stapiape/defcon32-malware-workshop
From an attacker's lair to your home: A practical journey through the world of malware

Hello! This repo contains the materials for my DEF CON 32 workshop.

About the workshop

During the workshop we will analyze various types of malware, from malicious documents to compiled programs, uncovering their inner workings and learning to identify potential threats effectively. The workshop is geared toward beginners, so don't worry if you don't have much experience. If you can read some high-level code, you should be good to go!

To get the most out of the workshop, you will need a laptop with an x86-64 processor capable of running two virtual machines simultaneously. The laptop should have at least 80 GB of free disk space.

Workshop configuration

  • Windows 10 VM:
    • Disk capacity of at least 60 GB
    • Local account
    • Username without spaces
    • Tamper protection and Windows Defender disabled
    • Windows updates disabled
    • The machine should have the following tools installed:
      • Visual Studio with the C++ runtime
      • Visual Studio Code
      • Sysinternals Suite
      • Dependency Walker
      • PEStudio
      • olevba
      • Capa
      • Ghidra
      • CyberChef
      • dnSpy
  • Linux VM:
    • Python3 installed with the Colorama and Requests modules

Both machines should be on a host-only network, and the Windows VM should use the Linux VM's IP address as its gateway and DNS server.
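In that layout the Linux VM's job as DNS server is to answer every lookup with its own address, so whatever the sample tries to resolve ends up talking to the analysis box. The following responder is an added example of that piece, not the workshop's own tooling; the address 192.168.56.1 and UDP port 53 are assumptions.

```python
"""Minimal DNS sinkhole for a host-only malware-analysis lab (added example,
not part of the workshop repo): every A query is answered with the Linux VM's
own address so the sample's lookups land on the analysis box. 192.168.56.1
is an assumed host-only address for the Linux VM."""
import socket
import struct

SINKHOLE_IP = "192.168.56.1"  # assumed address of the Linux VM


def parse_qname(pkt: bytes, off: int = 12):
    """Decode the question name after the 12-byte header; return (name, next offset)."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n


def build_response(query: bytes, answer_ip: str = SINKHOLE_IP) -> bytes:
    """Answer a single-question query: A records get answer_ip, any other
    type gets an empty NOERROR reply so the client moves on quickly."""
    qname_end = parse_qname(query)[1]
    qtype = struct.unpack("!H", query[qname_end:qname_end + 2])[0]
    question = query[12:qname_end + 4]          # name + QTYPE + QCLASS, echoed back
    ancount = 1 if qtype == 1 else 0
    # 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0; one question, ancount answers
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # Pointer to the name at offset 12, type A, class IN, TTL 60 s, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def serve(bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Answer queries forever and print each name, which makes C2 lookups visible."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        while True:
            data, peer = s.recvfrom(512)
            print(f"{peer[0]} asked for {parse_qname(data)[0]} -> {SINKHOLE_IP}")
            s.sendto(build_response(data), peer)


if __name__ == "__main__":
    serve()
```

Run it as root on the Linux VM, since binding UDP/53 needs elevated privileges; every name the sample resolves is printed as it arrives.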

Challenges

Challenge 1: Malicious document

In this challenge we will analyze a malicious Word document, which acts as a dropper for the .NET malware we will analyze in Challenge 4. We will be using olevba and Microsoft Office's Visual Basic Editor for the analysis.

Challenge 2: Malicious HTML Application

In this challenge we will analyze a malicious HTA, which contains obfuscated code. The HTA drops a PowerShell script which, after performing some anti-analysis techniques, drops the DLL we will analyze in Challenge 3.

Challenge 3: Malicious DLL

This challenge is divided into two parts. First, we will understand how DLL search order hijacking works and how we can create our own malicious DLLs. Then, with the knowledge gained, we will analyze the malicious DLL that the HTA dropped. We will be using PEStudio, Process Monitor, Visual Studio, TCPView and Ghidra for the analysis.

Challenge 4: Malicious .NET

For this last challenge, we will analyze the .NET program that the macro from Challenge 1 executed. The program is a Remote Access Trojan (RAT) and uses multiple techniques to avoid detection. We will finish our analysis by interacting with the RAT through dynamic analysis. We will be using PEStudio, Capa, Autoruns and dnSpy for the analysis.
