Retired beginner/intermediate malware analysis training materials from @pedramamini and @erocarrera. This course was last given in 2010 and the materials were open sourced in 2020. Written in LaTeX + Beamer, the course materials can be rendered in slideshow and article modes.
Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
What You Will Learn
This course was designed for students who have an introductory / basic understanding of x86 assembly and reverse engineering as well as more advanced students wishing to refresh their skills and learn new approaches to familiar problems. The course will cover the basics of x86 assembly and pattern recognition, Windows process memory layout, tools of the trade (such as IDA Pro and OllyDbg), the PE file format and basic exploitation methodologies abused by worms to penetrate a target system (stack/heap overflows). As this course is focused on malicious code analysis, students will be given real-world virus samples to reverse engineer. The details of executable packing, obfuscation methods, anti-debugging and anti-disassembling will be revealed and re-enforced with hands-on exercises.
Toward the end of the course more advanced reverse engineering techniques with applications to malicious code analysis will be taught—including:
- Various approaches to automation
- Malware classification
- Applications of binary matching/diffing
This is a two-day course where the notion of "rapid response" is taken into consideration with each aspect, focusing on techniques and methodologies that can be applied in a timely and effective manner. We will force you to learn shortcuts and put your mouse to rest. At the completion of this course, students will walk away with applicable real world knowledge that can be directly applied to various reverse engineering related tasks, especially with regards to malicious code analysis.
How the Course is Run
This course is by no means a two-day lecture. Instead, you will be engaged in a number of individual and group hands-on exercises to reinforce and solidify everything that is taught in the class. Some of the exercises are held in a competitive nature, followed by class discussion to pin point elegant approaches and solutions that various individuals or groups may have used. Despite the fact that the course is held in Vegas, take home exercises will be available for the type-A personalities attending the course.
Who Should Attend
If you are interested in the field of reverse engineering, want to learn how to dissect unknown code faster, want to discuss cutting edge technologies, techniques and ideas, or simply want to impress your friends ... then this class is for you.
Aside from direct class materials, slides and hands-on exercises, students will have many opportunities to engage in one-on-one questions with instructors. Furthermore, students will be divided into groups by experience to foster student-student knowledge transfer as well.
Prospective students should be comfortable operating Microsoft Windows and have a basic understanding of x86 assembly and high level programming and OS concepts.
Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.
Pedram currently leads the Zero Day Initiative at TippingPoint, a division of 3Com. Previous to TippingPoint, he was the assistant director and one of the founding members of iDEFENSE Labs. Despite the fancy titles he spends much of his time in the shoes of a reverse engineer- developing automation tools, plug-ins and scripts for software like IDA Pro and OllyDbg.
In conjunction with his passion for the field, he launched OpenRCE.org, a community website dedicated to the art and science of reverse engineering. He has previously presented at DEFCON, RECon, ToorCon and taught a sold out reverse engineering course at Black Hat US 2005. Pedram holds a computer science degree from Tulane University.
Ero is currently a reverse engineering automation researcher at SABRE Security, home of BinDiff and BinNavi. Ero has previously spent several years as a Virus Researcher at F-Secure where his main duties ranged from reverse engineering of malware to research in analysis automation methods. Prior to F-Secure, he was involved in miscellaneous research and development projects and always had a passion for mathematics, reverse engineering and computer security.
While at F-Secure he advanced the field of malware classification introducing a joint paper with Gergely Erdelyi on applying genomic methods to binary structural classification. Other projects he's worked on include seminal research on generic unpacking.
Additionally, Ero is a habitual lurker on OpenRCE and has contributed to miscellaneous reverse engineering tools such as pydot, pype, pyreml and idb2reml.