Malware is a persistent threat in today's digital landscape, evolving continuously to evade detection and wreak havoc on systems. In this presentation, we delve into the intricacies of Malware Analysis and Development, exploring its fundamental concepts and real-world applications. What you will learn in the workshop: 1. What is Malware Analysis: We begin by demystifying Malware Analysis, a crucial process for understanding the behavior, functionality, and impact of malicious software. From static analysis to dynamic analysis techniques, we uncover the tools and methodologies used to dissect and analyze malware samples effectively. 2. What is Malware Development: Next, we shift focus to Malware Development, shedding light on the techniques and tactics employed by threat actors to create sophisticated malware. By understanding the inner workings of malware creation, we gain insights into how to combat these threats effectively. 3. The Malware Development Life Cycle: We explore the Malware Development Life Cycle, from initial reconnaissance and planning to deployment and post-exploitation activities. By mapping out this cycle, we gain a holistic view of how malware is conceived, developed, and utilized in cyber attacks. 4. Why it's important for Red Teamers and Blue Teamers: We emphasize the importance of Malware Analysis and Development for both Red Teamers and Blue Teamers. For Red Teamers, it provides invaluable insights into crafting realistic attack scenarios and testing defenses. For Blue Teamers, it equips them with the knowledge to detect, analyze, and mitigate malware threats effectively. 5. Practical Malware Reverse Engineering and Development Examples: Finally, we dive into practical examples of malware reverse engineering and development. Through hands-on demonstrations and case studies, we showcase the process of dissecting malware, understanding its functionality, and even developing defensive measures to thwart future attacks. join us virtually for our upcoming "Malware Development" Workshop to learn the world of Malware Analysis and Development, where we unravel the complexities of malware and empower defenders with the tools and knowledge to combat cyber threats effectively.

1. The Power of Malware Analysis and Development
Uriel Kosayev - @MalFuzzer
Pavel Yosifovich - @Zodiacon

2. Uriel Kosayev
Book Author
Founder of CYMDALL
Founder of TrainSec.net
Malware Researcher
Red Teamer
Trainer & Speaker
Twitter Handle: @MalFuzzer

3. Pavel Yosifovich
Books Author
Founder of CYMDALL
Founder of TrainSec.net
Developer
Trainer & Speaker
Twitter Handle: @Zodiacon

4. What is Malware Analysis?

5. The art of research and
analysis of malicious software
behavior and patterns.

6. Static Analysis
Automated Analysis
Dynamic Analysis
Reverse Engineering
Harder

7. What is Malware Development?

8. The practice of developing code for malicious purposes

9. Only for Malicious purposes?!

10. Of course not!
Malware development can be legitimate, of course
depending on the purpose

11. The Malware Development Life-Cycle (MDLC)

12. Malware
Development
Tests and
QA
Malware
Defense
Bypass
Techniques
Offline
AV/EDR
Testing
IoC
Collection
and
Removal
Operational
Use and TI
Feed

13. Why Learn Malware Development?

14. To know how malware is written
To have better offensive and defensive skills
Become a better Red Teamer and Detection Engineer
Better understanding of your OS Internals
Better understanding of OS API Functions
Because real Hackers know their shi*, so know your shi*!

16. “The one who posses the skills and knowledge to understand
and practically apply things, has the power to rule them all”
- Anonymous Philosopher

17. So why do you even care?

18. Because the bad guys do!

19. Threat actors evolve by learning and leveraging the craft
and TTPs by researching malware samples in the wild.
So why cannot the good guys do so?

20. You do not have to develop your malware from zero
Learn from real-world malware samples and incidents

21. DarkSide Ransomware Seek & Hide
Runtime Code Decryption & Dynamic API Resolve

22. No functions in the IAT!

24. Packed/Encrypted PE Sections

26. Runtime Unpacking/Decryption

28. Dynamic API Resolve

30. And Voila!
Runtime built IAT for you

32. Developing Windows Malware
No different than any kind of low-level Windows development
Uses Windows APIs (documented or not so much)
Built with standard tools and compilers (e.g., Visual Studio)
Testing is paramount
Debugging

33. Windows Subsystem APIs
• Windows API (“Win32”)
• Classic C API from the first days of Windows NT
• Some APIs are COM based
• Especially in newer (Vista+) APIs
• Examples: BITS, DirectX, WIC, DirectShow, Media Foundation
• .NET
• Managed libraries running on top of the CLR
• Common languages: C#, VB.NET, F#, C++/CLI
• Windows Runtime (WinRT)
• New unmanaged API available for Windows 8+
• Built on top of an enhanced version of COM
33

34. PEB, TEBs
VirtualAlloc allocated
memory
Process Virtual Memory Map
MyApp.exe
NtDll.dll
KernelBase.dll
AdvApi32.dll
Thread 1 Stack
Other heaps
0
Default Process Heap
Thread 2 Stack
Kernel32.dll
2GB/4GB/8TB/128TB
34

35. Function Call Flow Example
35
call ReadFile Msvcrt.dll
call NtReadFile
sysenter / syscall
Kernel32.DLL
NtDll.DLL
call NtReadFile NtOskrnl.EXE
NtReadFile:
call driver
NtOskrnl.EXE
Initiate I/O
return to caller
driver.sys
call fread application
User mode
Kernel mode

36. Time for Some Malware Development!

37. TrainSec Academy
Where pros train pros
Advanced Security and Programming Training
https://TrainSec.net

38. Only for you folks!
20% Discount Code for the upcoming Malware Development Workshop!
Coupon Code: MALDEVISTHEBEST
Click here to redeem your coupon and get the chance to become a Malware Developer!

39. Thank you!