Applied Emulation - A Practical Approach to Emulating Malware

Presented at DEF CON 31 (2023), Aug. 10, 2023, 9 a.m. (240 minutes)

Binary emulation is now a must-have tool for malware analysts. With a few lines of Python you can unpack binaries, skip analysis of complex algorithms, and automatically extract the configuration data from malware! It’s not too good to be true, but there is a little preparation work involved… In this workshop you will set up your own emulation environment (using Python) and work through a series of common malware analysis tasks such as unpacking and malware configuration extraction. The workshop starts simple, using Unicorn to emulate x86 shellcode, and builds to a final project where syscall hooking is used with Dumpulator to automatically extract C2s from malware.

This workshop is aimed at malware analysts and reverse engineers who are interested in learning more about emulation and how it can be used to automate some reverse engineering workflows. Students must be able to write basic Python scripts and have a working knowledge of the Windows OS. Familiarity with Windows malware, assembly, and debugging is strongly recommended. If you have opened malware in a debugger before you will feel right at home here.

You will be provided with detailed virtual machine setup instructions prior to the workshop. Please make sure to bring a laptop that meets the following requirements.

  • Your laptop must have VirtualBox or VMWare installed and working prior to the start of the course.
  • Your laptop must have at least 60GB of disk space free.
  • Your laptop must also be able to mount USB storage devices. (Make sure you have the appropriate dongle if you need one.)

Skill Level: Intermediate

Prerequisites for students:

  • Students must be able to write basic Python scripts and have a basic understanding of the Windows operating system.
  • Familiarity with Windows malware, debugging, and assembly would also be a significant benefit.

Materials or Equipment students will need to bring to participate:

Students must bring a laptop capable of running a Windows virtual machine with the following configuration. Time will be given to troubleshoot lab setup issues, but it is strongly recommended that students have the following setup prior to the workshop.

[Host Setup]
  • The laptop must have VirtualBox or VMWare installed and working prior to class.
  • The laptop must have at least 60GB of disk space free.
  • The laptop must be able to mount USB storage devices (ensure you have the appropriate dongle if you need one).

[VM Install]
  • Download a free Windows 11 VM from Microsoft (https://developer.microsoft.com/en-u...tual-machines/)
  • You can also use a Windows VM of your choice (Windows 10 is also ok)

[VM Install for Mac - Apple Silicon Only (M1, M2)]
  • If you have a new Apple Silicon MacBook you are limited to running an ARM Windows VM
  • ARM Windows VMs are suitable for the workshop and you can follow our installation guide on YouTube (https://youtu.be/0eR8yrDLV5M)

[VM Setup]
  • Install x64dbg in your VM (https://x64dbg.com/)
  • Install a free version of IDA in your VM (https://hex-rays.com/ida-free/)
  • Install a version of Python > 3.8.x in your VM (https://www.python.org/)

Presenters:

  • Sean Wilson - Co-Founder at OpenAnalysis Inc
    Sean, a co-founder of OpenAnalysis Inc., splits his time between reverse engineering, tracking malware and building automated malware analysis systems. Sean brings over a decade of experience working in a number of incident response, malware analysis and reverse engineering roles.
  • Sergei Frankoff - Co-founder at OpenAnalysis Inc
    Sergei is a co-founder of OpenAnalysis Inc. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis, and producing tutorials for the OALABS YouTube channel. With over a decade in the security industry Sergei has extensive experience working at the intersection of incident response and threat intelligence.