### Intro to Malware Analysis and Reverse Engineering

Course
Time: 9 hours 10 minutes
Difficulty
CEU/CPE: 9

### Video Description

In this module, we'll begin by learning about more advanced packers. Some of the more advanced packers have multiple layers, layers of junk code, built-in defences (such as anti-analysis and anti-debugging code), custom encryption, and may even create a small virtual machine. Finally, we'll quickly recap the key areas covered in the module. There are also some good resources that will help you build expertise:

• Malware Analyst's Cookbook
• Practical Malware Analysis

### Video Transcription

00:04
Typically, I have a slide of notes for the paranoid. Well, there are more advanced packers out there. I've seen some that have multiple layers, where it will unfold one layer, and then that layer will in turn unfold another layer, and then that one will in turn unfold another layer. And maybe somewhere in there there's a built-in defense, like anti-analysis code or anti-debugging code, to make sure a debugger isn't being used to take it apart. And between here and there, and between the layers, there's lots and lots of junk code. Ah, just meaningless instructions or meaningless function calls, stuff to distract you, annoy you.
00:49
00:49
And if you look at a packer for a while, you typically are able to eye the junk code. You can figure it out. And that might sound strange, but honestly, the person who wrote the packer isn't going to go to a huge amount of effort to deter you because, you know, a week for them might be an hour for you to overcome.
01:19
01:19
So, I remember one packer. It did a weird kind of jump/call/move combination, where it would move a value from EAX to ECX and then, you know, a few instructions later, move it back, you know, move ECX back into EAX. And so it was pretty easy to pick out where it was saving these registers and where it was restoring them. And, you know, it was pretty easy to see that the function calls another packer was using didn't even check the return values of those function calls. So it was easy to see which function calls it actually was paying attention to, and the other ones that were just throwing values away.
02:12
02:12
A lot of packers have custom encryption. When you get into more reverse engineering, you'll see that there are crypto APIs on the operating system that some packers will call. Other packers will implement their own crypto: you know, go for open-source AES (Advanced Encryption Standard) or open-source RC4 or whatever else they can copy-paste. It's easiest, fast, it works, and they might tweak it a little, so you can't just use a tool out there, or use code that you found out there, that they were using. So there might be custom encryption, but it's nothing you can't overcome, because with a debugger we can easily step through every step of every part of it. As you saw in the demo, we could easily just step over stuff or run straight through things.
03:09
03:09
Some of the most advanced packers out there will actually convert all of the original code that it was told to pack, and it will convert it into another language pretty much, and then execute that language in its own virtual machine.
03:36
03:36
You might think about that and be like, what? Well, if you think about Java, you can take a .java file, which is English-readable strings, and it compiles it into bytecode so that the Java virtual machine can then execute it. So Java is a well understood virtual machine, so it's not that big a deal to make a disassembler for it.
04:06
04:06
But packers that create their own virtual machines each time, it's very difficult to disassemble that code, because even then it might be obfuscated, or your disassembler might not be able to handle some of the tricks it has built in, and it could create a rather complicated virtual machine.
04:33
04:33
At that point, it's not worth your time, usually, to reverse engineer what it's doing instruction by instruction. Usually you just want to get whatever data you're targeting out of it, like an IP address or a domain name or a particular configuration.
05:00
05:00
So I wouldn't worry about those so much. And if you ever come across a very advanced packer, then spend some time on it, get to know what it's doing, but definitely don't... Learning is good, and I highly suggest that maybe you just take a solid week and go through a more difficult packer, or a tutorial online about how to pack something, like an ASPack unpacker or ASPack. But definitely don't spin your wheels on something that's... because as a reverse engineer, you're generally paid a lot and you know a lot and you have a very detailed, warranted view of something.
05:53
05:53
So packers are meant to distract you, and some of them are really good, but they are usually very expensive, so they're not that common. So, a recap of what we covered and the list of good resources: we talked about what packers are, some of the more common ones, and then we took a very common one, the most common, UPX, and then we saw how to pack something, how to unpack something, and we saw what exactly it is doing to the executable and how it actually unfolds it in memory, or decrypts it in memory. And this does require a bit of assembly knowledge, and in particular the pushad and popad instructions, because those are not usually, as I said, emitted by compilers. It's not usually generated code. So if we see that, we usually think, okay, something a little funky is going on here. And those are excellent points to, uh, excellent instructions to look out for.

07:00
And I suggest the Practical Analyst Cookbook because, as we saw, their scripts, you know, they're all very enlightening to see exactly what's going on in a PE file and give us some good indicators of whether a file is packed, like with the entropy, or the virtual sizes versus the raw sizes, what's on disk versus what's going to go in memory. Practical Malware Analysis has a decent section on packers. So I'll suggest that you check those out, and there are plenty of packers out there freely available for download. And if you want to build a simple hello world program and then pack it with a dozen different packers and then see how each one is doing its thing, that is a great way to learn. And you're going to learn 90% of this by doing it yourself.

08:01
So again, my name is Sean Pierce; hope you enjoyed this video and we'll see you soon.

### Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major file types, how to carve malicious executables from documents, and how to recognize common malware tactics and debug and disassemble malicious binaries.

Sean Pierce
Instructor