@jershmagersh
Created April 3, 2024 15:51
3hr_workshop.md
  1. 30 min - Introducing Workshop Resources and Content 
  • The workshop will begin by familiarizing participants with the tools used in the workshop, including:

  • Binary Ninja (https://binary.ninja/) and Binary Ninja’s user-interface (UI) components that we will be using throughout the workshop (mainly the disassembler, decompiler, Python REPL, and scripting interfaces)

  • Binary Ninja’s decompiler, which is built on the Binary Ninja Intermediate Languages (BNILs - https://docs.binary.ninja/dev/bnil-overview.html). We will read these ILs alongside the raw disassembly to understand what the instructions are doing during the reverse engineering process

  • Binary Ninja’s Python interface, which will be used for interacting with these BNILs

  • Participants will then be given an overview of the malware we will be analyzing (Qakbot) and of the steps that lead to the campaign information: writing a static unpacker, analyzing the unpacked Qakbot payload in Binary Ninja, and extracting campaign information from it

  2. 45 min - Writing a Static Unpacker
  • This section will teach participants how to automate the unpacking and decryption of malware samples, using the Qakbot sample as the example. The sample is packed: the Qakbot payload is stored encrypted inside a loader stub that decrypts and runs it at runtime, so the payload never appears in clear on disk. We will perform multiple hands-on exercises to automate the extraction of Qakbot from its packed form using Binary Ninja, PEFile and Binary Refinery

  • The first exercise will teach attendees how to use Binary Ninja to identify the encryption algorithm used by the first stage of the packer and how to extract key information to decrypt the second stage

  • The next exercise will teach attendees how to use PEFile (https://github.com/erocarrera/pefile) to extract an embedded resource from the packed binary. Once extracted, the resource will then be decrypted using the key information from the first exercise

  • The next exercise will teach attendees how to use Binary Refinery (https://github.com/binref/refinery) to carve binary files from the decrypted resource
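The three exercises above form one pipeline. What follows is an added example, not the workshop's code, of what the resulting static unpacker looks like in Python once exercise 1 has told you which cipher the stub uses and where its key lives: pefile pulls the resource out of the packed binary, a decrypt step recovers the second stage, and a header-walking carver pulls PE files out of the decrypted bytes. The resource layout (a length-prefixed key followed by the ciphertext), RC4 as the cipher, and every input byte are assumptions constructed for this example; the real sample's cipher, key and layout are what you recover in exercise 1. The workshop does the carving with Binary Refinery; here a minimal carver is written out so the validation logic is visible.

```python
"""Static unpacking, end to end: pull the embedded resource, decrypt it, carve PE files out.

Added example, not the workshop's code. The resource layout is an ASSUMPTION standing in for
what exercise 1 recovers from the real stub:  <u32 key_len> <key> <RC4(key, blob)>, where blob
holds one or more PE files. RC4 is only the stand-in cipher; use whatever the sample uses.
"""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so one function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def embedded_resources(path: str):
    """Yield ((type_id, name_id), data) for each resource of the PE at `path` (uses pefile)."""
    import pefile  # pip install pefile; imported lazily so the rest runs without it
    pe = pefile.PE(path)
    for rtype in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        for rid in rtype.directory.entries:
            for lang in rid.directory.entries:
                d = lang.data.struct
                yield (rtype.id, rid.id), pe.get_data(d.OffsetToData, d.Size)


def pe_size(blob: bytes, off: int):
    """On-disk size of a PE image starting at blob[off], or None if the headers do not parse."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0]  # e_lfanew -> "PE\0\0"
    if pe - off > 0x400 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    sec_tab = pe + 24 + opt_size
    end = sec_tab + 40 * nsec  # the headers alone, before any section data
    if not 0 < nsec <= 96 or end > len(blob):
        return None
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec_tab + 40 * i + 16)
        sec_end = off + raw_ptr + raw_size
        if raw_size and sec_end > len(blob):
            return None  # a section that claims bytes beyond the buffer is not a valid carve
        end = max(end, sec_end)
    return end - off


def carve_pe(blob: bytes):
    """Return (offset, image) for every MZ whose headers parse; stray 'MZ' text is skipped."""
    found, pos = [], 0
    while (off := blob.find(b"MZ", pos)) != -1:
        size = pe_size(blob, off)
        if size:
            found.append((off, blob[off:off + size]))
            pos = off + size
        else:
            pos = off + 1
    return found


def unpack(resource: bytes):
    """Apply the assumed layout (key length, key, ciphertext) and return the carved PE files."""
    key_len = struct.unpack_from("<I", resource, 0)[0]
    key = resource[4:4 + key_len]
    return [img for _, img in carve_pe(rc4(key, resource[4 + key_len:]))]


def fake_pe(body: bytes) -> bytes:
    """Constructed minimal PE32 (one section) standing in for the real second stage."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(body), 0x1000, len(body), 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + opt + sec
    return hdr + b"\0" * (0x200 - len(hdr)) + body


def constructed_resource() -> bytes:
    """Sample input: two PEs plus filler containing a stray 'MZ', encrypted under a 16-byte key."""
    key = b"workshop-key-000"
    blob = b"junk MZ junk" + fake_pe(b"A" * 100) + b"\0" * 7 + fake_pe(b"B" * 40) + b"tail"
    return struct.pack("<I", len(key)) + key + rc4(key, blob)


if __name__ == "__main__":
    for n, img in enumerate(unpack(constructed_resource())):
        print(f"carved PE #{n}: {len(img)} bytes")
```

Run stand-alone it carves two PE files out of the constructed resource; against a real sample, feed the output of `embedded_resources()` into `unpack()` instead. The filler text containing a bare `MZ` is there to show why the carver validates the headers and section table rather than trusting the two-byte magic.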

  3. 45 min - Analyzing Qakbot using Binary Ninja
  • This section will teach participants how to automate the analysis and deobfuscation of malware samples using Binary Ninja, again using the Qakbot sample as the example. Qakbot employs several obfuscation techniques intended to hinder reverse engineering and analysis; we will perform multiple hands-on exercises to automate their removal and so speed up the reverse engineering process

  • The first exercise in this section will introduce dynamic function resolution (the malware locating Windows API functions at runtime by a lookup rather than through its import table) and show how to recover the resolved functions statically with Binary Ninja automation

  • The following exercise will teach attendees how to analyze the string encryption employed by Qakbot and how the encrypted strings can be recovered with Binary Ninja automation
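An added example (not the workshop's code, and not Binary Ninja API calls) of the two deobfuscation steps this section describes, written as plain Python so the logic is visible: precomputing a table of API-name hashes so the immediates found at the resolver's call sites can be turned back into names, and decrypting a string table once so each offset-based string reference can be resolved. The hash function (ROR-13 over the export name), the string-table scheme (repeating-key XOR, NUL-separated, referenced by offset), the export list and the table contents are all assumptions constructed here; the real sample's hash, key and layout are what the two exercises recover.

```python
"""Two Qakbot-style obfuscations undone statically: hashed API resolution and an encrypted string table.

Added example, not the workshop's code and not the Binary Ninja API. The hash (ROR-13 over the
export name) and the string scheme (table XORed with a repeating key, NUL-separated, referenced
by offset) are ASSUMED stand-ins for what exercises 1 and 2 recover from the real sample.
The export list and the encrypted table are constructed inline.
"""

# --- dynamic function resolution -------------------------------------------------------------

KNOWN_EXPORTS = {  # constructed subset; a real run feeds every export of each DLL the sample loads
    "kernel32.dll": [b"VirtualAlloc", b"CreateFileW", b"LoadLibraryA", b"GetProcAddress"],
    "ws2_32.dll": [b"connect", b"send", b"recv"],
}


def ror13_hash(name: bytes) -> int:
    """Assumed stand-in hash: for each byte, h = ROR32(h, 13) + byte."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def build_hash_table(exports=KNOWN_EXPORTS, hash_fn=ror13_hash):
    """Precompute hash -> ['dll!Name', ...] once; a list because two exports can collide."""
    table = {}
    for dll, names in exports.items():
        for n in names:
            table.setdefault(hash_fn(n), []).append(f"{dll}!{n.decode()}")
    return table


def resolve_hashes(hash_constants, table):
    """Map each immediate found at the resolver's call sites to the API name(s) it selects."""
    return {h: table.get(h, ["<unknown>"]) for h in hash_constants}


# --- string encryption ------------------------------------------------------------------------

XOR_KEY = b"\x5a\x13\xc4\x7e"  # constructed; the real key is data the decrypt routine reads
STRINGS = [b"C:\\Windows\\System32", b"POST", b"cmd.exe /c", b"User-Agent: Mozilla/5.0"]  # constructed


def xor_table(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def string_at(plain_table: bytes, offset: int) -> str:
    """Resolve one string reference: plaintext runs from `offset` to the next NUL."""
    return plain_table[offset:plain_table.index(b"\0", offset)].decode()


def constructed_table():
    """Encrypted table plus the offsets the code would pass to its decrypt routine."""
    offsets, pos = [], 0
    for s in STRINGS:
        offsets.append(pos)
        pos += len(s) + 1
    return xor_table(b"\0".join(STRINGS) + b"\0", XOR_KEY), offsets


def resolve_strings(enc_table: bytes, key: bytes, offsets):
    """Decrypt the whole table once, then answer every reference by offset."""
    plain = xor_table(enc_table, key)
    return {off: string_at(plain, off) for off in offsets}


if __name__ == "__main__":
    table = build_hash_table()
    # Immediates as you would read them off the resolver's call sites in MLIL (constructed here)
    seen = [ror13_hash(b"VirtualAlloc"), ror13_hash(b"connect"), 0x41414141]
    for h, names in resolve_hashes(seen, table).items():
        print(f"0x{h:08x} -> {', '.join(names)}")
    enc, offsets = constructed_table()
    for off, s in resolve_strings(enc, XOR_KEY, offsets).items():
        print(f"string @ {off:#x}: {s!r}")
```

Inside Binary Ninja the same tables are applied by iterating `bv.get_code_refs()` on the resolver (or string-decrypt) function, reading the constant argument off each MLIL call, looking it up, and writing the result back with `bv.set_comment_at()` or a symbol rename, so the decompiler shows `kernel32.dll!VirtualAlloc` instead of an opaque hash.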

  4. 45 min - Extracting Campaign Information
  • One of the main goals of malware analysis is extracting campaign information: the data tied to a specific malware distribution campaign. This includes Indicators of Compromise (IOCs), which defenders use to detect and block the malware on their networks, and the identifiers analysts use to track botnets. The exercise in this section will teach attendees how to extract this information using the techniques we’ve used throughout the workshop
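As an added example (not the workshop's code), the last step once the configuration has been decrypted with the techniques above: parsing it into campaign fields and a de-duplicated C2 list that can go straight into a blocklist or a botnet-tracking record. The record layout (u8 id, u16 length, value), the meaning of each field id, the C2 entry encoding and the configuration blob itself are assumptions constructed for this example using documentation IP ranges; the real format is whatever the exercise recovers from the sample.

```python
"""From decrypted configuration bytes to campaign information: campaign tag, build time, C2 list.

Added example, not the workshop's code. The record layout is an ASSUMPTION standing in for
whatever the final exercise recovers from the real sample: records of <u8 id> <u16 LE length>
<value>, the C2 value being repeated <4-byte IPv4> <u16 big-endian port>. The field ids and
the configuration blob itself are constructed inline, using documentation IP ranges.
"""
import datetime
import ipaddress
import struct

FIELD_NAMES = {1: "campaign_id", 2: "build_timestamp", 3: "c2_list"}  # assumed id -> meaning


def parse_records(blob: bytes):
    """Walk the TLV records; a record whose length overruns the blob is reported, not guessed."""
    records, pos = [], 0
    while pos + 3 <= len(blob):
        fid, length = struct.unpack_from("<BH", blob, pos)
        pos += 3
        if pos + length > len(blob):
            raise ValueError(f"record id={fid} at offset {pos - 3} claims {length} bytes past end")
        records.append((fid, blob[pos:pos + length]))
        pos += length
    return records


def decode_c2_list(value: bytes):
    """Assumed 6-byte entries: IPv4 then network-order port; a trailing partial entry is dropped."""
    entries = []
    for i in range(0, len(value) - len(value) % 6, 6):
        ip = ipaddress.IPv4Address(value[i:i + 4])
        port = struct.unpack_from(">H", value, i + 4)[0]
        entries.append(f"{ip}:{port}")
    return entries


def campaign_info(blob: bytes) -> dict:
    """Decode known fields, keep unknown ones as hex so nothing in the config is silently lost."""
    info = {"c2": [], "unknown_fields": []}
    for fid, value in parse_records(blob):
        name = FIELD_NAMES.get(fid)
        if name == "campaign_id":
            info["campaign_id"] = value.decode("ascii", "replace")
        elif name == "build_timestamp":
            ts = struct.unpack("<I", value)[0]
            info["build_timestamp"] = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat()
        elif name == "c2_list":
            for c2 in decode_c2_list(value):
                if c2 not in info["c2"]:  # de-duplicate while keeping config order
                    info["c2"].append(c2)
        else:
            info["unknown_fields"].append({"id": fid, "hex": value.hex()})
    return info


def constructed_config() -> bytes:
    """Sample blob: a repeated C2 entry and an unknown field id, to exercise both paths."""
    c2 = b"".join(ipaddress.IPv4Address(ip).packed + struct.pack(">H", port)
                  for ip, port in [("203.0.113.10", 443), ("198.51.100.7", 2222), ("203.0.113.10", 443)])
    records = [(1, b"tst01"), (2, struct.pack("<I", 1712000000)), (3, c2), (9, b"\x01\x02")]
    return b"".join(struct.pack("<BH", fid, len(v)) + v for fid, v in records)


if __name__ == "__main__":
    import json
    print(json.dumps(campaign_info(constructed_config()), indent=2))
```

Keeping unknown fields in the output matters in practice: a new field id in a sample is usually the first sign that the configuration format has changed, and silently skipping it hides exactly the information a botnet tracker wants.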
  5. 15 min - Closing and Questions & Answers