What You Will Learn
As defenders hone their analysis skills and automated malware detection capabilities improve, malware authors have worked harder to achieve execution within the enterprise. The result is malware that is more modular with multiple layers of obfuscated code that executes in-memory to reduce the likelihood of detection and hinder analysis. Malware analysts must be prepared to tackle these advanced capabilities and use automation whenever possible to handle the volume, variety and complexity of the steady stream of malware targeting the enterprise.
FOR710: Advanced Code Analysis continues where the FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course leaves off, helping students who have already attained intermediate-level malware analysis capabilities take their reversing skills to the next level. Authored by SANS Certified Instructor Anuj Soni, this course prepares malware specialists to dissect sophisticated Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe.
Developing deep reverse-engineering skills requires consistent practice. This course not only includes the necessary background and instructor-led walkthroughs, but also provides students with numerous opportunities to tackle real-world reverse-engineering scenarios during class.
"As malware gets more complicated, malware analysis has as well. In recent years, malware authors have accelerated their production of dangerous, undetected code using creative evasion techniques, robust algorithms, and iterative development to improve upon weaknesses. Proficient reverse engineers must perform in-depth code analysis and employ automation to peel back the layers of code, characterize high-risk functionality and extract obfuscated indicators." - Anuj Soni
FOR710 Advanced Code Analysis Will Prepare You To:
- Tackle code obfuscation techniques that hinder static code analysis, including the use of steganography.
- Identify the key components of program execution to analyze multi-stage malware in memory.
- Identify and extract shellcode during program execution.
- Develop comfort with non-binary formats during malware analysis.
- Probe the structures and fields associated with a PE header.
- Use WinDBG Preview for debugging and assessing key process data structures in memory.
- Identify encryption algorithms in ransomware used for file encryption and key protection.
- Recognize Windows APIs that facilitate encryption and articulate their purpose.
- Create Python scripts to automate data extraction.
- Use Dynamic Binary Instrumentation (DBI) frameworks to automate common reverse engineering workflows.
- Write scripts within Ghidra to expedite code analysis.
- Correlate malware samples to identify similarities and differences between malicious binaries and track the evolution of variants.
- Build rules to identify, group and classify malware.
- Code deobfuscation
- Program execution
- Shellcode analysis
- Multi-stage malware
- WinDbg Preview
- Encryption algorithms
- Python scripting for malware analysis
- Dynamic Binary Instrumentation (DBI) Frameworks
- Payload and config extraction
- Scripting with Ghidra
- Malware correlation
- YARA rules
- Capa rules
What You Will Receive With This Course:
- Windows 10 VM with pre-installed malware analysis and reversing tools.
- Real-world malware samples to examine during and after class.
- Coursebooks and workbook with detailed step-by-step exercise instruction.
Syllabus (30 CPEs)
Malware authors complicate execution and obfuscate code to hide data and hinder analysis. Using evasion techniques and in-memory execution, malicious developers continue to thwart detection and complicate reverse-engineering efforts. To facilitate an in-depth discussion of code deobfuscation and execution, this section first discusses the creative use of steganography to hide malicious content. Then, we discuss the key steps in program execution, so we can identify how code is launched and label functions accordingly. This includes a review of the Windows loader and an inspection of the Portable Executable (PE) file format. Finally, we cover how to analyze shellcode with the support of WinDbg Preview, a powerful Windows debugger.
- Investigating Code Deobfuscation Using Steganographic Techniques
- Analyzing Malicious Program Execution
- Analyzing Shellcode Execution
- Analyzing Code Deobfuscation
- Steganography approaches
- Key assembly operations
- Multi-component malware
- Windows memory allocation
- Identifying Program Execution
- Portable Executable (PE) headers and fields
- Key steps in program execution
- Memory-mapped files
- Entry point identification
- Understanding Shellcode Execution
- Identifying and extracting shellcode
- API hashing
- The Process Environment Block (PEB) and related structures
- WinDbg Preview for shellcode analysis
This section tackles a critical area of reverse-engineering malware: the use of encryption in malware. Cryptography is used by adversaries for a variety of reasons, including to encrypt files, protect keys, conceal configuration settings, and obfuscate command and control (C2) communications. To perform comprehensive investigations of high-impact malware, skillful reverse engineers must be prepared to investigate routines that implement encryption and articulate their purpose.
- Encryption Essentials Knowledge Quiz
- Identifying File Encryption and Key Protection in Ransomware
- Analyzing Data Encryption In Malware
- Encryption Essentials
- Use cases for crypto usage in malware
- Symmetric vs. asymmetric encryption
- Block vs. stream ciphers
- Modes of operation
- Common algorithms in malware
- Microsoft CryptoAPI
- File Encryption and Key Protection
- Identifying algorithms in code
- Common implementations in malware
- Locating encryption functions
- Differentiating similar ciphers
- Data Encryption in Malware
- Common use cases for data encryption in malware
- Symmetric algorithms used for data protection
- Identifying the cipher
- Extracting key information
- Decrypting data
In this section, we discuss how to write scripts to automate our analysis. We introduce key aspects of Python scripting and write code to automate some of our work from prior sections. Next, we introduce Dynamic Binary Instrumentation (DBI) Frameworks and examine how DBI tools can complement and automate common reverse engineering workflows. We apply our knowledge of Python to automatically extract payloads and configs, accelerate debugging efforts, and support static code analysis with Ghidra.
- Writing a static config extractor in Python
- Automating payload extraction with Frida
- Matching code using Ghidra's FID Feature
- Writing a Ghidra script to decode content
- Python for Malware Analysis
- Using Visual Studio Code
- Key syntax
- File Input and Output
- Key modules for PE file analysis
- Creating scripts for code and data extraction
- Malware Analysis with Dynamic Binary Instrumentation (DBI) Frameworks
- Using DBI frameworks to automate debugging
- Writing DBI tools to decrypt data and dump code
- Automating Analysis within Ghidra
- Creating Function ID (FID) Databases
- Scripting with Ghidra
- Deobfuscating content during static code analysis
Correlation analysis helps identify similarities and differences between malware samples. This provides insight into code reuse and facilitates the creation of YARA and capa rules, allowing an organization to track malware families. Correlation analysis ranges from straightforward hash comparisons to more complex attempts to pinpoint function-level differences. We discuss several approaches to diffing binaries and assess their benefits and limitations.
- Describe the similarities and differences between multiple malware samples.
- Build YARA rules to identify a group of malware samples.
- Build capa rules to identify specified algorithms and malware techniques.
- Correlation Analysis
- Detecting code reuse
- Identifying malware families
- Correlation techniques
- Binary diffing
- Building YARA Rules
- Best practices for rule creation
- Opportunities for automation
- Building capa Rules
- Best practices for rule creation
The fifth and final section of this course gives students an opportunity to flex their new knowledge and skills in a more independent, competitive environment. Participants log onto a CTF platform, where they are presented with a combination of multiple choice and short-answer challenges. Students must recall key concepts and perform workflows we discussed in class to successfully navigate the tournament and accumulate points. Whether or not competition motivates you, this section presents an excellent opportunity to analyze real-world, complex malware samples and reinforce your new advanced code analysis skills.
FOR710 is an advanced-level Windows reverse-engineering course that skips over introductory and intermediate malware analysis concepts.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
This is common sense, but we will say it anyway: back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS cannot be responsible for your system or data.
MANDATORY FOR710 SYSTEM HARDWARE REQUIREMENTS:
- CPU: a 64-bit Intel i5/i7 (4th generation or newer) x64 processor running at 2.0+ GHz, or a more recent processor, is mandatory for this class. Important - Please Read: a 64-bit system processor is mandatory.
- It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machines will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VT". Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it before class!
- 16 GB (Gigabytes) of RAM or higher is mandatory for this class. Important - Please Read: 16 GB of RAM is the minimum; more is recommended.
- USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. Therefore, a Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.
- 200 Gigabytes of Free Space on your System Hard Drive. Free Space on Hard Drive is critical to host the VMs we distribute.
- Local Administrator access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- Wi-Fi 802.11 capability is mandatory. You'll need to connect to an in-class Wi-Fi network when participating in this course at a live event. Without working Wi-Fi, you'll be unable to participate in important aspects of the course.
MANDATORY FOR710 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS:
- Host Operating System: Your system must be running Windows 10 Pro, Linux, or macOS 10.14 or later, and it must be able to install and run the VMware virtualization products described below.
- It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
- Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
- Download and install 7-Zip (for Windows Hosts) or Keka (macOS). Without these extraction tools, you'll be unable to extract large archives we'll supply to you in class.
INSTALL VMWARE "PRO" SOFTWARE:
- Download and install the latest version of VMware Workstation Pro or VMware Fusion Pro before class. Our students have experienced compatibility issues between VMware and the latest underlying OS unless they were also using the latest version of VMware. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
- You must get the versions of the products that have "Pro" in their name. The free non-Pro versions of these products (e.g., VMware Workstation Player) are not sufficient for this course because they do not support snapshot functionality, which we will need to use.
- Other virtualization software, such as VirtualBox and Hyper-V, is not appropriate because of compatibility and troubleshooting problems you might encounter during class.
- VMware Workstation Pro on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions from VMware.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.