CNIT 126: Practical Malware Analysis

Fall 2018 Sam Bowne

Section 78188, Tue 6:10 - 9 PM, SCIE 200


Catalog Description

Learn how to analyze malware, including computer viruses, trojans, and rootkits, using disassemblers, debuggers, static and dynamic analysis, using IDA Pro, OllyDbg and other tools.

Advisory: CS 110A or equivalent familiarity with programming

Upon successful completion of this course, the student will be able to:
  1. Describe types of malware, including rootkits, Trojans, and viruses.
  2. Perform basic static analysis with antivirus scanning and strings
  3. Perform basic dynamic analysis with a sandbox
  4. Perform advanced static analysis with IDA Pro
  5. Perform advanced dynamic analysis with a debugger
  6. Operate a kernel debugger
  7. Explain malware behavior, including launching, encoding, and network signatures
  8. Understand anti-reverse-engineering techniques that impede the use of disassemblers, debuggers, and virtual machines
  9. Recognize common packers and how to unpack them

Textbook

"Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901 Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

You should have received an email like this, inviting you to the Canvas system we are using, which is not the Canvas system controlled by CCSF. Follow the instructions in that email to join the Canvas system.

To take quizzes, log in to Canvas here:

https://canvas.instructure.com/courses/1401413

Live Streaming

Live stream at:

http://www.ccsf.edu/en/educational-programs/school-and-departments/school-of-liberal-arts/broadcast-electronic-media-arts/EATV/webcasts.html

Classes will also be recorded and published on YouTube for later viewing.

Kahoot and Zoom

The Kahoot competitions don't work well with the CCSF livestream, because it has a delay. For them, use Zoom:

https://zoom.us/j/4108472927

Email

For class-related questions, please email
cnit.126sam@gmail.com

Schedule (may be revised)

Note: Chapter Numbers are one too high in the E-Book: Chapter 0 is mislabelled as Chapter 1, etc.
Date                  | Quiz / Projects                                        | Topic
Tue 8-21              | -                                                      | 0: Malware Analysis Primer & 1: Basic Static Techniques
Tue 8-28              | Quiz: Ch 0-1 *; Quiz: Ch 2-3 *                         | 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Tue 9-4               | Quiz: Ch 4 *; Proj 1-2 due *                           | 4: A Crash Course in x86 Disassembly
Fri 9-7               | Last Day to Add Classes                                |
Tue 9-11              | Quiz: Ch 8; Proj 3 due                                 | 8: Debugging
Tue 9-18              | Quiz: Ch 9; Proj 4-5 due                               | 9: OllyDbg
Tue 9-25              | Quiz: Ch 5; Proj 6 due                                 | 5: IDA Pro
Tue 10-2              | Quiz: Ch 6; Proj 7-8 due                               | 6: Recognizing C Code Constructs in Assembly
Tue 10-9              | Quiz: Ch 7; Proj 9 due                                 | 7: Analyzing Malicious Windows Programs
Tue 10-16             | Holiday - No Class                                     |
Tue 10-23             | Quiz: Ch 10; Proj 10-11 due                            | 10: Kernel Debugging with WinDbg
Tue 10-30             | Quiz: Ch 11; Proj 12 due                               | 11: Malware Behavior
Tue 11-6              | No Quiz; No Proj due                                   | Guest Speakers from First Republic (Cybersecurity and HR will be represented), 6:30 - 7:15 PM, MUB 388
Tue 11-13             | Quiz: Ch 12; Proj 13 & 14 due                          | 12: Covert Malware Launching
Tue 11-20             | CLASS CANCELLED DUE TO SMOKE                           |
Tue 11-27             | Quiz: Ch 13; Proj 15 & 16 due                          | 13: Data Encoding
Tue 12-4              | No Quiz; No Proj due                                   | Guest: Tim O'Brien, "Security Operations and the SOC of 2020", in Science Room 200 (will not be recorded or livestreamed)
Tue 12-11             | Quiz Ch 14 available (extra credit); Proj 17 & 18 due  | Last Class: 14: Malware-Focused Network Signatures
Thu 12-13 - Thu 12-20 | Final Exam available online throughout the week; you can only take it once. |

All quizzes due 30 min. before class
* No late penalty until after 9-11

Lecture Notes

Policy

Basic Analysis

0: Malware Analysis Primer & 1: Basic Static Techniques · KEY
2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis · KEY

Advanced Static Analysis

4: A Crash Course in x86 Disassembly · KEY
5: IDA Pro · KEY
6: Recognizing C Code Constructs in Assembly · KEY
7: Analyzing Malicious Windows Programs · KEY

Advanced Dynamic Analysis

8: Debugging · KEY (Updated 9-11-18)
9: OllyDbg · KEY
10: Kernel Debugging with WinDbg · KEY

Malware Functionality

11: Malware Behavior · KEY · PDF
12: Covert Malware Launching · KEY · PDF
13: Data Encoding · KEY · PDF


Slides below this line are being updated


14: Malware-Focused Network Signatures · KEY

Anti-Reverse-Engineering

15: Anti-Disassembly · KEY
16: Anti-Debugging
17: Anti-Virtual Machine Techniques
18: Packers and Unpacking

Special Topics

19: Shellcode Analysis
20: C++ Analysis
21: 64-Bit Malware

Review Questions

Click a lecture name to see it on SlideShare.
If you want to use other formats, you may find this useful:
Cloud Convert.

Projects

Proj 1: Malware Analysis Virtual Machine (15 pts)
Proj 2: Basic Static Techniques (20 pts + 30 pts extra)
Proj 3: Unpacking (15 pts + 10 pts extra)
Proj 4. Basic Dynamic Analysis (30 pts)
Proj 5. Keylogger (15 pts + 15 pts extra)
Proj 6. Using Jasmin to Run x86 Assembly Code (15 pts)
Proj 7. Using Masm32 to Run x86 Assembly Code (20 pts)
Proj 8. Simple EXE Hacking with Ollydbg (20 pts) (rev. 9-18-18)
Proj 9: Patching EXEs with Ollydbg (10 pts + 70 pts extra)
Proj 10: Adding Trojan Code with LordPE and Ollydbg (20 pts)
Proj 11. Hacking Minesweeper with Ollydbg (15 pts + 30 pts extra)
Proj 12. IDA Pro (15 pts)
Proj 13. IDA Pro Challenges (10 pts + 30 extra)
Proj 14. Kernel Debugging with LiveKd & WinDbg (15 pts)
Proj 15. SSDT Hooking (10 pts + 15 pts extra)
Proj 16: Windows 2016 Server Virtual Machine (15 pts)
Proj 17: Compiling C on Windows 2016 Server (15 pts)
Proj 18: C Constructs in Assembly (15 pts)

Extra Credit Projects

Obfuscation CTF (up to 24 pts extra)

Virtual Machine Resources

Download Textbook Labs Here

All the projects run on a single Windows Server 2008 machine.
You can run it locally on VMware or VirtualBox, or in the cloud with NETLAB.

Local Hosting

Hypervisors

VMware Player (for Windows hosts, free)
VMware Fusion (for Mac hosts, 30-day trial)
VirtualBox (free for all platforms)

VMs

For VMware: Win2008Malware.7z
Size: 2,073,173,278 bytes
SHA-256: c2d59bb80d71cb73350fe436d2658eeb46c869edce66c950ce97268e2a2fa25a

For VirtualBox: Win2008MalwareVB.7z
Size: 3,754,472,442 bytes
SHA-256: 879584a72752a3a22843b21e02992e6aa78ad4b73aed5536a44c91613d813113

For Hyper-V: Svr8Vm12.7z
Size: 2.21 GB

Download VMware Player


Links

Lab Files

Download Textbook Labs Here

Chapter Links

Ch 1a: Breach clean-up cost LinkedIn nearly $1 million, another $2-3 million in upgrades (Aug. 2012)
Ch 1b: Fake FBI warning tricks man into surrendering himself for possession of child porn

Ch 2a: VirusTotal - Free Online Virus, Malware and URL Scanner
Ch 2b: UPX NotCompressibleException
Ch 2c: Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
Ch 2d: Dependency Walker (depends.exe) Home Page
Ch 2e: PEview Download
Ch 2f: Resource Hacker
Ch 2g: Download PEiD 0.95
Ch 2h: UPX: the Ultimate Packer for eXecutables - Download
Ch 2i: BinText 3.03 McAfee Free Tools

Ch 3a: Process Monitor Download
Ch 3b: Process Explorer Download
Ch 3c: RegShot download
Ch 3d: Regshot user guide
Ch 3e: ApateDNS Download
Ch 3f: 3 Free Tools to Fake DNS Responses for Malware Analysis

Ch 5a: OpenRCE -- Free IDA Scripts

Ch 6a: Entry points for Windows programs

Ch 7b: Autoruns for Windows
Ch 7c: Anatomy of a Program in Memory
Ch 7d: assembly - The point of test eax eax
Ch 7e: CurrentControlSet\Services Subkey Entries
Ch 7f: Globally unique identifier - Wikipedia
Ch 7g: SEH in x86 Environments
Ch 7h: assembly - What is the 'FS'/'GS' register intended for?
Ch 7i: winapi - FS register in Win32
Ch 7j: Ring (computer security) - Wikipedia

Ch 8a: Exploit Development for Mere Mortals Joe McCray - YouTube
Ch 8b: x86 Protected Mode Exceptions
Ch 8c: Enabling Postmortem Debugging - Windows 10 hardware dev
Ch 8d: Using Windows Event Viewer to debug crashes
Ch 8e: LiveKd for Virtual Machine Debugging

Ch 9a: Download OllyDbg 1.10
Ch 9b: OllyDbg v. 2.01 is EVIL; just misses functions found in v. 1.10
Ch 9c: OLLYDBG TUTORIALS! The Legend Of Random
Ch 9d: OpenRCE OllyDbg Plugins (down on 10-14-13)
Ch 9e: shell-storm Shellcodes Database

Ch 10a: Download Windows Symbol Packages
Ch 10b: ntoskrnl.exe - Wikipedia, the free encyclopedia
Ch 10c: Choosing the 32-Bit or 64-Bit Debugging Tools (Windows Debuggers)
Ch 10d: How To: Debug the WRK on Mac OS X Using VMware Fusion
Ch 10e: Assembly Code Debugging in WinDbg (Windows Debuggers)
Ch 10f: Microsoft Windows library files - HAL runs in kernel mode
Ch 10g: Windbg Tutorials
Ch 10h: A word for WinDbg
Ch 10i: Kernel Patch Protection - Wikipedia
Ch 10j: On Windows Syscall Mechanism and Syscall Numbers Extraction Methods
Ch 10k: The Sysenter Instruction and 0x2e Interrupt
Ch 10l: Hooking the System Service Dispatch Table (SSDT)
Ch 10m: Common WinDbg Commands (Thematically Grouped)

Ch 11a: Portable Executable - Wikipedia
Ch 11b: Resource Hacker
Ch 11c: Capturing Windows 7 Credentials at Logon Using a Custom Credential Provider (Replaces MSGINA.DLL)
Ch 11d: Detecting DLL Hijacking on Windows | SANS Institute (2015)
Ch 11e: Windows 10 Hooking Nirvana explained (2016)

Ch 13a: Tools for Examining XOR Obfuscation for Malware Analysis
Ch 13b: Base64 Decode and Encode - Online
Ch 13c: Download FindCrypt2 (IDA Pro Plug-In)
Ch 13d: Kanal Free Download
Ch 13e: Entropy (information theory) - Wikipedia
Ch 13f: IDA Entropy Plugin
Ch 13g: IDA Entropy Plugin 0.1 -- working download link
Ch 13h: Ent -- entropy visualizer that works on Windows

Ch 15a: The Bastard Linux Disassembler (Linear)
Ch 15b: JUMP and CALL - Stack Overflow

Training Materials

Introductory: Chapter 0

Introduction to Malware Analysis Slides by Lenny Zeltser
Introduction to Malware Analysis - Free Recorded Webcast by Lenny Zeltser
Analysis of Malware Samples -- EXCELLENT TIPS FOR PROCESS MONITOR
Sam's Honeynet "Reverse Engineering Malware" Class Notes (Mar. 2012)

Assembly Language: Chapter 4

Windows Assembly Language Megaprimer -- VIDEO
Introductory Intel x86: Architecture, Assembly --Free class materials!
PE Structure--Excellent Diagram
Download jasmin x86 Assembler Interpreter
Jasmin tutorial - Java Assembler Interpreter

Windows Internals: Chapter 7

Windows 0wn3d By Default Mark Baggett -- VIDEO

Debugging: Chapter 8

Exploit Development for Mere Mortals Joe McCray -- VIDEO
OllyDbg Tricks for Exploit Development

OllyDbg: Chapter 9

Exploit Dev Night School Day 2 - YouTube -- HIGHLY RECOMMENDED, MORE DEBUGGER DEMOS
Reverse Engineering 101 on Vimeo

Other Links

Catalog of key Windows kernel data structures
Malware Analysis Resources
Pwning a Spammer's Keylogger - SpiderLabs Anterior
SANS Memory Forensics Cheat Sheet (PDF)
An interesting case of Mac OSX malware
Picking Apart Malware In The Cloud - The business need for malware analysis
FakeNet -- Dynamic malware analysis tool
Static Analysis Talk
Worm 2.0, or LilyJade in action
Pwning the Herpes botnet and its creator
A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability - Microsoft Malware Protection Center - Site Home - TechNet Blogs
Virtual USB Analyzer - Tutorial
PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion
FileInsight McAfee Free Tools
McAfee FileInsight -- recommended malware analysis tool
CSI:Internet - PDF timebomb
Static Analysis: Following Along at Home with Hopper's Decompiler Feature, Part 1
Deconstructing an ELF File
Malware Analysis Course Lecture Slides
Defeating Flame String Obfuscation with IDAPython
System Forensics: MBR Malware Analysis
Malware Hunting with the Sysinternals Tools
Honeypot Alert PHP-CGI Vuln Targeted For Database Dumping
Th3-0uTl4wS Database -- bot source code
Fuzzy Hashing presentation by Jesse Kornblum
Malware Unpacking Level: Pintool
WireShnork and other Forensics plugins for Wireshark
IntroductionToReverseEngineering
Tweaking Metasploit Modules To Bypass EMET -- Part 1
corkami - reverse engineering experiments and documentations
Modifying VirtualBox settings for malware analysis
What was that Wiper thing? - EXCELLENT MALWARE ANALYSIS
Malware Must Die!: Racing with time to get the latest payload of Blackhole Exploit Kit
Extracting EXE file (in HTTP stream) from captured packets file with Wireshark
Analyzing Unknown Malware: #2 Disclosure of an interesting Botnet - The Executable (Part 1)
Malware Analysis as a Hobby slides --Cuckoo looks great!
Shamoon The Wiper: further details (Part II) - Securelist
Backdoors are Forever: Hacking Team and the Targeting of Dissent
The Case of the Unexplained FTP Connections
Analysis of malware that infects virtual machines
Deobfuscating "PluginDetect"
To Russia With Targeted Attack
Windows DLL Injection Basics
Reverse engineering challenge intended for women
India APT Attack -- Several useful tools demonstrated
MFT vs Super Timeline: Part 1
Stack Smashing On A Modern Linux System -- Good gdb examples
Nothink.org -- EXCELLENT HONEYPOT DATA
Oh, you found a remote OpenSSH 0-day on Pastebin? Don't trust it.
KernelMode.info -- Site to get real malware samples
MalwareURL -- Site to get real malware samples
Malc0de Database -- Site to get real malware samples
PEiD 0.95 Free - Detects packers, cryptors and compilers
QUnpack -- recommended unpacker
ThreatExpert - Automated Threat Analysis
TCPView for Windows -- traffic monitoring
Total Uninstall Analyze, monitor and uninstall programs -- useful for malware analysis
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code -- recommended book
Volatility Cheat Sheet
Good analysis of the malware at speedtest.net
Free Online Malware Analysis Class
APT #TargetedAttacks within Twitter
How to use MANDIANT Memoryze
contagio: Collection of Pcap files from malware analysis
Malware analysis lab tools
6.25 DNS DDOS Attack In Korea -- Good example of simple dynamic analysis
Mandiant Redline is Free
Windows 8 Server 2012 Memory Forensics
Structured Exception Handler EXPLOITATION
Malware and DLLs
Trojaning antivirus uninstallers with DLL injection
When Malware Meets Rootkits (from 2005)
Process Hiding
Dr. Fu's Security Blog: Malware Analysis Tutorials: a Reverse Engineering Approach -- MORE PROJECTS HERE
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code -- RECOMMENDED BOOK
SANS Work Study -- Get SANS classes for cheap!
Finding Evil: Automating Autoruns Analysis
Attackers' Toolbox Makes Malware Detection More Difficult
Large botnet cause of recent Tor network overload
Pushdo Botnet detects "FakeNet" analysis tool and spams practicalmalwareanalysis.com (Sept, 2013)
Reverse Engineering a D-Link Backdoor with IDA Pro
Anatomy of an exploit -- inside the CVE-2013-3893 Internet Explorer zero-day -- Part 1
binwalk - Firmware Analysis Tool
Reverse Engineering Videos
How to solve Windows system crashes in minutes --Debugging crash dumps
Kernel Pool Exploitation on Windows 7 (from 2011)
Analysis of a Malware ROP Chain
New Tool: XORStrings
Strings from CSRSS show command-line history on Windows
Reconstructing Master File Table (MFT) Entries with MFTParser.py
The OpenIOC Framework -- for sharing threat intelligence
security-onion - recommended for Snort GUIs
Malware Research -- samples
Barracuda Launches Web-Based Malware Analysis Tool Threatglass
Malware Analysis with pedump
Practical Malware Analysis - Free Download eBook - pdf (works as of 2014-07-16)
What is a mutex? - EPIC EXPLANATION
OfficeMalScanner -- detects malware in Office files
Hopper -- Mac OS X Disassembler, highly recommended by @iamevltwin
fseventer for Mac -- observe filesystem changes
logkext - Freeware keylogger for OS X
contagio: OSX malware and exploit collection (~100 files)
Shellter -- inject Metasploit payloads into PE files to bypass AV
Exeinfo PE Download
How to setup plugins for ollydbg 2.x.x?
Download OllyScript to Automate Packing
Download OllyScript PE Compact Script
QuickUnpack Tool -- Download
Ether: Malware Analysis via Hardware Virtualization Extensions -- Free online unpacker
MacMemoryForensics - volatility - Instructions on how access and use the Mac OS X support
PEStudio performs the static investigation of Windows executables
Valgrind Tutorial
PEStudio: static malware analysis tool ty @lennyzeltser #S4con
Process Hacker can dump strings from running processes ty @lennyzeltser #S4con
Google mutant names to help identify malware ty @lennyzeltser #S4con
Malware Analysis Database -- search for mutex values & more ty @lennyzeltser #S4con
ProcDOT - Visual Malware Analysis ty @lennyzeltser #S4con
urlvoid.com Website Reputation Checker Tool ty @lennyzeltser #S4con
Exeinfo PE -- Identifies packers ty @lennyzeltser #S4con
Hacker Disassembly Uncovered (free download)
Reversing & Malware Analysis - FREE TRAINING SLIDES
The evolution of OS X malware (Oct. 2014)
Bypassing EMET's EAF with custom shellcode using kernel pointer (from 2011)
Disarming Enhanced Mitigation Experience Toolkit (EMET) v 5.0
Cuckoo Sandbox VM Escape Vulnerability (2014)
Rootkits by Csaba Barta (from 2009)
Malwr - Malware Analysis by Cuckoo Sandbox
Malware Investigator -- from the FBI
Reversing a malvertisment: javascript, regex, and cookie
POWELIKS Levels Up With New Autostart Mechanism
Malicious Flash Files Gain the Upper Hand With New Obfuscation Techniques Security Intelligence Blog
Inside a Kippo honeypot: how the billgates botnet spreads -- PROJECT IDEA
Hook Analyser
Online JavaScript beautifier -- deobfuscates code! -- IMPORTANT FOR MALWARE ANALYSIS
Retrieve the apk signature at runtime for Android
2015-10-07: IOS Application Security Testing Cheat Sheet - OWASP
theZoo · Malware Samples to Analyze ty @the_fire_dog
Malware Researcher's Handbook (Demystifying PE File) - InfoSec Resources
RPISEC/Malware: Course materials for Malware Analysis
Malware Analysis by Abstruse Goose
A Crash Course In DLL Hijacking -- EXCELLENT EXPLANATION
x64dbg: An open-source x64/x32 debugger for windows -- ALTERNATIVE TO IDA PRO
REMNUX V6 FOR MALWARE ANALYSIS (PART 2): STATIC FILE ANALYSIS
Microsoft security technology EMET used to disable itself (Feb. 2016)
The Ultimate Disassembly Framework -- Capstone
Malwarebytes 2.2.0.1024 DLL Hijacking (works on Win 2008 Server but not Win 10) -- SHOW TO CLASS
Win32 Assembly Cheat Sheet
Local Kernel-Mode Debugging - Windows 10 hardware dev
WinDbg tools and tutorials
pestudio: Malware Initial Assessment Tool
Identifying malware with PEStudio
A fundamental introduction to x86 assembly programming
Practical Malware Analysis Starter Kit
Introductory Intel x86: Architecture, Assembly, Applications - YouTube
Assembly Primer for Hackers (Part 1) System Organization Tutorial.mp4 - YouTube
Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)
GitHub - RPISEC/Malware: Course materials for Malware Analysis by RPISEC
Manalyzer: free online static analysis
WARNING: Tweet to download live Locky malware (BE CAREFUL)
Kwetza: infecting android applications -- MAKE INTO PROJECT
pwning bin2json | psych0tik
Microsoft/binskim: A binary static analysis tool that provides security and correctness results for Windows portable executables.
GitHub - GoSecure/malboxes: Builds malware analysis Windows VMs so that you don't have to.
pev - the PE file analysis toolkit -- MAY BE USEFUL FOR PROJECTS
pev Video Demo
Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax. -- TRY FOR PROJECTS
CS7038-Malware-Analysis by ckane
Reverse Engineering Malware 101 -- free online course

New Unsorted Links

My first SSDT hook driver
SSDT Hooking mini-library/example - RaGEZONE - MMO development community
Shadow SSDT Hooking with Windbg
Download Windows Driver Kit Version 7.1.0 from Official Microsoft Download Center
InstDrv plug-in - NSIS
Installing the AWS Command Line Interface
HowTo Export a VM in OVA format in VMware Fusion for OS X with ovftool
FLARE VM: The Windows Malware Analysis Distribution You've Always Needed!
pestudio -- USEFUL FOR MALWARE ANALYSIS
Dropper Analysis -- TEST FOR PROJECT
GUnpacker 0.5 | Generic Unpacker for RE of Malware
wsunpacker -- unpacks many formats
Ether: Online Malware Unpacker
Portable Executable File Corruption Preventing Malware From Running -- USE FOR PROJECTS
fireeye/flare-floss: FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Practical Malware Analysis Chapter 1 Lab Attempt - YouTube
Kernel Forensics and Rootkits
pestudio: Malware Initial Assessment Tool
Malware Analysis Tutorials: a Reverse Engineering Approach
Reversing Basics - A Practical Approach Using IDA Pro
Ch 8f: LiveKd for Virtual Machine Debugging -- Mark's Blog
ScyllaHide: conceals debuggers from malware
Process Doppelganging Malware Evasion Technique (from 2017) ty @lennyzeltser #IRespondCon
Processhacker: Monitor system resources, debug software and detect malware --ty @lennyzeltser #IRespondCon
Invoke-DOSfuscation: Cmd.exe Command Obfuscation Tool -- ty @lennyzeltser #IRespondCon
olevba -- Extracts VBA Macros from Microsoft Office files -- ty @lennyzeltser #IRespondCon
Malware-Traffic-Analysis.net A source for pcap files and malware samples ty Andrea Kaiser #IRespondCon
MalShare: A free Malware repository providing researchers access to samples, malicious feeds, and Yara results
VirusShare.com - Because Sharing is Caring
Detect It Easy -- Unpacker for Windows malware
CFF Explorer -- Malware Analysis Tool
pestudio -- malware analysis tool
Game Hacking: WinXP Minesweeper - Reverse Engineering
Automated Malware Analysis - Joe Sandbox
Ch 10n: About Dynamic-Link Libraries | Microsoft Docs
Ch 10n: Callback Objects | Microsoft Docs
Ch 10o: Using a Driver-Defined Callback Object | Microsoft Docs
Exeinfo PE by A.S.L - packer - compression detector and data detector
GitHub - horsicq/Detect-It-Easy: Detect it Easy
The Mac Malware of 2018--WITH SAMPLES
OALabs Malware Analysis Virtual Machine
Intro to Cutter for Malware Analysis
Three Heads are Better Than One: Mastering Ghidra
Top 10 Free Keyloggers for Windows
EgeBalci/Keylogger: Simple C Keylogger...
Understanding and Analyzing Carrier Files Workshop
Modern Windows Exploit Development.pdf
Rootkit analysis Use case on HideDRV
TDSS part 1: The x64 Dollar Question
Bochs Hacking Guide
CFF Explorer -- use for malware analysis
Vergilius: Take a look into the depths of Windows kernels--USE FOR PROJECTS
2020-10-15: Recommended Mandiant and FireEye Blogs
Malware_Reverse_Engineering_Handbook.pdf
Malware Samples for Students
Windows System Processes: An Overview For Blue Teams
Persistence AppInit DLLs Penetration Testing Lab
The Art Of Mac Malware
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Labs | CyberDefenders ® | Blue Team CTF Challenges
A detailed analysis of ELMER Backdoor used by APT16 CYBER GEEKS
Analyzing APT19 malware using a step-by-step method CYBER GEEKS
Dissecting APT21 samples using a step-by-step approach CYBER GEEKS
Detecting Mimikatz with Sysmon
Packing and Process Injection to Evade Windows Defender
GitHub - danzajork/evasion: Windows packer
Finding Privilege Escalation Vulnerabilities in Windows using Process Monitor - Wiki - VulWiki
Rootkits in Windows 10 - Windows security | Microsoft Docs
2022-02-11: Malware Analysis Series
Malware Analysis Tutorials: a Reverse Engineering Approach
Malware analysis CTF created by myself and @HBRH_314
Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code
How to Use the Slmgr activate and Slmgr rearm up to 8 times
DLL Hijack Libs
PMA 600: FLARE-ON 9 (2022) (requires password)
NASM Assembly Language Tutorials - asmtutor.com
How to Bypass Windows 11's TPM, CPU and RAM Requirements--THIS WORKS
How to bypass internet connection to install Windows 11--THIS WORKS
Winbindex - The Windows Binaries Index
MVS Collection: Windows ISOs
WindowsProtocolTestSuites
Binary Refinery tutorial
Meterpreter vs Modern EDR(s)--USE FOR PROJECT
Can't inject meterpreter shellcode in c code - Information Security Stack Exchange
Ring Zero Labs: Godbolt: Your Gateway to Learning Reverse Engineering
Decompiler Explorer
Symbolic Execution for the Win: Pwning CTFs with angr
Any.Run Analysis--USE FOR PROJECTS
Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection - Outpost24


Last Updated: 12-11-18 7:15 pm