SANS Cyber Security Central: Feb 2022
As defenders hone their analysis skills and automated malware detection capabilities improve, malware authors have worked harder to achieve execution within the enterprise. The result is malware that is more modular with multiple layers of obfuscated code that executes in-memory to reduce the likelihood of detection and hinder analysis. Malware analysts must be prepared to tackle these advanced capabilities and use automation whenever possible to handle the volume, variety and complexity of the steady stream of malware targeting the enterprise.
FOR710: Advanced Code Analysis continues where FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course leaves off, helping students who have already attained intermediate-level malware analysis capabilities take their reversing skills to the next level. Authored by SANS Certified Instructor Anuj Soni, this course prepares malware specialists to dissect sophisticated 32 and 64-bit Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe.
“As malware gets more complicated, malware analysis has as well. In recent years, malware authors have accelerated their production of dangerous, undetected code using creative evasion techniques, robust algorithms, and iterative development to improve upon weaknesses. Proficient reverse engineers must perform in-depth code analysis and employ automation to peel back the layers of code, characterize high-risk functionality and extract obfuscated indicators.” – Anuj Soni
FOR710 Students will learn, among other topics, how to:
- Tackle code obfuscation techniques that hinder static code analysis, including the use of steganography.
- Identify the key components of program execution to analyze multi-stage malware in memory.
- Identify and extract shellcode during program execution.
- Develop comfort with non-binary formats during malware analysis.
- Probe the structures and fields associated with a PE header.
- Use WinDBG Preview for debugging and assessing key process data structures in memory.
- Identify encryption algorithms in ransomware used for file encryption and key protection.
- Recognize Windows APIs that facilitate encryption and articulate their purpose.
- Create Python scripts to automate data extraction.
- Use Dynamic Binary Instrumentation (DBI) frameworks to automate common reverse engineering workflows.
- Write scripts within Ghidra to expedite code analysis.
- Correlate malware samples to identify similarities and differences between malicious binaries and track the evolution of variants.
This course assumes some prior exposure to the Ghidra reverse engineering framework. If you're not familiar with this capability, consider watching this brief introduction by Anuj Soni