Analyzing malware in a sandbox doesn’t require much prior knowledge, but the results are limited to what the sample happens to do while you watch. The next step in reverse engineering is to dive into the assembly code to understand a sample's full potential, not just what can be observed dynamically. There are many resources for learning assembly, but it is difficult to learn from a book. Books explain what each instruction does, which leaves a large gap in understanding how individual instructions relate back to the original source code.
This course will teach the basics of assembly, but more importantly, how to view those instructions as source code. The final outcome is to get you thinking of reading assembly as simply reading source code, only in a low level language instead of C. The focus isn’t on assembly in general, it is on the skills related to malicious assembly code. All of our examples are algorithms found in malware. You should come away with tangible skills that can be applied directly to reverse engineering malware, not academic skills you need to translate to malware analysis on your own.
This is a lab-intensive workshop. There are 2.5 hours of briefings to teach the theory, and the rest of the time is spent in labs practicing the implementation. Each lab builds on the skills of the previous lab, up to the final capstone project, where we perform a mock analysis of a piece of malware. Every lab includes an instructor walkthrough so you can compare your efforts to an optimal approach.
The class is split into 4 sections: assembly fundamentals, common programming patterns, treating assembly as code, and the capstone project.
Assembly fundamentals covers more than just the basic instructions. We will talk about tool alternatives, essential instructions, recognizing conditional statements in assembly, calling conventions, common APIs, inlined library calls, and more.
The common programming patterns section outlines the algorithms you need to know for analyzing malware and how they look in assembly. We will review patterns for networking, parsing command line arguments, anti-analysis techniques, and dynamically resolving APIs.
Treating assembly as code discusses how to combine the basics into an analysis methodology: which instructions are key, which can be skipped, how long to spend on specific parts, how to look for capabilities rather than individual instructions, and so on.
The capstone project is the analysis of a mock malware sample to show how everything is put together in a realistic manner.
What You’ll Learn
Upon completion of the course, students will have learned:
- The fundamentals of assembly
- How to relate assembly instructions back to the original source code
- How to interpret, rather than just read, blocks of assembly instructions
- Key focus areas and what can be ignored when reading assembly
- A beginning strategy for statically reviewing malicious assembly code
Students should have an entry-level understanding of programming in any language. A general idea of the goals of malware analysis will be helpful, but is not necessary.
Students will need a 64-bit computer with:
- VirtualBox or VMWare Workstation installed (VMWare Workstation Player is
- 25GB of free disk space to install a provided analysis VM
- 8GB of RAM
- 1 USB slot
- Internet Connectivity
- Briefing: Malware Analysis Background
- Briefing: Assembly Fundamentals
- Lab 1: Assembly Fundamentals
- Lab 2: Applying The Fundamentals
- Briefing: Common Programming Patterns
- Lab 3: Common Programming Patterns
- Briefing: Basic Static Analysis: Converting Assembly To Pseudocode
- Lab 4: Capstone