Modern Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing
Dr. Silvio La Porta & Dr. Antonio Villani

Dates

31st Jan - 3rd February 2022

Capacity

20

Price

4.000€

Introduction

The course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AVs, IPS, IDS, EDR), and how attackers design and operate their implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors.

The course will also cover real-world scenarios that impair (effectively slow-down or dissuade) reverse engineering efforts and make the job of first responders tougher. The techniques will be demonstrated in two ways: first, by reversing real malware samples, and then by reimplementing an improved version of the malware code and developing custom offensive tools. The training is designed from an attacker's point of view, teaching red-teams how to make their implants stealthier, but it will also teach defenders how to deal with the anti-reversing and the OPSEC techniques demonstrated in class.

The course focuses primarily on Windows malware and on the analysis, tweaking and re-purposing of real malware samples. Participants will be provided with plenty of custom code to facilitate the understanding of complex malware techniques.

As part of the course, theory sessions will be followed by exercises where participants will reverse and re-implement specific parts of real malware in order to fully understand the hidden corners of all the techniques involved.

Key Learning Objectives

    • Be able to recognize, implement and deal with stealthy malware/backdoor techniques and tradecraft.
    • Be able to modify malware components and pre/post-build tools to protect them against reversing efforts.
    • Become familiar with the latest advances in code and DLL injection techniques and customize reflective loaders.
    • Learn the tradecraft used by attackers to prevent, or effectively impair, defensive incident responders from analyzing their tools, payloads, and backdoors.

Who Should Attend

    • Developers and reverse engineers who want to understand the tradecraft from a different point of view
    • Red-team members who want to go beyond using third-party implants
    • Researchers who want to develop anti-detection techniques based on real malware/APT tooling

Prerequisites

    • Programming experience (C/C++, Python, .NET, or PowerShell preferred)
    • Be familiar with assembly language and debuggers (IDA Pro, WinDBG)

Laptop Requirements

    • Virtualization-capable CPU(s)
    • Minimum 8GB of RAM (for running one guest VM)
    • Minimum 80 GB free disk space

Software Requirements

    • Host OS Windows 10 64-bit
    • Debugging Tools for Windows (IDA Pro, WinDBG)
    • Sysinternals Tools
    • Virtualization software (VMware, VirtualBox)
    • Guest OS Windows 10 64-bit Version 2004
    • System Administrator access required on both host and guest OSs

Course Agenda

    • Refresher on malware reversing concepts and the PE format
    • Obfuscation and anti-reversing of the IAT
    • String obfuscation
    • How to make a good… Malware Builder
    • Advances in persistence techniques (COM hijacking, DLL proxying, hijacking providers, WMI, LoLBins)
    • Code injection techniques: from Reflective Loader to Phantom DLL Loader
    • Multi-stage malware
    • Validating the target machine
    • Sealing malware to the target machine
    • Splitting features into independent malware modules
    • Fileless malware components
    • Privilege escalation
    • Customization of encryption algorithms
    • Using multiple programming languages to run malware code
    • ETW internals and bypass
    • How EDRs hook your code and how to detect it

Bio

Dr. Silvio La Porta is a Senior Cyber Security Architect designing security products and researching advanced detection technology for complex malware/APT. Silvio was previously a lead research scientist with EMC Research Europe, based in the Centre of Excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He also led Security Service Level Agreement (Sec-SLA) and end-user security/privacy-protected data store projects for hybrid cloud environments. He is a frequent speaker at professional and industry conferences. Before joining EMC, Silvio worked as a Malware Reverse Engineer in Symantec’s Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy.


Dr. Antonio Villani has spent the past years analyzing high-level implants for top-tier customers, providing detailed implementation information to support cyber-defense and cyber threat intelligence teams. He now uses his experience in the reverse engineering of multi-stage implants to improve the detection and response capabilities of endpoint security products. As a researcher he has published in top-tier conferences and journals and has participated in European research projects in the fields of cyber resilience and data security. During his PhD he also worked in malware research and digital forensics.


Limited Seats - Remember to reserve your ticket!