Practical Malware Analysis

Learn how to analyze Windows malware samples, with a hands-on series of projects in a fun, CTF-style environment.  There are four levels of analysis challenges.

  1. Basic static analysis with file, strings, PEiD, PEview, Dependency Walker, and VirusTotal
  2. Basic dynamic analysis with Process Monitor, Process Explorer, RegShot, and Wireshark
  3. Advanced static analysis with IDA Pro Free and Hopper
  4. Advanced dynamic analysis with OllyDbg and WinDbg

The first challenges are easy enough for beginners, and the later ones get difficult enough to interest intermediate security professionals. We will demonstrate the challenges, discuss the technologies and techniques, and help participants get through them as needed.

These challenges use harmless malware samples from the book "Practical Malware Analysis" by Michael Sikorski and Andrew Honig.

All materials and challenges are freely available at samsclass.info, including slide decks, video lectures, and hands-on project instructions.  They will remain available after the workshop ends.

Participants should be familiar with basic C programming.  Experience with developing Windows applications, assembly language, and debuggers is helpful but not necessary.

Participants must bring a laptop (any OS) with VMware or VirtualBox installed on it.  Each participant will need a 32-bit Windows virtual machine to run malware samples.  USB sticks with a Windows Server 2008 VM will be available for students to copy.  Some projects also use a Kali Linux VM to simulate the Internet, but that's not required.

Sam Bowne

Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks and hands-on trainings at DEFCON, HOPE, B-Sides SF, B-Sides LV, BayThreat, LayerOne, Toorcon, and many other schools and conferences.

He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign.

Devin Duffy-Halseth

A student of City College of San Francisco's cyber security program. Interested in a junior pentesting position in Scottsdale, AZ. Enjoys studying APT campaigns and mobile device hacking.