2023-09-09, 15:25–16:25 (Europe/Berlin), Pupin
This workshop examines how to use the Qiling instrumented binary emulation framework to analyze PE malware executables. Students will learn about how to interact with the framework using Python code to detect execution conditions and to dynamically run custom analysis code. Specific skills the student will learn are dumping memory containing the next malware stage for further analysis as well how to circumvent anti-analysis features added to the malware by the adversary with the intent of foiling the malware analyst.
A working understanding of malware analysis as well as basic Python scripting are expected prerequisites for participating in this workshop. However, conferencegoers of any skill level are more than welcome to watch and observe the workshop as bystanders.
The focus of this workshop is how to analyze malicious PE executables using an instrumented emulation environment. The specific tool used is Qiling and the instrumentation will be written in Python. The specific aim will be to learn how detect conditions where a breakpoint should happen as well as how to dump memory for further analysis. Additionally, students will encounter anti-emulation features for which they will learn circumvention techniques.
Everything needed for this workshop is provided in self-contained cloud lab environments generated separately for each student. The only requirements are that the student's workstation have a working wireless NIC that can connect to the workshop wifi network and a fully updated Chrome browser. This workshop is independent of the other malware analysis topics. Any of the topics can be learned without needing to attend any of the other topical workshops.
Robert Simmons is Principal Malware Researcher at ReversingLabs. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert has spoken on malware analysis at many of the top security conferences including DEFCON, HOPE, botconf, and DerbyCon among others.
Robert, also known as Utkonos, has a background in biology, linguistics, and Russian area studies. He has lived extensively in Russia and Ukraine.