DotNet Malware Analysis Masterclass

Presented at DEF CON 31 (2023), Aug. 10, 2023, 2 p.m. (240 minutes)

DotNet based malware originally started out as a novelty, but has shown it is here to stay. With DotNet malware being used by APT actors, script kiddies, and everyone in between, it is safe to say that one will encounter it sooner rather than later. This four-hour workshop primarily focuses on the analyst mindset and fundamental knowledge, including topics such as loaders, unpacking, obfuscation, DotNet internals, and (un)managed hooks. In short, one will learn how to analyse DotNet malware and how to write automatic unpackers. As such, this class is perfect for aspiring and beginning analysts, while also providing background information and additional techniques for intermediate analysts. The workshop's materials will partially consist of actual malware samples; the precautions for handling them will be explained in detail during the workshop, ensuring the safety and integrity of the attendees' systems. Attendees need a laptop with a preinstalled Windows 10 (trial) VM, along with the community edition of Visual Studio (2019 or later) and the DotNet Framework runtime for version 3.5 and later. Other tools, such as dnSpyEx, de4dot, and DotDumper, can be downloaded during the workshop, as they are small in size. Knowing how to read VB.NET/C# is a prerequisite. Being able to write C# is preferred, but the workshop can be followed without it, although a part of the exercises cannot be completed without it.
Questions about the workshop can be asked via my open Twitter DMs: @Libranalysis (https://twitter.com/Libranalysis)

Skill Level: Beginner to Intermediate

Prerequisites for students:

  • Have sufficient disk space and RAM to run one Windows 10 VM, along with a few gigabytes of additional free space
  • Be able to understand VB.NET/C# and preferably (though not mandatorily) be able to write in either of those languages
  • Be able to run a Windows 10 VM
  • Have a Windows 10 VM preinstalled in a virtual environment of choice (e.g., VirtualBox, VMware)
  • Have Visual Studio (2019 or later) installed, along with the DotNet Framework 3.5 and higher
  • Analysis tools will be provided (e.g., open-source tools such as dnSpyEx), as their file size is minimal
  • Malware samples and exercises will be provided on-location

Materials or Equipment students will need to bring to participate: A laptop capable of running one Windows 10 VM, with the above-mentioned programs installed, and sufficient free disk space

Presenters:

  • Max 'Libra' Kersten - Malware Analyst at Trellix
    Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting. In 2019, Max graduated cum laude with a bachelor's in IT & Cyber Security, during which Max also worked as an Android malware analyst. Currently, Max works as a malware analyst at Trellix, where he analyses APT malware and creates open-source tooling to aid such research. Over the past few years, Max spoke at international conferences, such as Black Hat Arsenal (USA, EU, MEA, Asia), Botconf, Confidence-Conference, HackYeahPL, and HackFestCA. Additionally, he gave guest lectures and workshops for several universities and private entities.
