The Power of Malware Analysis and Development
Uriel Kosayev - @MalFuzzer
Pavel Yosifovich - @Zodiacon
Uriel Kosayev
Book Author
Founder of CYMDALL
Founder of TrainSec.net
Malware Researcher
Red Teamer
Trainer & Speaker
Twitter Handle: @MalFuzzer
Pavel Yosifovich
Author of multiple books
Founder of CYMDALL
Founder of TrainSec.net
Developer
Trainer & Speaker
Twitter Handle: @Zodiacon
What is Malware Analysis?
The art of researching and analyzing the behavior and patterns of malicious software.
Approaches, from easier to harder: Static Analysis, Automated Analysis, Dynamic Analysis, Reverse Engineering
What is Malware Development?
The practice of developing code for malicious purposes
Only for malicious purposes?!
Of course not!
Malware development can also be legitimate; it depends on the purpose.
The Malware Development Life-Cycle (MDLC)
Stages of the MDLC:
Malware Development
Tests and QA
Malware Defense Bypass Techniques
Offline AV/EDR Testing
IoC Collection and Removal
Operational Use and TI Feed
Why Learn Malware Development?
To know how malware is written
To have better offensive and defensive skills
Become a better Red Teamer and Detection Engineer
Better understanding of your OS Internals
Better understanding of OS API Functions
Because real Hackers know their shi*, so know your shi*!
“The one who possesses the skills and knowledge to understand and practically apply things has the power to rule them all”
- Anonymous Philosopher
So why do you even care?
Because the bad guys do!
Threat actors evolve by studying malware samples in the wild and adopting the craft and TTPs they find there.
So why shouldn't the good guys do the same?
You do not have to develop your malware from scratch
Learn from real-world malware samples and incidents
DarkSide Ransomware Seek & Hide
Runtime Code Decryption & Dynamic API Resolution
No functions in the IAT!
Packed/Encrypted PE Sections
Runtime Unpacking/Decryption
Dynamic API Resolution
And voilà! An IAT built at runtime, just for you
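As an added example (not from the talk or from any DarkSide sample), here is a small static-triage script that looks for the two indicators this slide describes: high-entropy sections that suggest packed or encrypted code, and an import table that is nearly empty or holds only the APIs needed to rebuild the IAT at runtime. The section bytes and import names are constructed test data, and the thresholds are assumptions.

```python
import hashlib
import math
from collections import Counter

PACKED_ENTROPY_THRESHOLD = 7.0   # bits/byte; compressed or encrypted data sits near 8.0
MIN_EXPECTED_IMPORTS = 10        # assumption: a normal unpacked Win32 program imports far more
RESOLVER_APIS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(sections: dict, imports: list) -> dict:
    """Static triage of a PE's section contents and imported function names.
    sections: {section_name: raw_bytes}; imports: names found in the IAT.
    Returns the per-section entropy plus a list of human-readable findings."""
    findings = []
    entropy = {name: round(shannon_entropy(raw), 2) for name, raw in sections.items()}
    for name, h in entropy.items():
        if h >= PACKED_ENTROPY_THRESHOLD:
            findings.append(f"section {name} has entropy {h}: likely packed/encrypted")
    if len(imports) < MIN_EXPECTED_IMPORTS:
        findings.append(f"only {len(imports)} imported functions: IAT probably built at runtime")
    if imports and set(imports) <= RESOLVER_APIS:
        findings.append("IAT holds only LoadLibrary/GetProcAddress: dynamic API resolution")
    return {"entropy": entropy, "findings": findings}

def _pseudo_random(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted section (constructed)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])

# Constructed sample: an ordinary-looking .text section next to an encrypted payload
# section, and an import table naming only the two APIs needed to rebuild the IAT.
SAMPLE_SECTIONS = {
    ".text": b"This is ordinary code and strings with plenty of repetition. " * 64,
    ".data": _pseudo_random(4096),
}
SAMPLE_IMPORTS = ["LoadLibraryA", "GetProcAddress"]

if __name__ == "__main__":
    report = triage(SAMPLE_SECTIONS, SAMPLE_IMPORTS)
    for name, h in report["entropy"].items(): print(f"{name:8} entropy={h}")
    for f in report["findings"]: print("!", f)
```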
Developing Windows Malware
No different from any other kind of low-level Windows development
Uses Windows APIs (documented or not so much)
Built with standard tools and compilers (e.g., Visual Studio)
Testing is paramount
Debugging
Windows Subsystem APIs
• Windows API (“Win32”)
  • Classic C API from the first days of Windows NT
  • Some APIs are COM based
    • Especially in newer (Vista+) APIs
    • Examples: BITS, DirectX, WIC, DirectShow, Media Foundation
• .NET
  • Managed libraries running on top of the CLR
  • Common languages: C#, VB.NET, F#, C++/CLI
• Windows Runtime (WinRT)
  • New unmanaged API available for Windows 8+
  • Built on top of an enhanced version of COM
Process Virtual Memory Map (figure): the user-mode address space from 0 up to 2GB/4GB/8TB/128TB, containing MyApp.exe, NtDll.dll, KernelBase.dll, Kernel32.dll, AdvApi32.dll, the PEB and TEBs, the Default Process Heap, other heaps, the Thread 1 and Thread 2 stacks, and VirtualAlloc allocated memory.
Function Call Flow Example
User mode:
application: call fread
Msvcrt.dll: call ReadFile
Kernel32.DLL: call NtReadFile
NtDll.DLL: NtReadFile: sysenter / syscall
Kernel mode:
NtOskrnl.EXE: NtReadFile: call driver
driver.sys: Initiate I/O
NtOskrnl.EXE: return to caller
Time for Some Malware Development!
TrainSec Academy
Where pros train pros
Advanced Security and Programming Training
https://TrainSec.net
Only for you folks!
20% Discount Code for the upcoming Malware Development Workshop!
Coupon Code: MALDEVISTHEBEST
Thank you!