Packed malware hides its real code, strings and imports behind layers of obfuscation and often carries anti-debugging techniques to defeat sandbox analysis. Unpacking with tricks works on the simple cases, but malware is continually updated to defeat those tricks. If you want to defeat sophisticated malware, you can’t rely on tricks. You need to understand the packing process well enough to walk through it manually, watching for the key indicators that tell you when unpacking has completed and circumventing any anti-debugging techniques along the way. Luckily, all packers use the same basic methodology. This workshop teaches that methodology so that you’ll be able to unpack any sample.
The day is split into two sessions: one for commercial packers such as UPX, ASPACK, etc., and one for custom packers. Together they provide a broad understanding of how to unpack most malware seen in the wild. Each session starts with a briefing on the fundamental principles of how malware packers are structured. The main points covered are:
- Packer definitions
- Anatomy of a packer
- Unpacking steps
- Identifying characteristics
- Reversing methodology
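Before stepping through a stub, an analyst first confirms that a sample is packed at all, and the static indicators used for that are the same ones the briefing's "identifying characteristics" point at. The script below is an added example, not part of the course material: a minimal PE section walker (standard library only) that computes per-section Shannon entropy and reports an entry point outside the first section, sections that are both writable and executable, a section with no file data but a large executable virtual size (the destination the stub decompresses into), and well-known packer section names. The two sample images are constructed inline as synthetic, non-runnable headers, not real binaries; the section-name list, the 7.0 entropy threshold and the helper names are assumptions.

```python
"""Static indicators that a PE is packed (added example with constructed samples)."""
import hashlib
import math
import struct
from collections import Counter

# Assumed list of section names left behind by common commercial packers.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b".petite", b".MPRESS1", b".MPRESS2"}
HIGH_ENTROPY = 7.0                 # assumed threshold; compressed data sits near 8.0
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / _WRITE


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Minimal PE walker: returns (AddressOfEntryPoint, list of section dicts)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append({"name": pe[off:off + 8].rstrip(b"\0"), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "data": pe[rawptr:rawptr + rawsize]})
    return entry_rva, sections


def packer_indicators(pe: bytes) -> list:
    """Return human-readable findings; an empty list means nothing looked packed."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    entry_idx = next((i for i, s in enumerate(sections)
                      if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])),
                     None)
    if entry_idx is None:
        findings.append("entry point 0x%x is outside every section" % entry_rva)
    elif entry_idx != 0:
        findings.append("entry point in section %r (index %d), not the first section"
                        % (sections[entry_idx]["name"], entry_idx))
    for s in sections:
        name = s["name"]
        if name in PACKER_SECTION_NAMES:
            findings.append("section %r has a known packer name" % name)
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXECUTE:
            findings.append("section %r is writable and executable" % name)
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000 and s["chars"] & SCN_EXECUTE:
            findings.append("section %r has no file data but 0x%x bytes of executable "
                            "memory (likely unpack destination)" % (name, s["vsize"]))
        ent = shannon_entropy(s["data"])
        if s["rawsize"] and ent > HIGH_ENTROPY:
            findings.append("section %r entropy %.2f (compressed or encrypted)" % (name, ent))
    return findings


def build_sample_pe(sections, entry_rva) -> bytes:
    """Assemble a synthetic, non-runnable PE32 image from (name, vaddr, vsize, data, chars)."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_off = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    headers, blobs = b"", b""
    for name, vaddr, vsize, data, chars in sections:
        rawptr = raw_off + len(blobs) if data else 0
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(data), rawptr,
                               0, 0, 0, 0, chars)
        blobs += data
    return dos + b"PE\0\0" + coff + bytes(opt) + headers + blobs


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed sample shaped like a UPX-packed file: empty UPX0 destination,
# high-entropy UPX1 holding the stub plus compressed image, entry point in UPX1.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0",  0x1000,  0x10000, b"", 0xE0000080),
    (b"UPX1",  0x11000, 0x3000,  _pseudo_random(0x1000), 0xE0000040),
    (b".rsrc", 0x14000, 0x200,   b"\0" * 0x100 + b"MUI\0" * 8, 0x40000040),
], entry_rva=0x11100)

# Constructed unpacked layout: low-entropy code in .text, entry point in .text.
CLEAN_SAMPLE = build_sample_pe([
    (b".text", 0x1000, 0x800, b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08"
                              b"\x33\xc0\x5f\x5e\x5b\x8b\xe5\x5d\xc3" * 50, 0x60000020),
    (b".data", 0x2000, 0x200, b"hello\0world\0" * 16, 0xC0000040),
], entry_rva=0x1010)

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(sample) or ["no indicators"])
```

To run it against a real file, pass `open(path, "rb").read()` to `packer_indicators` instead of the constructed samples. The findings only say that a file is probably packed and where the stub and its destination live; they do not tell you which packer was used or where the OEP is, which is exactly what walking the stub in a debugger, as the briefings describe, is for.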
Once the academic portion is over, the rest of the time is dedicated to labs, where you practice applying the unpacking process using what you learned in the briefing. The labs use live malware samples, not toy instructional samples. You are meant to struggle through them and may not find the OEP on the first attempt.
Each lab is followed by an instructor walkthrough that demonstrates the full unpacking process. Pairing live samples that get you stuck with a step-by-step walkthrough is meant to maximize learning: you see the complete approach needed to unpack the sample, and you also see which aspects caused you problems and how the instructor overcomes them.
You will be given a solution guide for each sample that fully outlines every major action the unpacking stub performs. You can use these guides to review the samples on your own afterwards and spend more time analyzing them to reinforce the concepts learned in this course.
What You’ll Learn
Upon completion of the course, students will have learned:
- A methodology for manually unpacking malware to find the OEP
- How to recognize the identifying characteristics of each unpacking step
- What to focus on and what to ignore when manually unpacking a file
- How an experienced analyst manually unpacks a file
This is an advanced class intended to expand students’ analysis arsenal. It is not a class to teach the basics of reading assembly or analyzing malware.
Students need to be proficient in reading and debugging x86 assembly code. No previous experience with analyzing packed malware is necessary.
Students will need a 64-bit computer with:
- VirtualBox or VMware Workstation installed (VMware Workstation Player is
- 25GB of free disk space to install a provided analysis VM
- 8GB of RAM
- 1 USB slot
- Internet Connectivity
- Briefing: General Packer Background
- Briefing: Commercial Packers Overview
- Lab 1: Commercial Packer
- Lab 2: Commercial Packer
- Lab 3: Commercial Packer
- Briefing: Custom Packer Overview
- Lab 4: Custom Packer
- Lab 5: Custom Packer