malware_fridays
— | malware_fridays [2013/08/13 12:13] (current) – created - external edit 127.0.0.1 | ||
Line 1: | Line 1: | ||
+ | <!-- Uncomment below if you want to have the automatic next meeting template appear --> | ||
+ | <!-- {{recurring event | ||
+ | |name=Malware Friday | ||
+ | |dayoffset=27 | ||
+ | }} --> | ||
+ | **Malware Friday** is an event open to anyone who wishes to learn more about reverse-engineering as well as dissecting, understanding and de-fanging malware. It occurs on the last Friday of every month unless otherwise noted. | ||
+ | |||
+ | ====== | ||
+ | |||
+ | To participate in the malware analysis part of Malware Fridays, you need to meet the following pre-requisites: | ||
+ | * Knowledge of assembly. | ||
+ | * A majority of the samples will be for Windows, so knowledge of x86 is preferred. | ||
+ | * Navigating a binary through a debugger such as OllyDBG, WinDBG or IDA. | ||
+ | * Basic knowledge of the Windows PE file format. | ||
+ | * The PE format gets super-complicated (especially with packers), but basic understanding should be sufficient to navigate most situations. | ||
+ | * Basic understanding of the concepts behind reverse-engineering. | ||
+ | Optional things to know: | ||
+ | * Anti-debug techniques. | ||
+ | * Anti-reversing techniques. | ||
+ | * Compiler theory. | ||
+ | * Knowledge of compiler theory is EXTREMELY useful for reverse-engineering. If you at least meet this requirement, | ||
+ | |||
+ | To meet these pre-requisites, | ||
+ | |||
+ | To participate in the learning half of Malware Friday, all you need is to bring yourself and a brain. Preferably you're going to want to bring something to take notes with, but other than that all you need is to take a seat and listen. | ||
+ | |||
+ | ====== | ||
+ | |||
+ | The first hour is dedicated to the basics of reverse-engineering and assembly. This is for those who wish to participate in the actual reverse-engineering and dissection of a given piece of nastiness but don't quite have the skills and knowledge. Since this event attracts such a wide audience with an immense interest in learning, this is necessary to bring everyone up to speed. During this hour, the following topics will be covered in an interactive lecture format: | ||
+ | * Assembly basics (x86, ARM, etc.) | ||
+ | * Deriving higher-level code from blocks of assembly | ||
+ | * Anti-debug techniques | ||
+ | * Anti-reversing techniques | ||
+ | * Unpacking binaries | ||
+ | * Patching binaries (colloquially: | ||
+ | |||
+ | After this hour, the real fun begins with the sample of the month, provided by [[Vyrus]], [[frank^2]], | ||
+ | |||
+ | ====== | ||
+ | There are a plethora of tools at your disposal to dissect and understand what's going on in a given binary. This is a rudimentary list of the basics you may need when going about your business. | ||
+ | ===== Virtual Machines | ||
+ | ==== VMware | ||
+ | **[[http:// | ||
+ | ==== VirtualBox | ||
+ | **[[http:// | ||
+ | ==== Parallels Desktop | ||
+ | **[[http:// | ||
+ | ===== Debuggers | ||
+ | In this context, a " | ||
+ | ==== OllyDBG | ||
+ | > //OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is a shareware, but you can download and use it for free.// | ||
+ | |||
+ | **[[http:// | ||
+ | |||
+ | ==== IDA Pro ==== | ||
+ | > //IDA Pro is a Windows or Linux hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.// | ||
+ | |||
+ | **[[http:// | ||
+ | |||
+ | ====== | ||
+ | ===== August 27, 2010 ===== | ||
+ | * First Malware Friday ever! | ||
+ | * Found out that not many people even knew assembly... whoops! | ||
+ | * Walk-thru of Israel Torres' | ||
+ | * All you really care about here is the < | ||
+ | ===== September 24, 2010 ===== | ||
+ | * Came prepared to give a lecture on assembly... no one here to lecture to! Well that makes things fast. | ||
+ | * Analyzed a malicious PDF which dropped an EXE. ([[http:// | ||
+ | * Fuckin' | ||
+ | * Unpacked it! ([[http:// | ||
+ | * On top of being packed with UPX, this also uses a custom protector that eventually dumps a bunch of unpacking code to a randomly allocated space in memory via VirtualAllocEx. You can see this in action by setting a breakpoint on 0x00405860 after UPX has done its thing will allow you to figure out where it's going. | ||
+ | * Once in the memory section called by VirtualAllocEx, | ||
+ | ===== January 28, 2011 ===== | ||
+ | * Malware Friday has survived the holiday slaughter. | ||
+ | * STORM WORM 5000 BROUGHT TO YOU BY THE NUMBER ONE MALWARE TEAM IN THE GREATER LOS ANGELES AREA: *NULL SPACE LABS* ([[http:// | ||
+ | * VM image now up on boobies: \\\\boobies\\Malware Friday\\Reversing Image.rar | ||
+ | |||
+ | ====== | ||
+ | * [[Recommended Reading]] | ||
+ | * [[Recommended Viewing]] | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
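Review bot: under the September 24, 2010 notes, the bullet about the breakpoint on 0x00405860 is both ungrammatical and under-specified; "setting a breakpoint on 0x00405860 after UPX has done its thing will allow you to figure out where it's going" should read "set a breakpoint on 0x00405860 once the UPX stub has finished; from there you can see where it's going", and since that address is only meaningful for this one sample loaded at its default image base, the bullet should say so (and, ideally, name the unpacked sample it was taken from) rather than leaving it as a bare number. In the same spirit, the Virtual Machines section lists three hypervisors but says nothing about how the analysis guest should be set up; given that the meeting notes link live samples, one line recommending a clean snapshot before each run and host-only networking on the guest would make the tools section far more useful to the "learning half" audience the page targets.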
malware_fridays.txt · Last modified: 2013/08/13 12:13 by 127.0.0.1