Practical Malware Analysis

Summer 2017 Sam Bowne


Scores from BSidesLV 2017
Scores from DEF CON 25 (2017)

Learn how to analyze malware, including computer viruses, trojans, and rootkits, with disassemblers, debuggers, and static and dynamic analysis techniques, using IDA Pro, OllyDbg, and other tools.

Familiarity with programming in C and assembler is helpful but not necessary.

Download VM Win2008Malware.7z
2,073,173,278 bytes

Basic Static Analysis

1. Basic Static Techniques (10 pts.)
2. Unpacking
3. Challenge: Name the Packer (5 pts.)
4. Challenge: Datestamp (5 pts.)

Basic Dynamic Analysis

5. Basic Dynamic Analysis
6. Keylogger (15 pts.)
7. Challenge: Beacons (10 pts.)

Advanced Static Analysis

8. Jasmin
9. Challenge: Secret Message (10 pts.)
10. IDA Pro
11. Challenges with IDA (50 pts.)

Advanced Dynamic Analysis

12. Simple EXE Hacking with Ollydbg (20 pts.)
13. Adding Trojan Code with LordPE (20 pts.)
14. Patching EXEs with Ollydbg (100 pts.)
15. Kernel Debugging with LiveKd & WinDbg (15 pts.)
16. SSDT Hooking (15 pts.)

Extra Challenge

C1. AES & PBKDF2 in Python (40 pts.)

Tools Used

Student Assistants

Elizabeth Biddlecome

LinkedIn · Resume

I have over 15 years of experience as a consultant in devising innovative technical solutions for small to medium enterprise needs. As a consultant, I'm devoted to creatively and effectively solving problems while providing a satisfying user experience. Throughout my career as a full stack software engineer, my enthusiasm for architecture, security, and server-side programming has driven my ability to architect robust apps, while my strong design skills have allowed me to create attractive, engaging UI designs to spec. Craftsmanship is critical to my work; I perceive code as art.

Information Security is a deep passion of mine; I enjoy contributing as a core member of my team in local and national cybersecurity competitions as I transition fully into this space professionally.

As engineers, I believe that we have signed up for a life-long learning process, and will always be students in one regard or another. I am also a dedicated educator, teaching both working professionals and adolescent through young adult students. MissionBit is a non-profit working within the San Francisco Unified School District, working toward the goal of closing the tech divide via mentoring the next generation of engineers, software developers, project managers, and security professionals in their career pursuits, with a particular focus on underrepresented minority and economically disadvantaged students.

Elizabeth With Her "Software Engineer Pathways to Employment" Class at Microsoft

Other Projects

Proj 3: INetSim (20 pts.) (rev. 2-1-16)
Proj 7: Compiling C on Windows 2008 Server (15 pts.) (rev. 2-27-17)
Proj 8: Disassembling C on Windows (15 pts. + 10 extra credit) (rev. 2-27-17)
Proj 9: Disassembling C on Windows Part 2 (15 pts. + 10 extra credit) (Modified 3-20-17)
Proj 11: Using OllyDbg to Analyze Lab09-01.exe (rev. 3-21-16) (15 pts.)
Proj 12: Kernel Debugging with Livekd on Windows Server 2008 (20 pts.) (Updated 3-11-17)
Proj 13: Using Kernel Debugging Commands with WinDbg (15 pts.) (rev. 4-19-17)
Proj 14: Malware Behavior (Lab 11-1) (35 pts.) (updated 4-19-17)
Proj 15: Covert Malware Launching (Lab 12-1) (rev. 4-18-16) (25 pts.)
Proj 16: Data Encoding (Lab 13-1) (25 pts.) (rev. 4-24-17)

Extra Credit Projects

Proj 1x: File and Strings (10 pts. extra credit) (rev. 8-22-13)
Proj 3x: Harvesting Files from Packet Captures with Wireshark (10 pts.)
      pX12-121.pcap (1.2 MB)
Proj 4x: Introduction to Hopper (20 pts.) (rev. 2-22-16)
Proj 5x: Assembly Code Challenges (30 pts.) (rev. 2-9-16)
Proj 6x: Disassembling C on Windows Part 3 (15 pts. + 10 extra credit)
Proj 7x: Analyzing Malicious Windows Programs (Lab 7-2) (15 pts.)
Proj 8x: Using WinDbg on a Crash Dump (15 pts.)
Proj 12x: Anti-Disassembly (Lab 15-1) (15 pts.)

CNIT 126: Practical Malware Analysis
CNIT 127: Exploit Development
CNIT 128: Hacking Mobile Devices
CNIT 123: Ethical Hacking and Network Defense
CNIT 124: Advanced Ethical Hacking
CNIT 40: DNS Security
CNIT 141: Cryptography for Computer Networks
Last Updated: 7-30-17 8:06 am