Code obfuscation is fast becoming a normal part of modern Windows malware. Pioneered by Emotet and popularized by the Conti ransomware leaks, we now see even simple credential stealers using cracked versions of commercial grade code virtualization! The solution… if you can’t reverse it, just run it!
In this workshop we will cover different tracing techniques that can be used to bypass and extract information from protected code. The workshop is divided into modules covering tracing with x64dbg, dynamic binary instrumentation with PIN, and API tracing with DTrace. A challenge binary is provided with each module for students to practice and the final challenge is a real world malware sample that has been virtualized.
This workshop is aimed at reverse engineers and malware analysts who have experience analyzing malware and are comfortable with debugging in userland. If you don’t have experience with malware but you do have a few hours behind the debugger you should have no problem completing the workshop.
Requirements:- Students must bring a laptop/workstation capable of running a Windows Virtual Machine (VM)
- A preinstalled Windows 10 (64bit) 20H1(or later) VM with at least 50G of free space.
You will be provided with detailed tools installation and setup instructions prior to the workshop