Malware Reverse Engineering by Development (Online Training)

Learn malware reverse engineering skills in IDA and x64dbg by developing a Windows 11 DLL backdoor in VS2022 and analyzing what you’ve built. All the source code will be provided by the instructor for several versions of the backdoor with increasing levels of anti-analysis protections, so you can approach the RE challenge at whatever skill level you prefer: from hard mode (analyzing the release build with no PDB), to using the debug build as a help, to simply reading the source and matching it to the x86 instructions. You will build the same DLL for both 32-bit and 64-bit architectures to see the difference in the resulting assembly.

Learning Objectives

During the course of this class, learners will have the opportunity to gain the following skills, if they choose to participate fully:

  1. Using Microsoft Windows 11 Developer VM (free) and Visual Studio 2022 (free), write and compile a very simple DLL file for Windows in C that writes content to a file on disk.
  2. Run DLL files from the command line using rundll32.
  3. Using IDA Free 7, perform static code analysis of a very simple DLL file and explain its purpose.
  4. Using x32dbg, set breakpoints and step through the instructions of a simple DLL file while it runs under rundll32.
  5. Create a Microsoft 365 Developer Tenant (free) for testing MSTeams, etc.
  6. Use vcpkg to install static libraries for libcurl and cJSON in Visual Studio 2022.
  7. Modify the C code of a simple DLL project to send a simple message through Microsoft Teams via a webhook URL.
  8. Using IDA Free and x32dbg, analyze the new version of the DLL and find the instructions responsible for network connections.
  9. Using C source code provided by the instructor, modify the DLL project to be a typical Remote Access Trojan (RAT) capable of running commands, listing files and processes, and reporting the output to a Command-and-Control server.
  10. Modify the DLL to allow execution using rundll32, regsvr32, and msiexec.
  11. Using IDA Free and x32dbg, analyze the relevant portions of the RAT to identify the main command loop, commands recognized, network connections, and behavior-based indications of compromise that could be used by threat hunters and security engineers.
  12. Write a tactical malware analysis report, focusing on actionable details.
  13. Provide constructive feedback to another student about their malware analysis report.
  14. Analyze another student’s version of the DLL with a few minor modifications and identify the relevant changes in functionality added by the other student.
  15. Using strings and FLOSS, extract strings from a compiled executable file.
  16. Using Python and C source code provided by the instructor, modify the DLL file to XOR encode some of the strings in the DLL project.
  17. Using IDA Free, analyze the XOR decoding function in another student’s DLL to find the key bytes and decode the encoded strings.
  18. Using C code provided by the instructor, modify the DLL project to detect when it is being run in a virtual machine or debugger, causing the DLL to modify its behavior when analyzed.
  19. Using IDA Free and x32dbg, recognize the anti-analysis code in the DLL and patch the instructions to bypass the protections and analyze it anyway.

Bonus Learning Objectives (if time permits):

  1. Modify the DLL to load Windows API functions dynamically using hashed DLL and API function names.
  2. Using IDA Free, recognize the API hashing/loading code and reverse-engineer the hashing function to find the libraries that the malware loads.
  3. Learn to use Ghidra as an alternative to IDA.
  4. Modify the DLL to inject code into another process and analyze the result.
  5. Implement RC4 encryption and recognize the algorithm in assembly.
  6. Implement a simple packer/crypter that contains an RC4-encrypted copy of the RAT DLL payload as a resource file, extracts and decrypts it, saves the DLL to disk and executes it with rundll32.
  7. Modify the packer/crypter to execute the unpacked DLL from memory instead of writing it to disk.
  8. Use Hasherezade’s PE-sieve to dump payloads from memory and analyze them with IDA or Ghidra.
  9. Write a PowerShell script that uses Reflective DLL injection to download and execute the DLL payload from memory.
  10. Write a Visual Basic for Applications (VBA) macro in a Microsoft Word document that will execute a PowerShell script.
  11. Analyze another student’s PowerShell & VBA loader and obtain the final payload for analysis.
  12. Write an advanced malware analysis report and provide constructive feedback.

About the Speakers