Practical Malware Analysis

Sam Bowne

SCOREBOARD

Scores from BSidesLV 2017
Scores from DEF CON 25 (2017)
Scores from CactusCon 2017

Learn how to analyze malware, including computer viruses, trojans, and rootkits, using disassemblers, debuggers, and static and dynamic analysis with IDA Pro, OllyDbg, and other tools.

Familiarity with programming in C and assembler is helpful but not necessary.

Setup

All the projects run on a single Windows Server 2008 machine.
You can run it locally on VMware or VirtualBox, or in the cloud with NETLAB.

Local Hosting

Hypervisors

VMware Player (for Windows hosts, free)
VMware Fusion (for Mac hosts, 30-day trial)
VirtualBox (free for all platforms)

VMs

For VMware: Win2008Malware.7z
Size: 2,073,173,278 bytes
SHA-256: c2d59bb80d71cb73350fe436d2658eeb46c869edce66c950ce97268e2a2fa25a

For VirtualBox: Win2008MalwareVB.7z
Size: 3,754,472,442 bytes
SHA-256: 879584a72752a3a22843b21e02992e6aa78ad4b73aed5536a44c91613d813113


Cloud Hosting

Login

Hosted by  

Basic Static Analysis

1. Basic Static Techniques (10 pts.)
2. Unpacking
3. Challenge: Name the Packer (5 pts)
4. Challenge: Datestamp (5 pts)

Basic Dynamic Analysis

5. Basic Dynamic Analysis
6. Keylogger (15 pts.)
7. Challenge: Beacons (10 pts)

Advanced Static Analysis

8. Jasmin
9. Challenge: Secret Message (10 pts)
10. IDA Pro
11. Challenges with IDA (50 pts)

Advanced Dynamic Analysis

12. Simple EXE Hacking with Ollydbg (20 pts.)
13. Adding Trojan Code with LordPE (20 pts.)
14. Patching EXEs with Ollydbg (100 pts.)
15. Kernel Debugging with LiveKd & WinDbg (15 pts.)
16. SSDT Hooking (15 pts.)

Extra Challenge

C1. AES & PBKDF2 in Python (40 pts.)

Tools Used

Student Assistants

Elizabeth Biddlecome

LinkedIn · Resume

I have over 15 years of experience as a consultant in devising innovative technical solutions for small to medium enterprise needs. As a consultant, I'm devoted to creatively and effectively solving problems while providing a satisfying user experience. Throughout my career as a full stack software engineer, my enthusiasm for architecture, security, and server-side programming has driven my ability to architect robust apps, while my strong design skills have allowed me to create attractive, engaging UI designs to spec. Craftsmanship is critical to my work; I perceive code as art.

Information Security is a deep passion of mine; I enjoy contributing as a core member of my team in local and national cybersecurity competitions as I transition fully into this space professionally.

As engineers, I believe that we have signed up for a life-long learning process, and will always be students in one regard or another. I am also a dedicated educator, teaching both working professionals and adolescent through young adult students. MissionBit is a non-profit working within the San Francisco Unified School District, working toward the goal of closing the tech divide via mentoring the next generation of engineers, software developers, project managers, and security professionals in their career pursuits, with a particular focus on underrepresented minority and economically disadvantaged students.

Elizabeth With Her "Software Engineer Pathways to Employment" Class at Microsoft

Other Projects

Proj 3: INetSim (20 pts.) (rev. 2-1-16)
Proj 7: Compiling C on Windows 2008 Server (15 pts.) (rev. 2-27-17)
Proj 8: Disassembling C on Windows (15 pts. + 10 extra credit) (rev. 2-27-17)
Proj 9: Disassembling C on Windows Part 2 (15 pts. + 10 extra credit) (rev. 3-20-17)
Proj 11: Using OllyDbg to Analyze Lab09-01.exe (15 pts.) (rev. 3-21-16)
Proj 12: Kernel Debugging with Livekd on Windows Server 2008 (20 pts.) (rev. 3-11-17)
Proj 13: Using Kernel Debugging Commands with WinDbg (15 pts.) (rev. 4-19-17)
Proj 14: Malware Behavior (Lab 11-1) (35 pts.) (rev. 4-19-17)
Proj 15: Covert Malware Launching (Lab 12-1) (25 pts.) (rev. 4-18-16)
Proj 16: Data Encoding (Lab 13-1) (25 pts.) (rev. 4-24-17)

Extra Credit Projects

Proj 1x: File and Strings (10 pts. extra credit)
      121-X11-files.zip (rev. 8-22-13)
Proj 3x: Harvesting Files from Packet Captures with Wireshark (10 pts.)
      pX12-121.pcap (1.2 MB)
Proj 4x: Introduction to Hopper (20 pts.) (rev. 2-22-16)
Proj 5x: Assembly Code Challenges (30 pts.) (rev. 2-9-16)
Proj 6x: Disassembling C on Windows Part 3 (15 pts. + 10 extra credit)
Proj 7x: Analyzing Malicious Windows Programs (Lab 7-2) (15 pts.)
Proj 8x: Using WinDbg on a Crash Dump (15 pts.)
Proj 12x: Anti-Disassembly (Lab 15-1) (15 pts.)

Scores 9-28-17

Classes

CNIT 126: Practical Malware Analysis
CNIT 127: Exploit Development
CNIT 128: Hacking Mobile Devices
CNIT 123: Ethical Hacking and Network Defense
CNIT 124: Advanced Ethical Hacking
CNIT 40: DNS Security
CNIT 141: Cryptography for Computer Networks
Last Updated: 10-1-17 11:35 am