
DEF CON Training
Abhijit Mohanta - Malware Reverse Engineering made easy $2,000
Name of training:
Malware Reverse Engineering made easy:
A simplified approach to reverse engineering Windows malware.
Trainer bio:
Abhijit Mohanta is a security researcher with 15+ years of experience in the industry, specializing in malware analysis and detection engineering. He is the author of the books “Malware Analysis and Detection Engineering” (Springer Apress) and “Preventing Ransomware” (Packt). He is co-founder and CTO of Intelliroot. He has worked as a malware researcher with organizations including Uptycs, Juniper, McAfee and Symantec, and has contributed to the development of antivirus products, EDRs and sandboxes. He holds multiple patents and has contributed tools such as YaraEDR and InjectedCodeHunter to the cybersecurity community. He has been a speaker at conferences such as AVAR (Anti-Virus Asia Researchers) and has provided training at NASSCOM and other organizations across India. He has also authored several blogs for the organizations he has worked for, and has contributed to the MITRE ATT&CK framework (ID: S0670).
Trainer(s) social media links:
Twitter: abhijit_mohanta
Linkedin: https://www.linkedin.com/in/abhijitmohanta/
Class description:
The training “Malware Reverse Engineering made easy” is aimed at simplifying the process of reverse engineering Windows malware. The training starts with the basics of computer architecture, assembly language, code compilation, PE file formation and Windows internals, which are the bare essentials for reverse engineering and hence helpful for students who are just starting with the subject. The training demonstrates the various techniques employed to develop Windows malware, spanning the compilers used to build malware code, encryption algorithms, packers, API hooking and code injection. Students will not only learn about these techniques but will also learn to debug them throughout the training. It also covers reverse engineering of stealers, ransomware, RATs and other malware families. Concepts such as identifying compiler stubs, crypto algorithms and API sequences, which help accelerate the reverse engineering of malware, are covered in the training. Undocumented techniques for manually unpacking unknown packed malware are also part of the training. The learning process is enhanced by using animations instead of large amounts of text, which help participants visualize concepts such as assembly instructions, stack frames, the PE file, code injection and hooking. The training has many hands-on lab exercises and demos using simulated samples and real malware. Students will learn to use tools such as Ghidra, IDA Pro, OllyDbg and x64dbg proficiently.
Class Outline:
Day 1 - Computer Architecture, Assembly, Windows Internals
Introduction and Lab Set-Up
- Lab Configuration
- Virtual machine best practices
- Tool installation and basic testing
- Setting up honeytrap for Ransomware, stealers and banking trojans
- Demo - Honeytrap setup
Computer architecture, Assembly and Windows Internals
- x86/x64 Architecture and assembly
- ASM instructions with labs - data movement, string, mathematical, etc.
- Recognizing Calling convention, Function Call, Stack Frame
- Recognizing variables, arrays, structures, conditions, loops in disassembly
- Manual de-compilation - writing pseudocode for disassembly
- Hands-on Lab - Reading disassembly; identifying data types, code constructs, functions and loops
PE File format
- Forward Engineering - Code compilation, PE file formation
- Important PE fields and mapping of PE to Virtual Memory
- Demo - Code compilation and PE memory mapping using process hacker
Windows Internals for Malware Analysts
- Windows OS basics and process attributes
- Dissecting Windows API
- Analyzing structures passed to Windows APIs
- Variations in Win32 APIs: ASCII, Unicode and NT APIs
- Flow of a Windows API call from user code to the kernel
- API sequencing - identifying and correlating multiple APIs and mapping them to techniques such as registry modification, CnC communication, etc.
- Hands-on Lab - Identify parameters and structures in Windows APIs, trace API flow using a debugger, API sequencing
Exploring Code with IDA, Olly and Ghidra
- Exploring advanced debugger features such as XRefs, code tracing and the decompiler; analyzing code with IDA, Ghidra, OllyDbg and x64dbg
- Identifying important pieces of code using Ghidra and IDA
- Hands-on Labs - Exploring debugger, decompiler and disassembler features and identifying important code
Compiler Stub
- VC++, VB and .NET compiler stubs
- Finding WinMain() in VC++ stubs
- Hands-on Lab - Find WinMain() in compiler stubs
Commonly seen API sequences
- Thread Creation, Registry manipulation, Access PE resource, Process Iteration
- Debug Multithreaded application, windows Service
- Hands-on Lab - Debug Windows Service and threads
Cryptography in Malware
- Common cryptographic algorithms used in malware and their implementation
- Identification of Crypto Algorithms
- Windows Crypto Library
- Hands-on Lab- Identifying Crypto Algorithms
Day 2 - Unpacking, Code injection, Hooking and Rootkits
Packers and Unpacking
- Understanding Packing process
- Identify packers
- Understanding execution flow of packed executables
- Manual Unpacking of known and unknown packers
- Known and Undocumented tricks to manually Unpack
- Techniques to Identify Original Entry Point (OEP)
- Demo - Packer Creation, Packer identification, execution
- Hands-on Lab - Manual unpacking of known and Unknown packers
Code injection and Hollowing
- Understand various code injection techniques and tricks to debug them
- Process Hollowing
- Debugging injector and target (injected) process
- Exploring API and techniques used in Code injection and Hollowing - section, views, thread hijacking
- Hands-On Lab - Debugging injector and target (injected process).
API hooking and Rootkits
- Types of API Hooking - inline, IAT and trampoline
- Debugging API hooks
- Debugging banking trojan with fake browser
- Types of Rootkits on Windows
- User and Kernel Mode rootkits
- Static analysis of Kernel rootkits
- Demo - inline hooks, IAT hooks, Rootkits to hide processes and files
- Hands-on Lab - Debugging hooks
Evasion in Malware
- Anti-Debugging, Anti-VM, Anti-Sandbox and how to patch them
- Patching anti-techniques
- Hands-on Lab - Code analysis of Anti-techniques in malwares
Payload analysis and malware Classification
- Malware classification
- Disassembly analysis of Ransomware, Stealers, RAT, keyloggers, ATM malwares
- Hands-on Lab - analysis of Ransomware, RAT, stealers, Keyloggers
Difficulty Level: Beginner, Intermediate
Prerequisite Knowledge:
- Students should have prior knowledge of Static and Dynamic Analysis of Windows Malware.
- Basic understanding of C programming
- Should be comfortable with the function keys on their keyboard, as those are frequently used as shortcuts for debugging
- Recommended Book: “Malware Analysis and Detection Engineering” (Apress/Springer publication by Abhijit Mohanta and Anoop Saldanha)
Hardware/Software Requirements
Students should bring the following to the training:
- VMWare Workstation/VirtualBox preferred
- Big NO to VMware Player
- Guest OS: Windows 10 64-bit
- 16 GB RAM preferred with at least 4 GB of RAM allocated to the guest OS
- Minimum free space of 100 GB of hard disk for snapshots
- SSD hard disk preferred for better performance
- List of tools to be installed inside the guest Windows OS
○ Ghidra - https://ghidra-sre.org/ (dependency)
○ IDA Free(windows) - https://hex-rays.com/ida-free/
○ Ollydbg 2.0 - https://www.ollydbg.de/version2.html
○ dnSpy - https://github.com/dnSpy/dnSpy/releases (dependency: .NET Framework)
○ x64Dbg - https://x64dbg.com/
○ Ollydbg/x64Dbg plugin - OllyDumpEx, ScyllaHide
○ CFF explorer - https://ntcore.com/?page_id=388
○ PEiD - https://www.ollydbg.de/version2.html
○ Process Hacker - https://processhacker.sourceforge.io/
○ APIMiner - https://github.com/poona/APIMiner
○ xLogger - https://github.com/d35ha/xLogger/releases
○ An additional tools list will be provided during the training. After installation, verify that the tools, especially Ghidra and dnSpy, run properly.
What Students Will Be Provided With
- Course material in form of PDF
- Samples used in the lab
- Videos of Labs
Student Takeaways
- Students will learn to read and debug disassembly
- Students will learn to identify variables, structures, calls and loops in disassembly
- Students will learn to write pseudocode from disassembly
- Students will learn to debug code injection, process hollowing and API hooks
- Students will learn to identify important APIs, crypto algorithms and anti-analysis techniques in malware
- Students will learn to unpack known and unknown packers
- Students will learn to use IDA, Ghidra, OllyDbg and x64dbg
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Abhijit Mohanta
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; the processing fee is $250.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
DEF CON Communications, Inc.
1100 Bellevue way NE
8A-85
Bellevue, WA 98004