CNIT 126: Practical Malware Analysis
Fall 2020
Sam Bowne
Catalog Description

Learn how to analyze malware, including computer viruses, trojans, and rootkits, using disassemblers, debuggers, and static and dynamic analysis with IDA Pro, OllyDbg and other tools.

Advisory: CS 110A or equivalent familiarity with programming

Upon successful completion of this course, the student will be able to:
Textbook

"Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901. Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions; you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

Discussion Board

Each CCSF student must contribute to the Discussion Board in Canvas. The dates on which Discussion assignments are due are listed in the schedule.

Live Streaming

Live stream at:

For class-related questions, please send messages inside Canvas or email cnit.126sam@gmail.com
Schedule (may be revised)

Note: Chapter numbers are one too high in the E-Book: Chapter 0 is mislabelled as Chapter 1, etc.

Date | Quiz / Due | Topic
---|---|---
Tue 8-18 | | 0: Malware Analysis Primer & 1: Basic Static Techniques
Tue 8-25 | Quiz: Ch 0-1 *; Quiz: Ch 2-3 *; Proj 30 or 20 due * | 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Tue 9-1 | Quiz: Ch 4 *; Proj 101 & 102 due * | 4: A Crash Course in x86 Disassembly
Fri 9-4 | Last Day to Add Classes |
Tue 9-8 | Quiz: Ch 8; Proj 201 (if using a local VM) due | 8: Debugging
Tue 9-15 | Quiz: Ch 9; Proj 221 & 301 due | 9: OllyDbg
Tue 9-22 | Quiz: Ch 5; Proj 401 due; Discussion 1 due | 5: IDA Pro
Tue 9-29 | No Quiz; Proj 110 due; Discussion 2 due | More about file headers and DLLs, and the Assembler CTF
Tue 10-6 | Quiz: Ch 6; Proj 402 due; Discussion 3 due | 6: Recognizing C Code Constructs in Assembly
Tue 10-13 | Quiz: Ch 7; Proj 303 or 303c due; Discussion 4 due | 7: Analyzing Malicious Windows Programs
Tue 10-20 | Quiz: Ch 10; Proj 304 due; Discussion 5 due | 10: Kernel Debugging with WinDbg
Tue 10-27 | Quiz: Ch 11; Proj 410c or 410 due; Discussion 6 due | 11: Malware Behavior
Tue 11-3 | No Quiz; No Proj due; Discussion 7 due |
Tue 11-10 | Quiz: Ch 12; Discussion 8 due | 12: Covert Malware Launching
Tue 11-24 | Quiz: Ch 13; Proj 420 & 421 due; Discussion 9 due | 13: Data Encoding
Tue 12-1 | Quiz: Ch 14; Discussion 10 due | 14: Malware-Focused Network Signatures
Tue 12-8 | No Quiz; All Extra Credit due | Last Official Class Meeting; 15: Anti-Disassembly
Fri 12-11 - Fri 12-18 | Final Exam available online throughout the week. You can only take it once. |

All quizzes due 30 min. before class. * No late penalty until 9-8.
Links
Lab Files
Download Textbook Labs Here

Chapter Links
Ch 1a: Breach clean-up cost LinkedIn nearly $1 million, another $2-3 million in upgrades (Aug. 2012)
Ch 1b: Fake FBI warning tricks man into surrendering himself for possession of child porn
Ch 2a: VirusTotal - Free Online Virus, Malware and URL Scanner
Ch 3a: Process Monitor Download
Ch 5a: OpenRCE -- Free IDA Scripts
Ch 6a: Entry points for Windows programs
Ch 7b: Autoruns for Windows
Ch 8a: Exploit Development for Mere Mortals Joe McCray - YouTube
Ch 9a: Download OllyDbg 1.10
Ch 10a: Download Windows Symbol Packages
Ch 11a: Portable Executable - Wikipedia
Ch 13a: Tools for Examining XOR Obfuscation for Malware Analysis
Ch 15a: The Bastard Linux Disassembler (Linear)

Training Materials

Introductory: Chapter 0
Introduction to Malware Analysis Slides by Lenny Zeltser
Introduction to Malware Analysis - Free Recorded Webcast by Lenny Zeltser
Analysis of Malware Samples -- EXCELLENT TIPS FOR PROCESS MONITOR
Sam's Honeynet "Reverse Engineering Malware" Class Notes (Mar. 2012)

Assembly Language: Chapter 4
Windows Assembly Language Megaprimer -- VIDEO
Introductory Intel x86: Architecture, Assembly -- Free class materials!
PE Structure -- Excellent Diagram
Download jasmin x86 Assembler Interpreter
Jasmin tutorial - Java Assembler Interpreter

Windows Internals: Chapter 7
Windows 0wn3d By Default Mark Baggett -- VIDEO

Debugging: Chapter 8
Exploit Development for Mere Mortals Joe McCray -- VIDEO
OllyDbg Tricks for Exploit Development

OllyDbg: Chapter 9
Exploit Dev Night School Day 2 - YouTube -- HIGHLY RECOMMENDED, MORE DEBUGGER DEMOS
Reverse Engineering 101 on Vimeo

Other Links
Catalog of key Windows kernel data structures
Malware Analysis Resources
Pwning a Spammer's Keylogger - SpiderLabs Anterior
SANS Memory Forensics Cheat Sheet (PDF)
An interesting case of Mac OSX malware
Picking Apart Malware In The Cloud - The business need for malware analysis
FakeNet -- Dynamic malware analysis tool
Static Analysis Talk
Worm 2.0, or LilyJade in action
Pwning the Herpes botnet and its creator
A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability - Microsoft Malware Protection Center - Site Home - TechNet Blogs
Virtual USB Analyzer - Tutorial
PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion
FileInsight McAfee Free Tools
McAfee FileInsight -- recommended malware analysis tool
CSI:Internet - PDF timebomb
Static Analysis: Following Along at Home with Hopper's Decompiler Feature, Part 1
Deconstructing an ELF File
Malware Analysis Course Lecture Slides
Defeating Flame String Obfuscation with IDAPython
System Forensics: MBR Malware Analysis
Malware Hunting with the Sysinternals Tools
Honeypot Alert PHP-CGI Vuln Targeted For Database Dumping
Th3-0uTl4wS Database -- bot source code
Fuzzy Hashing presentation by Jesse Kornblum
Malware Unpacking Level: Pintool
WireShnork and other Forensics plugins for Wireshark
IntroductionToReverseEngineering
Tweaking Metasploit Modules To Bypass EMET -- Part 1
corkami - reverse engineering experiments and documentations
Modifying VirtualBox settings for malware analysis
What was that Wiper thing? - EXCELLENT MALWARE ANALYSIS
Malware Must Die!: Racing with time to get the latest payload of Blackhole Exploit Kit
Extracting EXE file (in HTTP stream) from captured packets file with Wireshark
Analyzing Unknown Malware: #2
Disclosure of an interesting Botnet - The Executable (Part 1)
Malware Analysis as a Hobby slides -- Cuckoo looks great!
Shamoon The Wiper: further details (Part II) - Securelist
Backdoors are Forever: Hacking Team and the Targeting of Dissent
The Case of the Unexplained FTP Connections
Analysis of malware that infects virtual machines
Deobfuscating "PluginDetect"
To Russia With Targeted Attack
Windows DLL Injection Basics
Reverse engineering challenge intended for women
India APT Attack -- Several useful tools demonstrated
MFT vs Super Timeline: Part 1
Stack Smashing On A Modern Linux System -- Good gdb examples
Nothink.org -- EXCELLENT HONEYPOT DATA
Oh, you found a remote OpenSSH 0-day on Pastebin? Don't trust it.
KernelMode.info -- Site to get real malware samples
MalwareURL -- Site to get real malware samples
Malc0de Database -- Site to get real malware samples
PEiD 0.95 Free - Detects packers, cryptors and compilers
QUnpack -- recommended unpacker
ThreatExpert - Automated Threat Analysis
TCPView for Windows -- traffic monitoring
Total Uninstall: Analyze, monitor and uninstall programs -- useful for malware analysis
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code -- RECOMMENDED BOOK
Volatility Cheat Sheet
Good analysis of the malware at speedtest.net
Free Online Malware Analysis Class
APT #TargetedAttacks within Twitter
How to use MANDIANT Memoryze
contagio: Collection of Pcap files from malware analysis
Malware analysis lab tools
6.25 DNS DDOS Attack In Korea -- Good example of simple dynamic analysis
Mandiant Redline is Free
Windows 8 Server 2012 Memory Forensics
Structured Exception Handler EXPLOITATION
Malware and DLLs
Trojaning antivirus uninstallers with DLL injection
When Malware Meets Rootkits (from 2005)
Process Hiding
Dr. Fu's Security Blog: Malware Analysis Tutorials: a Reverse Engineering Approach -- MORE PROJECTS HERE
SANS Work Study -- Get SANS classes for cheap!
Finding Evil: Automating Autoruns Analysis
Attackers' Toolbox Makes Malware Detection More Difficult
Large botnet cause of recent Tor network overload
Pushdo Botnet detects "FakeNet" analysis tool and spams practicalmalwareanalysis.com (Sept. 2013)
Reverse Engineering a D-Link Backdoor with IDA Pro
Anatomy of an exploit -- inside the CVE-2013-3893 Internet Explorer zero-day -- Part 1
binwalk - Firmware Analysis Tool
Reverse Engineering Videos
How to solve Windows system crashes in minutes -- Debugging crash dumps
Kernel Pool Exploitation on Windows 7 (from 2011)
Analysis of a Malware ROP Chain
New Tool: XORStrings
Strings from CSRSS show command-line history on Windows
Reconstructing Master File Table (MFT) Entries with MFTParser.py
The OpenIOC Framework -- for sharing threat intelligence
security-onion - recommended for Snort GUIs
Malware Research -- samples
Barracuda Launches Web-Based Malware Analysis Tool Threatglass
Malware Analysis with pedump
Practical Malware Analysis - Free Download eBook - pdf (works as of 2014-07-16)
What is a mutex? - EPIC EXPLANATION
OfficeMalScanner -- detects malware in Office files
Hopper -- Mac OS X Disassembler, highly recommended by @iamevltwin
fseventer for Mac -- observe filesystem changes
logkext - Freeware keylogger for OS X
contagio: OSX malware and exploit collection (~100 files)
Shellter -- inject Metasploit payloads into PE files to bypass AV
Exeinfo PE Download
How to setup plugins for ollydbg 2.x.x?
Download OllyScript to Automate Packing
Download OllyScript PE Compact Script
QuickUnpack Tool -- Download
Ether: Malware Analysis via Hardware Virtualization Extensions -- Free online unpacker
MacMemoryForensics - volatility - Instructions on how to access and use the Mac OS X support
PEStudio performs the static investigation of Windows executables
Valgrind Tutorial
PEStudio: static malware analysis tool -- ty @lennyzeltser #S4con
Process Hacker can dump strings from running processes -- ty @lennyzeltser #S4con
Google mutant names to help identify malware -- ty @lennyzeltser #S4con
Malware Analysis Database -- search for mutex values & more -- ty @lennyzeltser #S4con
ProcDOT - Visual Malware Analysis -- ty @lennyzeltser #S4con
urlvoid.com Website Reputation Checker Tool -- ty @lennyzeltser #S4con
Exeinfo PE -- Identifies packers -- ty @lennyzeltser #S4con
Hacker Disassembly Uncovered (free download)
Reversing & Malware Analysis - FREE TRAINING SLIDES
The evolution of OS X malware (Oct. 2014)
Bypassing EMET's EAF with custom shellcode using kernel pointer (from 2011)
Disarming Enhanced Mitigation Experience Toolkit (EMET) v 5.0
Cuckoo Sandbox VM Escape Vulnerability (2014)
Rootkits by Csaba Barta (from 2009)
Malwr - Malware Analysis by Cuckoo Sandbox
Malware Investigator -- from the FBI
Reversing a malvertisement: javascript, regex, and cookie
POWELIKS Levels Up With New Autostart Mechanism
Malicious Flash Files Gain the Upper Hand With New Obfuscation Techniques - Security Intelligence Blog
Inside a Kippo honeypot: how the billgates botnet spreads -- PROJECT IDEA
Hook Analyser
Online JavaScript beautifier -- deobfuscates code! -- IMPORTANT FOR MALWARE ANALYSIS
Retrieve the apk signature at runtime for Android
2015-10-07: IOS Application Security Testing Cheat Sheet - OWASP
theZoo · Malware Samples to Analyze -- ty @the_fire_dog
Malware Researcher's Handbook (Demystifying PE File) - InfoSec Resources
RPISEC/Malware: Course materials for Malware Analysis
Malware Analysis by Abstruse Goose
A Crash Course In DLL Hijacking -- EXCELLENT EXPLANATION
x64dbg: An open-source x64/x32 debugger for windows -- ALTERNATIVE TO IDA PRO
REMNUX V6 FOR MALWARE ANALYSIS (PART 2): STATIC FILE ANALYSIS
Microsoft security technology EMET used to disable itself (Feb. 2016)
The Ultimate Disassembly Framework -- Capstone
Malwarebytes 2.2.0.1024 DLL Hijacking (works on Win 2008 Server but not Win 10) -- SHOW TO CLASS
Win32 Assembly Cheat Sheet
Local Kernel-Mode Debugging - Windows 10 hardware dev
WinDbg tools and tutorials
pestudio: Malware Initial Assessment Tool
Identifying malware with PEStudio
A fundamental introduction to x86 assembly programming
Practical Malware Analysis Starter Kit
Introductory Intel x86: Architecture, Assembly, Applications - YouTube
Assembly Primer for Hackers (Part 1) System Organization Tutorial.mp4 - YouTube
Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)
GitHub - RPISEC/Malware: Course materials for Malware Analysis by RPISEC
Manalyzer: free online static analysis
WARNING: Tweet to download live Locky malware (BE CAREFUL)
Kwetza: infecting android applications -- MAKE INTO PROJECT
pwning bin2json | psych0tik
Microsoft/binskim: A binary static analysis tool that provides security and correctness results for Windows portable executables.
GitHub - GoSecure/malboxes: Builds malware analysis Windows VMs so that you don't have to.
pev - the PE file analysis toolkit -- MAY BE USEFUL FOR PROJECTS
pev Video Demo
Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax. -- TRY FOR PROJECTS
CS7038-Malware-Analysis by ckane
Reverse Engineering Malware 101 -- free online course

New Unsorted Links
My first SSDT hook driver
SSDT Hooking mini-library/example - RaGEZONE - MMO development community
Shadow SSDT Hooking with Windbg
Download Windows Driver Kit Version 7.1.0 from Official Microsoft Download Center
InstDrv plug-in - NSIS
Installing the AWS Command Line Interface
HowTo Export a VM in OVA format in VMware Fusion for OS X with ovftool
FLARE VM: The Windows Malware Analysis Distribution You've Always Needed!
pestudio -- USEFUL FOR MALWARE ANALYSIS
Dropper Analysis -- TEST FOR PROJECT
GUnpacker 0.5 | Generic Unpacker for RE of Malware
wsunpacker -- unpacks many formats
Ether: Online Malware Unpacker
Portable Executable File Corruption Preventing Malware From Running -- USE FOR PROJECTS
fireeye/flare-floss: FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Practical Malware Analysis Chapter 1 Lab Attempt - YouTube
Kernel Forensics and Rootkits
pestudio: Malware Initial Assessment Tool
Malware Analysis Tutorials: a Reverse Engineering Approach
Reversing Basics - A Practical Approach Using IDA Pro
Ch 8f: LiveKd for Virtual Machine Debugging -- Mark's Blog
ScyllaHide: conceals debuggers from malware
Process Doppelganging Malware Evasion Technique (from 2017) -- ty @lennyzeltser #IRespondCon
Processhacker: Monitor system resources, debug software and detect malware -- ty @lennyzeltser #IRespondCon
Invoke-DOSfuscation: Cmd.exe Command Obfuscation Tool -- ty @lennyzeltser #IRespondCon
olevba -- Extracts VBA Macros from Microsoft Office files -- ty @lennyzeltser #IRespondCon
Malware-Traffic-Analysis.net: A source for pcap files and malware samples -- ty Andrea Kaiser #IRespondCon
MalShare: A free Malware repository providing researchers access to samples, malicious feeds, and Yara results
VirusShare.com - Because Sharing is Caring
Detect It Easy -- Unpacker for Windows malware
CFF Explorer -- Malware Analysis Tool
pestudio -- malware analysis tool
Game Hacking: WinXP Minesweeper - Reverse Engineering
Automated Malware Analysis - Joe Sandbox
Ch 10n: About Dynamic-Link Libraries | Microsoft Docs
Ch 10n: Callback Objects | Microsoft Docs
Ch 10o: Using a Driver-Defined Callback Object | Microsoft Docs
Exeinfo PE by A.S.L - packer - compression detector and data detector
GitHub - horsicq/Detect-It-Easy: Detect it Easy
The Mac Malware of 2018 -- WITH SAMPLES
OALabs Malware Analysis Virtual Machine
Intro to Cutter for Malware Analysis
Three Heads are Better Than One: Mastering Ghidra
Top 10 Free Keyloggers for Windows
EgeBalci/Keylogger: Simple C Keylogger...
Understanding and Analyzing Carrier Files Workshop
Modern Windows Exploit Development.pdf
Rootkit analysis: Use case on HideDRV
TDSS part 1: The x64 Dollar Question
Bochs Hacking Guide
CFF Explorer -- use for malware analysis
Vergilius: Take a look into the depths of Windows kernels -- USE FOR PROJECTS
2020-10-15: Recommended Mandiant and FireEye Blogs
Malware_Reverse_Engineering_Handbook.pdf
Malware Samples for Students
Windows System Processes: An Overview For Blue Teams
Persistence AppInit DLLs - Penetration Testing Lab
The Art Of Mac Malware
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Labs | CyberDefenders ® | Blue Team CTF Challenges
A detailed analysis of ELMER Backdoor used by APT16 - CYBER GEEKS
Analyzing APT19 malware using a step-by-step method - CYBER GEEKS
Dissecting APT21 samples using a step-by-step approach - CYBER GEEKS
Detecting Mimikatz with Sysmon
Packing and Process Injection to Evade Windows Defender
GitHub - danzajork/evasion: Windows packer
Finding Privilege Escalation Vulnerabilities in Windows using Process Monitor - Wiki - VulWiki
Rootkits in Windows 10 - Windows security | Microsoft Docs
2022-02-11: Malware Analysis Series
Malware Analysis Tutorials: a Reverse Engineering Approach
Malware analysis CTF created by myself and @HBRH_314
Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code
How to Use the Slmgr activate and Slmgr rearm up to 8 times
DLL Hijack Libs
PMA 600: FLARE-ON 9 (2022) (requires password)
NASM Assembly Language Tutorials - asmtutor.com
How to Bypass Windows 11's TPM, CPU and RAM Requirements -- THIS WORKS
How to bypass internet connection to install Windows 11 -- THIS WORKS
Winbindex - The Windows Binaries Index
MVS Collection: Windows ISOs
WindowsProtocolTestSuites
Binary Refinery tutorial
Meterpreter vs Modern EDR(s) -- USE FOR PROJECT
Can't inject meterpreter shellcode in c code - Information Security Stack Exchange
Ring Zero Labs: Godbolt: Your Gateway to Learning Reverse Engineering
Decompiler Explorer
Symbolic Execution for the Win: Pwning CTFs with angr
Any.Run Analysis -- USE FOR PROJECTS
Unveiling LummaC2 stealer's novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection - Outpost24