Malware Analysis: Identifying and Defeating Packing

Malware authors routinely utilize packing techniques to complicate the analysis of their code. This course will teach you techniques for identifying and defeating packing so that key characteristics and behaviors can be identified.
Course info
Level
Intermediate
Updated
Feb 12, 2019
Duration
2h 17m
Table of contents
Description
Course info
Level
Intermediate
Updated
Feb 12, 2019
Duration
2h 17m
Description

Malware authors will routinely utilize obfuscation techniques to complicate the analysis of their code. One such technique is packing, in which a malicious program is layered inside another program. In Malware Analysis: Identifying and Defeating Packing, you will gain the skills necessary to not only identify prevalent packing techniques, but also how to effectively defeat them. First, you will learn how packers work and how malware authors regularly use them. Next, you will learn how to detect common packers and methods for unpacking. Finally, you will learn about custom packers, how you can identify them and effective ways for defeating them. Each module of this course will include detailed demonstrations and hands-on labs that will allow you to analyze real-world malware. You will be going deep into malware packing techniques with such tools as IDA Pro and WinDbg, by the end of this course you will have the knowledge and skills to effectively tackle packing!

About the author
About the author

Dr. Josh Stroschein is an Assistant Professor at Dakota State University where he teaches malware analysis, software exploitation, reverse engineering and penetration testing

More from the author
Getting Started with Reverse Engineering
Beginner
3h 40m
Aug 29, 2018
Section Introduction Transcripts
Section Introduction Transcripts

Course Overview
(Music playing) Hi everyone, my name is Dr. Josh Stroschein and welcome to my course, Malware Analysis: Identifying and Defeating Packing. I am an assistant professor at Dakota State University where I teach malware analysis, reverse engineering, and software exploitation. I work as a senior malware analyst for Bromium, and I'm part of the training team and responsible for academic outreach for the Open Information Security Foundations Suricata project. In this course, we are going to tackle malware packing head on. Packing is a prevalent technique used by malware authors to hide, obfuscate, or otherwise complicate your ability to analyze the malware's code. Identifying and defeating packing is often the first step when analyzing any malicious file. Some of the major topics that we will cover include techniques and tools for analyzing malware and determining signs of packing, how to detect common packers with signatures, how to identify custom packers, and effective strategies for tracing through unpacking logic with reversing tools, such as IDA Pro, an assembly level debugger. We will also utilize real-world malware to study unique packing techniques and how to defeat them. Throughout this course you will be able to follow along through comprehensive demonstrations and apply yourself through hands-on labs with real-world malware samples. By the end of this course, you will have the knowledge and skills necessary to defeat malware packing. Before beginning the course, you should be familiar with the basics of reverse engineering and be comfortable with tools such as a disassembler and an assembly-level debugger. You should also be familiar with how to set up a safe malware analysis lab environment. I hope you'll join me on this journey to learn how to defeat packing with Malware Analysis: Identifying and Defeating Packing at Pluralsight.

Why Packing Affects Your Analysis
Welcome to Malware Analysis: Identifying and Defeating Packing. My name is Dr. Josh Stroschein, and I'll be your instructor for this course. This course is focused on identifying and defeating packing. We'll start by looking at how packers work and explore the several tools that will give you information about potential packing used and the malware that you're analyzing. We'll then move into more complex topics by identifying custom packers and how we can defeat those. This will set the stage for us to perform manual unpacking, in which we'll get deep into technical understanding of the packing techniques. This will require that we use such tools as IDA Pro in the debugger so that we can manually step through key points of the unpacking process in order to recover that inner payload, that is, the packed malware. That brings us to the end of the course. At this point, you'll have a deeper understanding of how packers work, and, more importantly, how to defeat them. This is a must-have skill for any malware analyst, as malware authors continuously use packing and obfuscation techniques to thwart our analysis. I'm excited that you're here. Let's begin.

How Packers Work
Welcome to How Packers Work. In this module, we're going to begin to develop the skills to detect signs of packing by looking at some sample programs, as well as to begin exploring several key tools that will help you in this analysis. Next, we'll take a look at a sample program, a Hello World. We'll compile this program from source, and then run it through a packer, allowing us to explore the signs of packing. Next, we'll start looking at detecting packers with signatures. This is usually an important first step because if you can determine that something is packed with a known packer, it should make your unpacking a little bit easier. If not, then we'll likely have to look at custom packing, and which we'll cover a little bit later in this course. Next, there will be another demonstration in which we'll look at using these signatures in order to detect packers on several malicious samples. Finally, we'll end this module with a lab, allowing you to apply everything that we've learned throughout this module in one final hands-on exercise. I hope you're ready to explore the world of packing! Let's begin.

Identifying Custom Packers
Welcome to Identifying Custom Packers. In this module, we're going to begin by discussing what happens when signatures fail. That is, our tools are not able to match a signature to a sample that we think is packed. This will be followed up a demo, in which we'll apply these skills and this understanding to detect custom packers in a sample. After this, I'll discuss using sandboxes for unpacking, as this is a technique that can oftentimes help with the unpacking process, requiring a little less manual effort. However, our focus on this course is on that manual analysis, manually unpacking so that you have the deepest understanding of how packing and, therefore, unpacking works. Finally, we'll end this module with a lab in which you'll be able to focus on detecting custom packers. We're not going to get to the point where we're unpacking quite yet; we're going to save that for the next module. We're now ready to move on beyond signatures, so let's dig in!

Performing Manual Unpacking
Welcome to Performing Manual Unpacking. In this module, we're going to get a little bit deeper into identifying and defeating packing by looking at a series of manual approaches. We'll begin by unpacking through memory analysis, running our samples, and looking for evidence of our unpacked malware in memory. We'll follow this up with a demo, in which we'll unpack a ransomware sample. Next, we'll get a little bit deeper into the packing logic and we'll use some reverse engineering to identify key points during the unpacking process. This will allow us to be able to defeat the packing process without having to perform an exhaust of analysis. This will be followed up with another demonstration, in which we'll unpack a malware sample known as Simda. Next, we'll get into a slightly more complex sample and get a little bit deeper into tracing the unpacking logic. The last thing we'll do in this module is a lab, in which you'll be able to get hands on using these approaches to unpack malware. We're now ready for the debugger and the disassembler, so let's begin!

Leveling up Your Skills
As hard as this may be to believe, you've made it to the end of the course. In this, the last module, we'll review what you learned. I'll provide some suggestions on how you can continue to level up your skills; that is, continue to grow as a malware analyst and, in particular, get better at unpacking malware. And that'll be it. You'll be more prepared to tackle the world of malware and malware packing.