Binary Analysis Course

Analysing malware is daunting at first sight, as there are many questions but very few answers. The information security community provides information to researchers, both publicly and privately. Most reports, however, focus on the outcome of the research rather than the process. As such, there are a lot of reports that show the results without explicitly stating how they were obtained. In this course, every step that is taken is explained in detail, so that one gains insight into both the thought process and the technical analysis.

The course’s structure

This course starts at the very beginning, where it is assumed that the reader has little to no low-level knowledge. It is expected that the reader is able to understand basic programming concepts such as functions/methods, variables, types and system calls.

Unlike most courses, this course aims to only use free and open-source software. This way, everybody can participate and follow the course, whereas most other courses are focused on proprietary tools which cost up to thousands of dollars. This won’t exclude such tools from being used in additional examples later on, but they will not be used as the sole tool in an example.

As the course progresses, the material gets more in-depth and complex. Throughout the chapters, practical cases are included. These cases serve two purposes. Firstly, the reader is presented with a puzzle every once in a while, instead of pure theory. Secondly, each case gives the reader insight into their own learning curve.

Table of contents

In the list below, each chapter (and the lessons in them) can be found. You can refer to this page as the table of contents or index, and bookmark it as such.

  1. Introduction to the course
    1. Practical case: Secura Grand Slam CTF “Easy Reverse”
    2. The workstation
    3. Basic CPU architecture
    4. Compilers and (dis)assemblers
  2. Assembly basics
    1. Conditions and loops
    2. Practical case: Patch Me 0x01
    3. Methods and macros: the call stack
    4. Practical case: Buffer Overflow 0x01
    5. Crash course
    6. Practical case: Crack Me 0x01
    7. Practical case: Crack Me 0x02
    8. Practical case: Crack Me 0x03
  3. Assembly code
    1. Hello World
    2. Universal Product Code calculator
    3. Debugging code
  4. Binary types
    1. Dot Net
    2. Java
    3. Android
    4. Browser plug-in
  5. Common techniques
    1. General techniques
    2. Analysing scripts
    3. Debugging Dot Net binaries
    4. Analysing high level languages
    5. Analysing low level languages
    6. Dealing with obfuscation
  6. Malware analysis
    1. Dot Net RAT
    2. Android SMS Stealer
    3. LNK & ISESteroids Powershell dropper
    4. Emotet droppers
    5. Magecart
    6. Corona DDoS bot
    7. Azorult loader stages
    8. Emotet JavaScript downloader
    9. Corona Locker
    10. ReZer0v4 loader
    11. Dumping WhisperGate’s wiper from an Eazfuscator obfuscated loader
  7. Analysis scripts
    1. PowerShell string formatting deobfuscation
    2. JavaScript string concatenation deobfuscation
    3. Automatic ReZer0 payload and configuration extraction
    4. Ghidra script to decrypt strings in Amadey 1.09
    5. Ghidra script to decrypt a string array in XOR DDoS
    6. Ghidra script to handle stack strings
  8. Malware snippets
    1. Self deletion
    2. API Hashing
  9. Obtaining samples
    1. Searching samples
    2. Trapping spam e-mails
    3. Setting up a honeypot
  10. Documentation
    1. Article structure
  11. Resources
  12. F.A.Q.
  13. Miscellaneous
    1. A year in review: 2018-2019
    2. A year in review: 2019-2020
    3. A year in review: 2020-2021
    4. A year in review: 2021-2022
  14. More to come!

To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.