debugging .NET binaries
● Unpacking and deobfuscating .NET binaries


Module 15 - Golang Malware Reverse Engineering (30 minutes)

There is a growth in malware written in golang. In this module, one learns to analyze golang-compiled binaries. The module covers the following concepts:
● Basics of golang binaries
● Reverse engineering golang binaries

Module 16 - Anti-Analysis / Evasion techniques in malware (1 hour)

Malware uses anti-analysis techniques to evade analysis and to evade security software like EDRs, antivirus and sandboxes. In this module, one learns about these anti-analysis techniques and how to locate and bypass them during analysis. The module covers the following concepts:
● Anti-VM
● Anti-Debug
● Sandbox evasion
● EDR and endpoint evasion

Module 17 - Payload part 1 - Generic Concepts (1 hour)

There is a wide variety of malware today, including ransomware, stealers, wipers, POS malware, RATs, etc. They employ various techniques like credential harvesting, keylogging, memory scanning, etc. The module covers the identification of these functionalities in disassembly. It can help you learn how these techniques work, which can be used to enhance the detection features of anti-malware products. The module covers the following concepts:
● Identification of ransomware techniques
● Identification and analysis of keylogging code
● Identification and analysis of stealer code targeting browsers
● Identification of code related to taking screenshots, controlling the webcam, etc.
● Identification of POS stealing code

Module 18 - Payload part 2 - Case Studies (1 hour 30 minutes)

The module covers case studies of some malware families and debugs them. The module covers the following concepts:
● Debugging of real ransomware
● Tricks to debug real POS malware
● Analysis of infostealer malware

Module 19 - Building Blocks of Malware Detection (30 minutes)

This is a bonus module that talks about the building blocks of malware detection technologies. Only basic concepts, with some reference to open source code, are covered. The module helps those who want to learn about the inner workings of anti-malware technologies like EDR, antivirus and sandboxes. Additionally, it helps in understanding the evasion techniques used by malware and red teamers. The module covers the following concepts:
● Static file scanning, including how to optimize static file detection and avoid false positives
● Behavior detection
● Event Tracing for Windows (ETW)
● Antimalware Scan Interface (AMSI)
● Memory scanning
● Use of API hooking in malware Detection


Q&A session (1 hour)
Note - We have extended this session by another 30 minutes, as this is the last day of the course
 
 
Difficulty Level:

Intermediate


Hardware/Software Requirements


Students should bring the following to the training:
- VMware Workstation/VirtualBox preferred (VMware Player is not recommended)
- Guest OS: Windows 10 64/32-bit or Windows 7 32/64-bit
- 16 GB RAM preferred, with at least 4 GB of RAM allocated to the guest OS
- Minimum 100 GB of free hard disk space for snapshots (SSD preferred for better performance)
- List of tools to be installed inside the guest Windows OS:
  ○ Ghidra - https://ghidra-sre.org/ (dependency)
  ○ IDA Free (Windows) - https://hex-rays.com/ida-free/
  ○ OllyDbg 2.0 - https://www.ollydbg.de/version2.html
  ○ dnSpy - https://github.com/dnSpy/dnSpy/releases (dependency: .NET Framework)
  ○ x64dbg - https://x64dbg.com/
  ○ OllyDbg/x64dbg plugins - OllyDumpEx, ScyllaHide
  ○ CFF Explorer - https://ntcore.com/?page_id=388
  ○ PEiD - https://www.ollydbg.de/version2.html
  ○ Process Hacker - https://processhacker.sourceforge.io/
  ○ APIMiner - https://github.com/poona/APIMiner
  ○ xLogger - https://github.com/d35ha/xLogger/releases
  ○ An additional list of tools will be provided to students once they enroll for the training. After installation, verify that the tools, especially Ghidra and dnSpy, run properly.

What Students Will Be Provided With
- Course video material for 1 year
- Samples used in the lab
- Detailed videos of the lab exercises


Student Takeaways
The training is focused on reverse engineering, taking into account the diversity of today's malware. Students of this course will benefit by learning the following:
● Learn to read disassembly to identify various code components
● Effectively use the free tools Ghidra, IDA Freeware, OllyDbg and x64dbg, and combine them for better results
● Learn to debug EXEs, DLLs, Windows services, COM objects and kernel malware
● Reverse engineer malware binaries compiled in .NET, golang and C++
● Learn to identify and analyze important functionalities in ransomware, RATs, stealers and other malware families
● Learn to identify various techniques in malware disassembly, including cryptography, lateral movement, rootkits, API hooks and code injection
● Learn a variety of unpacking techniques

DATE: August 12th-15th, 2024

TIME: 8am to 5pm PDT

VENUE: Sahara Las Vegas

TRAINER: Abhijit Mohanta / Ashwin Vamshi

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before July 1st; the processing fee is $250.

Trainings are non-refundable after July 10th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.