Deep dive into executable packers & malware unpacking
We are proud to announce the first in a series of highly technical training courses that we have been working on for some time.
What started as a hobby in reverse engineering software protection later became a large part of our professional careers, deciphering and debugging heavily obfuscated malware.
Zeroperil has combined the most interesting aspects from reverse engineering software protection and malware into this fast paced and intense course.
The course aims to teach students how to deal with a large variety of executable packers, crypters and modern malware loaders.
Attendees will learn advanced tactics, techniques and procedures to retrieve the original malware samples from within multiple layers of obfuscation. As a result, static analysis becomes easier and indicators of compromise can be extracted. Unpacked malware binaries will be fully working, allowing for dynamic analysis.
Students will gain the confidence to approach unknown executable packers and crypters by learning and applying the principles we teach throughout the course.
Techniques for automated sample unpacking by taking advantage of the x86dbg/x64dbg scripting engine will be covered. By the end of the course students will be able to write their own powerful debugger automation scripts.
Course outline:
- x86/x64 architecture refresher
- Microsoft Windows ABI
- PE file format refresher
- Debugging techniques
- Anti-debugging techniques
- A tour of x86dbg
- Introduction to executable packers
- Deep dive into manual unpacking of executable packers
- Automated unpacking and x86dbg scripting
- Deep dive into reverse engineering malware loaders
- Q&A session and workshop
The training course is fully remote and sessions will be conducted over Microsoft Teams. Each student will be presented with a copy of the training materials.
Although this course does cover the necessary introductory and background theory of several technical aspects, the following skills are desirable prior to attending:
- Basic usage of user-mode debuggers (Olly, x64/x32Dbg)
- Basic understanding of x86/x64 assembly language
- Basic knowledge of programming concepts such as pointers, loops, functions, etc.
- Experience with handling malware safely (i.e. Virtual Machines and network segregation)
Hardware and software requirements:
- Computer/laptop able to run a VM with a minimum of 4 dedicated CPU cores and 4 GB of RAM
- Good internet connectivity
- Virtualisation software that is able to take runtime snapshots of the guest OS
- Virtualisation software that is able to run a modern Windows OS (10, 8.1, 7)
Dates: 19th – 21st January 2022