Practical Malware Analysis - Hands-On

BSidesLV 2017

Presented by: Sam Bowne, Devin Duffy, Dylan James Smith
Date: Wednesday July 26, 2017
Time: 08:00 - 11:55
Location: Training Ground

Learn how to analyze Windows malware samples, with a hands-on series of projects in a fun, CTF-style environment. There are four levels of analysis challenges.

1. Basic static analysis with file, strings, PEiD, PEview, Dependency Walker, and VirusTotal
2. Basic dynamic analysis with Process Monitor, Process Explorer, RegShot, and Wireshark
3. Advanced static analysis with IDA Pro Free and Hopper
4. Advanced dynamic analysis with OllyDbg and WinDbg

The first challenges are easy enough for beginners, and the later ones get difficult enough to interest intermediate security professionals. We will demonstrate the challenges, discuss the technologies and techniques, and help participants get through them as needed.

These challenges use harmless malware samples from the "Practical Malware Analysis" book by Michael Sikorski and Andrew Honig.

All materials and challenges are freely available at samsclass.info, including slide decks, video lectures, and hands-on project instructions. They will remain available after the workshop ends.

Participants should be familiar with basic C programming. Experience with developing Windows applications, assembly language, and debuggers is helpful but not necessary.

Participants must bring a laptop (any OS) with VMware or VirtualBox installed on it. Each participant will need a 32-bit Windows virtual machine to run malware samples. USB sticks with a Windows Server 2008 VM will be available for students to copy. Some projects also use a Kali Linux VM to simulate the Internet, but that's not required.

Sam Bowne

Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, HOPE, BayThreat, LayerOne, and Toorcon, and has taught classes at many other schools and teaching conferences. He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from the University of Illinois, Urbana-Champaign. Industry certs: CISSP, CEH, CCENT, WCNA, and more.

Dylan James Smith

Dylan James Smith has assisted with hands-on workshops at B-Sides LV, DEF CON, RSA and other conferences. He has worked in and around the computer support industry since adolescence. Now he's old(er). Currently focused on learning and teaching "the cybers."

Devin Duffy

I really love hearing about different malware attack vectors and APT campaigns. I'm currently seeking a junior pentesting position.
