CSCI 4972/6963 Malware Analysis

Spring 2013


Instructor: Bulent Yener,

Office Hours: TBD

 

TA: Jeremy White,

Office Hours: TBD

 

Class: Friday 12:30PM – 2:50PM

 

Syllabus: here


Text Book:
Practical Malware Analysis

 

Date | Topic | Tasks | Links for the Hungry Mind

1/25/2013 | Introduction to Malware, Basic Static Analysis | Distribute VMs

VirtualBox

 

DreamSpark - Microsoft's free software outlet for students

http://www.reddit.com/r/uic

http://www.reddit.com/r/reverseengineering

RPISEC Wiki

irc.rpisec.org #malware

Safari Technical Books

An In-Depth Look into the Win32 Portable Executable File Format

An In-Depth Look into the Win32 Portable Executable File Format, Part 2

2/1/2013 | Basic Dynamic Analysis | Chp. 1, 3 Quiz

Conventions:

Defcon - Hacking Convention

Blackhat

Recon

 

Books:

Ebrary

Rootkit Arsenal

Malware Analyst's Cookbook and DVD

Practical Malware Analysis - Ebrary Version

 

Programming:

Python pefile

ProjectEuler

 

Anonymity:

https://www.torproject.org/

anonymous-speaks-the-inside-story-of-the-hbgary-hack

 

Hacker Forums:

http://www.hackforums.net/

http://opensc.ws/

http://crackingforum.com/

 

Journals:

Journal of Computer Virology

 

Presenters for next week:

 

Malware analysis reports are due by 11:59PM Thursday, February 7th, 2013.

Each day late is 10% off the report. Submission is by email with subject line “Malware Analysis Class Report 1” without the quotes.

 

Sample Report: SampleReport.docx, SampleReport.pdf

 

Presentations may be turned in after they are given. Submission is by email with subject line “Malware Analysis Class Presentation 1” without the quotes.

 

2/8/2013 | Assignment 1: Real Malware Analysis | Give presentations, submit write-ups

 

Assembly walk-throughs, to be completed with Chapter 4:

asmtut1.docx, asmtut1.pdf – Assembly with Visual Studio

asmtut2.docx, asmtut2.pdf – Assembly with Cygwin/NASM and shellcode

2/15/2013 | x86 Assembly | Chp. 4 Quiz

CrackMe's

2/22/2013 | IDA | Chp. 5 Quiz

Basic Crackme

Basic Crackme Source Code

TLS Call Back Demo

 

Assignment2.pdf

Assignment2File

3/1/2013 | C Code Constructs | Chp. 6 Quiz

Simple trick to hide IDA debugger

IDA Stealth Plugin - just read the page

warmup.exe

workout.exe

Decorating Your Disassembly - IDC scripts

InlineASM.cpp <-- just added (3/7/13)

 

 

General reversing:

http://www.openrce.org/articles/

http://www.woodmann.com/forum/activity.php

http://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html

http://tuts4you.com/download.php

3/8/2013 | Assignment 2: Crackme | Submit write-ups

.NET Reversing

 

ReflectorInstaller.exe

ReflexilPlugin.zip

SmokeTest.zip

010-Hex EditorInstaller

 

.Net Crackmes

net1.exe

net2.exe

net3.exe

net4.exe

CodeGate Bin100

Bin100 Solution

 

Walk-throughs:

demystifying-dot-net-reverse-engineering-part-1-big-introduction

dot-net-reverse-engineering-part-2

dot-net-reverse-engineering-part-3

demystifying-dot-net-reverse-engineering-introducing-round-trip-engineering

demystifying-dot-net-reverse-engineering-advanced-round-trip-engineering

Reflexil Video

Assembly-Manipulation-and-C-VB-NET-Code-Injection

 

.Net Tools

http://www.woodmann.com/collaborative/tools/index.php/Category:.NET_Tools

 

.Net resources

http://www.jasonhaley.com/obfuscation/

http://www.jasonbock.net/JB/Resources.aspx

3/15/2013 | Spring Break

3/22/2013 | Debugging, OllyDbg | No Quiz

1-hookme

----------------------------

Includes masm32, RadASM, the hookme crackmes, and a tutorial. The tutorial covers code caves and loading malicious DLLs.

1-hookme.zip

 

For information regarding known dlls see:

http://blogs.msdn.com/b/larryosterman/archive/2004/07/19/187752.aspx

 

 

2-headers

-----------------------------

Includes LordPE, CFF Explorer, and the RegisterMe crackmes.

LordPE – for comparing headers

CFF Explorer – for editing headers

2-headers.zip

 

3-ImmDbg PyCommand

-----------------------------

See page 200 in book

Modified script from p 200 to fit Chapter 9-1 lab: WILL PUT UP TUESDAY

 

3-Olly Debug plugins

-------------------------------

http://www.woodmann.com/collaborative/tools/index.php/Category:OllyDbg_Extensions

http://www.openrce.org/downloads/browse/OllyDbg_Plugins

http://thelegendofrandom.com/blog/archives/63

3/29/2013 | Anti-Debugging | Chp. 16 Quiz

NSA.exe

 

MyPlugins.zip – a few selected OllyDbg plugins

 

Debuggers.zip (possibly includes malware) – some crackers’ personal OllyDbg setups

 

WinAppDebug.zip – WinAppDebug with some malware scripts and required libraries

 

40 Cracking Lessons with screencasts – a website with an updated version of what I showed in class

 

Turbodiff – IDA Free plugin

 

Immunity Debugger Python

--------------------------------------

https://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/

Immunity Debugger Downloads [ Plugins, tools, script and utilities for Immunity... ]

 

Pure Python Debuggers

------------------------------------------------------

https://github.com/OpenRCE/pydbg

http://winappdbg.sourceforge.net/

 

PaiMei - Reverse Engineering Framework

How to use PyDbg as a powerful

 

Gray Hat Python (Available online through RPI ebrary)

 

 

Websites covering the research of our guest, Dr. Adam Young

------------------------------------------------------

http://www.cryptovirology.com/ – “...the culmination of over a decade of research on novel cryptographic Trojan horses, viruses, and worms in peer-reviewed academic forums.”

http://www.feralcore.com/ – “Feralcore is an experimental general-purpose communications protocol. It draws on many ideas including Darwin, Core War, and Cryptovirology.”

4/4/2013 | Packers | Chp. 18 Quiz

1-Olly-scripting.zip

----------------------------------------

ImportREC – used for manually fixing the import address table (IAT)

ODBGScript – used for automating tasks in OllyDbg

Olly Scripts-Tuts4You – database of 900+ scripts for the ODBGScript plug-in

Olly-Scripts-Crackers – 1000+ scripts I got off some cracking forum

ARTeam.Ezine.Number2.pdf – online magazine issue with an article about writing OllyDbg scripts

ODbgScript.txt – lists all of the keywords/APIs for writing Olly scripts

UPX 1.xx – 2.xx – 3.00.txt – sample Olly script used to unpack UPX-packed exe’s

 

2-OllyPython.zip

---------------------------------------------

Python Plugin – OllyDbg plugin for writing Python scripts

Python-2.5.msi – installs Python 2.5

 

3-Immdbg-python

----------------------------------------------

upx.py – script I wrote that finds the OEP in UPX-packed malware; execute it with !upx.py <moduleName>

Example usage: !upx Lab18-01.exe

 

UnpackMe’s

----------------------------------------------------

Quiz6.exe

solPacked.exe

antire test.exe

 

Resources

---------------------------------------

http://flylib.com/books/en/4.287.1.16/1/ – conditional log breakpoints for OllyDbg

http://www.ihtb.org/security/quickrefs/OllyDbg_quickref.pdf – OllyDbg command-line usage

https://code.google.com/p/corkami/ – reverse engineering and visual documentation

http://eikonal.wordpress.com/2011/02/28/code-analysis-debugging-and-reverse-engineering-code-security/

https://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/

http://tekwizz123.blogspot.com/2012/04/pycommands-tutorial.html

 

LessonNotes.txt

 

 

Assignment 3:

assignment3.exe is a packed version of Solitaire. Unpack and patch assignment3.exe so that a player can win Solitaire instantly and see a splash screen/message box with the names of the people in your team. Once you have figured out how to unpack and patch assignment3.exe, you must also automate the process of unpacking and patching the packed version. This can be an OllyScript, an Olly Python script, an Immunity Debugger Python script, etc. Teams can be of 1 or 2 people. All programs must work on our VM setup of Windows XP SP3.

 

Due date: April 18th, 11:59PM; 10% off for each day that it is late

 

Submission is by email with subject line: Malware Class Assignment 3

 

Submission materials: 1 zip file containing

(10 pts) assignment3.exe, unpacked and patched as described. Must complete the automation and the document to receive points.

(30 pts) Scripts/other materials that automate the process of unpacking and patching assignment3.exe

(60 pts) 1 document that describes each challenge faced during unpacking and patching and how your team overcame it. Screenshots are a must.

 

assignment3.exe

4/12/2013 | Anti-Disassembly | Chp. 15 Quiz

Lesson.txt

 

Anti-Disassembly

---------------------------------------------------------------

 

Anti-Disassembly BlackHat Presentation

https://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_Slides.pdf

anti-re.zip – assembled and categorized files from the BlackHat presentation

 

http://research.dissect.pe/docs/blackhat2012-paper.pdf

 

https://github.com/rrbranco/blackhat2012/

 

IDA-Pro disassembly errors:

https://www.hex-rays.com/products/ida/support/idadoc/549.shtml

 

Unpacking

-------------------------------------------------------------------------

 

UnPackMe.exe – practice UnPackMe done in class

 

OllyDbg run trace, hit trace

http://securitylabs.websense.com/content/Blogs/3144.aspx

 

Diffing two traces

http://www.openrce.org/downloads/details/188/OllySnake

 

Resources

----------------------------------------------------------------------------

 

Challenges/CrackMe’s/UnpackMe’s:

http://tuts4you.com/download.php?list.52

http://www.net-force.nl/challenges/

http://www.bright-shadows.net/

 

Additional Resources:

http://www.brokenthorn.com/Resources/OSDevIndex.html – in depth on x86 registers

https://github.com/a0rtega/pafish – sample anti-RE techniques in one DLL

 

4/19/2013 | Assignment 3: UnpackMe | Submit write-ups

Lesson.txt

 

Cygwin.bat – customized Cygwin start-up, includes $PATH settings for the Visual Studio tools. This allows for building Pin tools.

 

0-Win32api and x86 Opcodes.zip – Win32api.hlp to be used with OllyDbg

 

1-More advanced unpacking - PartI.zip – includes a collection of packer identification programs like PEiD

 

2-pin.zip – Intel’s dynamic binary instrumentation framework Pin

assignment3Screenshot.jpg – visualization of assignment3 being unpacked and run

 

3-Vera.zip – Pin tools by Danny Quist allowing for the visualization of program traces

http://csr.lanl.gov/malware/ – VERA website with publications

 

4-code injection.zip – demonstration program for creating a process in the suspended state, followed by code injection into that process

 

Resources

------------------------------------------------------------------------------------------------

Peter Ferrie’s Anti-Unpacker Tricks – 7-part series for Virus Bulletin magazine

http://pferrie.tripod.com/papers/unpackers21.pdf

http://pferrie.tripod.com/papers/unpackers22.pdf

http://pferrie.tripod.com/papers/unpackers23.pdf

http://pferrie.tripod.com/papers/unpackers24.pdf

http://pferrie.tripod.com/papers/unpackers25.pdf

http://pferrie.tripod.com/papers/unpackers26.pdf

http://pferrie.tripod.com/papers/unpackers27.pdf

 

Peter Ferrie’s Anti-Debugging Tricks

http://pferrie.host22.com/papers/antidebug.pdf – 140+ pages on anti-debugging techniques

 

http://www.reconstructer.org/ – security blog, including unpacking tutorials

Basic unpacking of UPX and ASPack:

http://www.reconstructer.org/papers/Unpacking_UPX_and_Aspack_with_ESP_Trick.swf

 

Pin Tools

http://www.files.dc9723.org/binary_instrumentation_dc9723.pdf

4/26/2013 | Covert Malware Launching | Chp. 12 Quiz

Lesson9.txt

 

Assignment 3 Recap:

 

Process Injection Monitor: API tracer using Microsoft Detours

http://x1a0ran.blog.com/2013/01/25/process-injection-monitor/

ProcessInjectionMonitor-release.zip

ProcessInjectionMonitor-release-src.zip

 

Malpimp: API tracer using PyDbg

http://securityxploded.com/malpimp.php

Malpimp.zip

 

Demo Scene Chaos Theory:

http://chaostheory.conspiracy.hu/downloads.php

chaostheory.exe

 

Hooking the System Service Descriptor Table (SSDT):

preserve.zip

http://proquest.safaribooksonline.com.libproxy.rpi.edu/book/networking/security/9781449626365/chapter-11-modifying-call-tables/115_hooking_the_ssdt

Rootkit Arsenal

http://www.belowgotham.com/Links.htm

 

 

Resources:

http://en.wikipedia.org/wiki/DLL_injection

http://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces

https://thunked.org/programming/fun-with-thread-contexts-process-injection-t206.html

http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html

 

http://www.securestate.com/Research%20and%20Innovation/Pages/Tools.aspx – Syringe

http://blog.securestate.com/syringe-utility-provides-ability-to-inject-shellcode-into-processes/

 

https://github.com/inquisb/shellcodeexec – shellcodeexec is an open source script to execute a sequence of opcodes in memory.

 

 

Last hour: guest speaker from Grey Castle Security

Tyler Wrightson:

http://twrightson.wordpress.com/page/2/

https://twitter.com/tbwrightson

http://www.amazon.ca/Wireless-Network-Security-Beginners-Guide/dp/0071760946

5/3/2013 | Anti-Virtualization | Chp. 17 Quiz

Assignment 4:

assignment4.txt

assignment4.exe

 

 

Extra Credit: 5% of the total grade to individuals who solve an unsolved crackme from www.Crackmes.de. You must receive confirmation from me that it is a valid choice, and you must write a document detailing your solution. You may choose any difficulty level you'd like.

You can split a crackme with others: if 2 people work on it, 5%/2 = 2.5% per person; with 5 people, 5%/5 = 1% per person.

 

IDA Pro Book

http://proquest.safaribooksonline.com.libproxy.rpi.edu/book/software-engineering-and-development/software-testing/9781593273750/firstchapter#X2ludGVybmFsX0J2ZGVwRmxhc2hSZWFkZXI/eG1saWQ9OTc4MTU5MzI3Mzc1MC8yNDk=

 

http://site.ebrary.com.libproxy.rpi.edu/lib/rpi/docDetail.action?docID=10496688

 

IDA Scripting

http://practicalmalwareanalysis.com/colorida-idc-2/

https://code.google.com/p/idapython/wiki/ExampleScripts

5/10/2013 | Assignment 4: Submit write-ups by May 11th, 11:59PM


IRC:

Server:

Channel: #malware

Teacher’s Nick: lynxjerm