What to bring:
Students must bring their own laptop with VMWare running an OS image of Windows 2000 or newer (free 30 day trial is available from http://www.vmware.com). Students should also have OllyDBG (available for free from http://home.t-online.de/home/Ollydbg/) and Datarescue IDA Pro installed in the virtual machine (demo version available from http://www.datarescue.com).
All other tools will be provided to the student in the classroom.
This class is geared for those who have a strong understanding of “live” malicious code analysis in the Microsoft Windows environment and wish to enter the world of malicious code analysis via reverse engineering.
The course will begin with a focus on familiarizing students with Datarescue’s IDA Pro disassembler, the freely available OllyDBG debugger and other relevant tools, scripts and plug-ins. You’ll learn how to analyze a binary for signs of infection, detect commonly employed obfuscation techniques and deal successfully with other forms of anti-analysis.
Building on those fundamentals, students will be guided through example exercises and eventually conduct an analysis on a real world piece of malware. Upon completion of this course students will be able
Key Learning Objectives
- Effective use of Datarescue’s IDA Pro to perform various code analysis tasks (identification, obfuscation, compression, etc).
- Effective use of OllyDBG to deal with malicious code that might use custom packers and/or encryption.
- A Methodology and guide for reverse engineering unknown binaries.
General Learning Objectives
- An understanding of the fundamentals of RCE and the application to malicious code analysis.
- Ability to translate low-level machine code into high-level concepts and processes.
- A base knowledge of the extension libraries and interfaces for IDA Pro and OllyDBG.
Who Should Attend
This course is not intended for security researchers with extensive experience in reverse engineering and/or malicious code analysis. Instead, this course is intended for novice to intermediate malicious code analysts who wish to take the next step in their technical career. Specifically, this class will work to focus and hone your skills on dealing with basic techniques employed by malicious code authors to make low-level analysis difficult and frustrating. This course serves as a great foundation for exploring even more advanced anti-analysis techniques, including anti-emulation and anti-debugging.
Attending students should be comfortable in the Windows environment and have a good understanding of x86 assembly and high level programming and OS concepts.
Scott Lambert has been an information security professional for over 6 years. He has developed, maintained and supported numerous computer security applications ranging from Vulnerability Assessment and Risk Management software to Network and Host-Based Intrusion Detection/Prevention Systems for companies such as L-3 Network Security, Veridian Information Solutions, Symantec Corporation and TippingPoint, a division of 3Com. As a consultant, Lambert has developed and implemented test plans for the evaluation of both wired and wireless Intrusion Detection Systems and has performed advanced protocol analysis in support of research and validation of various computer and network vulnerabilities and attack techniques. Lambert has also performed HIPAA compliance assessments and security awareness training.
He has taught various courses relating to software development for both Northwest Vista College and ITT Technical Institute of Technology and currently holds a Bachelors of Science Degree in Computer Science from St. Mary’s University.
Pedram Amini is the Assistant Director of iDEFENSE Labs where he is responsible for the daily management of a highly technical team as well as the companies Vulnerability Contributor Program. Spending most of his time in the shoes of a security researcher, Pedram is responsible for conducting vulnerability research, analyzing unknown/malicious binaries, and developing reverse engineering tools and methodologies. He has recently spent much of his time developing automation tools, plug-ins and scripts for software like IDA Pro and OllyDbg.
Pedram graduated from Tulane University with a computer science degree in 2002 and has been employed with iDEFENSE since.