Practical Malware Analysis - Hands-On

Presented at BSidesLV 2017, July 26, 2017, 8 a.m. (235 minutes)

Learn how to analyze Windows malware samples, with a hands-on series of projects in a fun, CTF-style environment. There are four levels of analysis challenges. 1. Basic static analysis with file, strings, PEiD, PEview, Dependency Walker, and VirusTotal 2. Basic dynamic analysis with Process Monitor, Process Explorer, RegShot, and Wireshark 3. Advanced static analysis with IDA Pro Free and Hopper 4. Advanced dynamic analysis with Ollydbg and Windbg The first challenges are easy enough for beginners, and the later ones get difficult enough to interest intermediate security professionals. We will demonstrate the challenges, discuss the technologies and techniques, and help participants get through them as needed. These challenges use harmless malware samples from the "Practice Malware Analysis" book by Michael Sikorski and Andrew Honig. All materials and challenges are freely available at, including slide decks, video lectures, and hands-on project instructions. They will remain available after the workshop ends. Participants should be familiar with basic C programming. Experience with developing Windows applications, assembly language, and debuggers is helpful but not necessary. Participants must bring a laptop (any OS) with VMware or VirtualBox installed on it. Each participant will need a 32-bit Windows virtual machine to run malware samples. USB sticks with a Windows Server 2008 VM will be available for students to copy. Some projects also use a Kali Linux VM to simulate the Internet, but that's not required.


  • Devin Duffy - Intern - Uber
    I really love hearing about different malware attack vectors and APT campaigns. I'm currently seeking a junior pentesting position.
  • Dylan James Smith
    Dylan James Smith has assisted with hands-on workshops at B-Sides LV, DEF CON, RSA and other conferences. He has worked in and around the computer support industry since adolescence. Now he's old(er.) Currently focused on learning and teaching "the cybers."
  • Sam Bowne - City College San Francisco - City College San Francisco
    Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, HOPE, BayThreat, LayerOne, and Toorcon, and taught classes and many other schools and teaching conferences. He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. Industry certs: CISSP, CEH, CCENT, WCNA, and more.


Similar Presentations: