Practical Malware Analysis - Hands-On

Learn how to analyze Windows malware samples, with a hands-on series of projects in a fun, CTF-style environment. There are four levels of analysis challenges.

1. Basic static analysis with file, strings, PEiD, PEview, Dependency Walker, and VirusTotal
2. Basic dynamic analysis with Process Monitor, Process Explorer, RegShot, and Wireshark
3. Advanced static analysis with IDA Pro Free and Hopper
4. Advanced dynamic analysis with OllyDbg and WinDbg
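To show what the level-1 tools actually read out of a sample, here is an added example (not part of the workshop materials) that does a minimal basic static analysis in Python: it checks the MZ/PE signatures the way `file` does, decodes the COFF file header fields that PEview displays (machine, section count, compile timestamp, characteristics), pulls printable ASCII runs like `strings`, and computes the MD5/SHA-256 a VirusTotal lookup would use. The input is a constructed byte string that only imitates the first bytes of a PE file; it is not a real executable, and the URL and split "Cr\0eateFileA" string in it are made up to show that a naive `strings` pass misses a string broken by a NUL byte.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values and Characteristics bits from the PE specification.
MACHINE_NAMES = {0x014C: "x86 (I386)", 0x8664: "x64 (AMD64)", 0x01C0: "ARM", 0xAA64: "ARM64"}
CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}


def build_sample() -> bytes:
    """Constructed stand-in for a sample: the first bytes of a PE file (DOS header,
    DOS stub, PE signature, COFF file header) followed by a few string-like bytes.
    It is not a real executable and cannot run."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 0x80)  # e_lfanew: file offset of the PE signature
    stub = b"This program cannot be run in DOS mode.\r\n$"
    pad = b"\0" * (0x80 - len(dos) - len(stub))
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (all little-endian)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x5A0B1C2D, 0, 0, 0xE0, 0x0102)
    body = (b"\0" * 16
            + b"http://example.invalid/update.php\0"   # constructed, not a real indicator
            + b"kernel32.dll\0"
            + b"Cr\0eateFileA\0")  # split on purpose: `strings` will not show it whole
    return bytes(dos) + stub + pad + b"PE\0\0" + coff + body


def parse_file_header(data: bytes) -> dict:
    """Decode the DOS and COFF headers the way PEview presents them. Raises ValueError
    when the MZ/PE signatures are missing, i.e. when `file` would not call it a PE."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "unknown"),
        "sections": nsect,
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc)
                                .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "optional_header_size": opt_size,
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as the `strings` utility: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def analyze(data: bytes) -> dict:
    """Basic static analysis report: hashes for a VirusTotal lookup, header facts, strings."""
    report = parse_file_header(data)
    report["md5"] = hashlib.md5(data).hexdigest()
    report["sha256"] = hashlib.sha256(data).hexdigest()
    report["strings"] = extract_strings(data)
    return report


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key}: {value}")
```

Run it as-is to see the report for the constructed sample, or call `analyze(open(path, "rb").read())` on a file inside your analysis VM. The point the split string makes is the same one the later levels of the workshop address: what `strings` shows is only what the author left contiguous in the file, so a clean strings listing is not evidence of a clean binary.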

The first challenges are easy enough for beginners, and the later ones
get difficult enough to interest intermediate security professionals.
We will demonstrate the challenges, discuss the technologies and
techniques, and help participants get through them as needed.

These challenges use harmless malware samples from the "Practical Malware Analysis" book by Michael Sikorski and Andrew Honig.

All materials and challenges are freely available at samsclass.info,
including slide decks, video lectures, and hands-on project
instructions. They will remain available after the workshop ends.

Participants should be familiar with basic C programming. Experience with developing Windows applications, assembly language, and debuggers is helpful but not necessary.

Participants must bring a laptop (any OS) with VMware or VirtualBox
installed on it. Each participant will need a 32-bit Windows virtual
machine to run malware samples. USB sticks with a Windows Server 2008 VM will be available for students to copy. Some projects also use a Kali Linux VM to simulate the Internet, but that's not required.

Presented by