Name of Training:
Practical Malware Analysis Bootcamp
A full description of the training:
In this program, participants will get to know the internals of malware, understanding its behavior, origins, and modes of infiltration. The session explores topics from the fundamental structure of PE files to advanced techniques seen in day-to-day malware analysis. You'll gain hands-on experience in dissecting malicious code and get familiar with the various tools used by malware analysts and reverse engineers. The session will cover the fundamental principles of malware analysis, guiding you through the identification and classification of various types of malware.
The training is designed to bridge the gap between entry-level and intermediate malware analysts. Participants will work hands-on with recent malware samples to get a good grasp of sophisticated evasion techniques.
Outline of the Class
Malware Introduction
- What is malware
- Identifying malicious or benign files
- Setting up a Lab for safe Malware Reversing
PE File Format
- Parsing PE files from headers to overlay
- Analyzing Import and Export Address Table (IAT and EAT)
Brief Introduction to Windows internals and API
- Windows Architecture
- Windows Kernel Objects and Handles
- Windows Data Structures Primer
Assembly Language Basics Refresher
- x86 Architecture Review with Stack Usage and General Opcodes
Static Malware Analysis
- Playing with Disassembly
- Recognition of Packed vs. Unpacked Malware
Malware Evasion Techniques
- Process Injection
- Process Replacement
- APC Injection
- DLL Persistence
- User-mode Rootkits
- Persistence using Windows Registry
- Lab
Anti-VM Techniques
- Detection using VM Configuration and Hardware
- MAC Address Checks and vulnerable instructions
- Lab
Anti-Disassembly Techniques
- Return Pointer Abuse
- Disassembler Assumptions
- Breaking stack frame Analysis
- Lab
Anti-Debugging Techniques
- Anti-Debugging through Windows API Calls
- Structure Matching
- TLS Callbacks
- Memory Scanning
- Lab
.NET Compiled Malware
- Overview of .NET Compiled Malware
- Utilizing dnSpy and Reading Decompiled Code
- Common Protections
Dynamic Malware Analysis
- Malware Sandboxes and their pros and cons
- Mapped and Unmapped PE Files
- Common Unpacking techniques
- Debugging through a malware sample
- Extracting the Payload from a Packed Malware Sample (Lab)
Writing Signatures for Detection and Hunting Purposes
- Pattern Matching and Using YARA for Threat Hunting
PREREQUISITES:
- Comfortable reading C code
- Basic understanding of the Windows environment
WHAT STUDENTS WILL BE PROVIDED WITH:
- Course material (pdf copy)
- Lab solution material
- Malware samples used in the sessions
- VM links to download
WHAT NOT TO EXPECT
- Reversing VMProtect/Themida or other commercially packed malware/software
- Malware Removal training