Recon 2024

Automating Malware Deobfuscation with Binary Ninja
06-30, 14:00–15:00 (US/Eastern), Soprano B

With the ever-increasing complexity of malware comes the need to automate tasks related to its analysis. Binary Ninja is a robust reverse engineering platform that provides a plethora of useful functionality when analyzing malware. This functionality includes a powerful Python API that can be used to automate a number of common malware reverse engineering tasks.

Throughout this workshop we will automate the deobfuscation of a real-world malware sample using Binary Ninja and freely available open-source tools.


[15 min] Introducing Workshop Resources and Content

The workshop will begin by familiarizing participants with the tools used in the workshop, including:

  • Binary Ninja (https://binary.ninja/) and Binary Ninja’s user-interface (UI) components that we will be using throughout the workshop (mainly the disassembler, decompiler, Python REPL, and scripting interfaces)

  • Binary Ninja’s Decompiler, which uses Binary Ninja Intermediate Languages (BNILs - https://docs.binary.ninja/dev/bnil-overview.html). These BNILs will be used to assist with understanding disassembled instructions during our reverse engineering process

  • Binary Ninja’s Python interface, which will be used for interacting with these BNILs

Participants will then be given a brief overview of the malware we will be analyzing (Qakbot) and the steps we will take to deobfuscate it.

[45 min] Writing a Static Unpacker

This section will teach participants how to automate the unpacking and decryption of malware samples, using the Qakbot sample as an example. The Qakbot sample is packed (wrapped by an external packer program so that the resulting binary “unpacks itself” when run), so we will work through multiple hands-on exercises to automate the extraction of Qakbot from its packed form using Binary Ninja, PEFile and Binary Refinery.

  • The first exercise will teach attendees how to use Binary Ninja to identify the encryption algorithm used by the first stage of the packer and how to extract key information to decrypt the second stage

  • The next exercise will teach attendees how to use PEFile (https://github.com/erocarrera/pefile) to extract an embedded resource from the packed binary. Once extracted, the resource will then be decrypted using the key information from the first exercise

  • The next exercise will teach attendees how to use Binary Refinery (https://github.com/binref/refinery) to carve binary files from the decrypted resource
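The last step above, carving PE files out of a decrypted blob, is what Binary Refinery does for the workshop. The following is an added example, not code from the workshop or from Binary Refinery: it implements the same carving idea with only the Python standard library so it runs offline. The blob it scans is constructed inline by `build_sample_blob()` (junk bytes, a decoy `MZ` with no PE header, and two structurally valid but non-executable fake PE images); the function and variable names are this example's own and are not taken from any real Qakbot sample.

```python
"""Carve embedded PE images out of a decrypted blob (added example)."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
MAX_SECTIONS = 96  # PE format limit; anything larger is a bogus header


def build_fake_pe(num_sections=2, section_size=0x200, fill=b"\x41"):
    """Construct a structurally valid, non-executable PE image for testing.
    Layout: DOS header (0x40) -> PE signature + COFF header -> PE32 optional
    header (0xE0) -> section headers -> section raw data."""
    opt_header_size = 0xE0
    headers_size = (0x40 + 4 + COFF_HEADER_SIZE + opt_header_size
                    + num_sections * SECTION_HEADER_SIZE)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0,
                       opt_header_size, 0x0102)
    opt = b"\x0B\x01" + b"\x00" * (opt_header_size - 2)  # PE32 magic, padding
    sections = b""
    raw_ptr = headers_size
    for i in range(num_sections):
        name = f".s{i}".encode().ljust(8, b"\x00")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocs/linenumbers (unused), Characteristics
        sections += name + struct.pack("<IIIIIIHHI", section_size,
                                       0x1000 * (i + 1), section_size, raw_ptr,
                                       0, 0, 0, 0, 0x60000020)
        raw_ptr += section_size
    body = fill * (section_size * num_sections)
    return dos + PE_SIG + coff + opt + sections + body


def pe_extent(blob, offset):
    """Return the on-disk size of a PE image starting at `offset`, or None if
    the bytes there do not parse as a PE header. The size is the end of the
    furthest section's raw data (the usual heuristic for carving)."""
    if blob[offset:offset + 2] != MZ or offset + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, offset + 0x3C)[0]
    pe_off = offset + e_lfanew
    if e_lfanew < 0x40 or pe_off + 4 + COFF_HEADER_SIZE > len(blob):
        return None
    if blob[pe_off:pe_off + 4] != PE_SIG:
        return None
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    if num_sections == 0 or num_sections > MAX_SECTIONS:
        return None
    sect_off = pe_off + 4 + COFF_HEADER_SIZE + opt_size
    end = sect_off + num_sections * SECTION_HEADER_SIZE - offset  # headers only
    if offset + end > len(blob):
        return None
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each section header
        raw_size, raw_ptr = struct.unpack_from(
            "<II", blob, sect_off + i * SECTION_HEADER_SIZE + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def carve_pe_files(blob):
    """Scan `blob` for MZ/PE headers and return a list of (offset, image).
    A hit inside an image that was just carved is skipped, so nested or
    overlapping matches do not produce duplicates. If the last image is
    truncated, the slice simply ends at the end of the blob."""
    found = []
    pos = 0
    while True:
        pos = blob.find(MZ, pos)
        if pos == -1:
            break
        size = pe_extent(blob, pos)
        if size is None:
            pos += 1  # not a real header (e.g. a decoy "MZ"), keep scanning
            continue
        found.append((pos, blob[pos:pos + size]))
        pos += size
    return found


def build_sample_blob():
    """Constructed test input: junk, a decoy 'MZ' with no PE header, a fake
    PE, more junk, a second fake PE, then trailing bytes."""
    pe1 = build_fake_pe(num_sections=2, fill=b"\x41")
    pe2 = build_fake_pe(num_sections=1, section_size=0x100, fill=b"\x42")
    return (b"\x00" * 17 + b"MZ\x90\x00garbage" + pe1
            + b"\xCC" * 33 + pe2 + b"\xFF" * 5)


if __name__ == "__main__":
    for off, img in carve_pe_files(build_sample_blob()):
        print(f"PE at offset {off:#x}, {len(img)} bytes")
```

The size heuristic (end of the furthest section's raw data) ignores overlays and certificates appended after the last section, which is the usual trade-off when carving from a decrypted buffer; a real sample would then be fed to Binary Ninja or PEFile for the actual analysis.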

Joshua Reynolds is the founder of Invoke RE. Joshua has over ten years of reverse engineering, malware analysis and security experience working for industry leading companies. He has spoken at major conferences such as RSA, DEF CON and Virus Bulletin on topics including ransomware and malicious document analysis. He is also the co-author of a malware analysis course that is taught annually at an academic institution.