The intent of this workshop is to reverse engineer existing malware to extract the portable executable (PE) injection technique to be replicated for use for red team operation tooling. The content of this workshop will begin by reverse engineering the malware Cryptowall and then go over the injection technique. The injection sequence consists of writing code into a newly created executable section in the target process, then using NtQueueApcThread to execute the target code.
Overview
Save Big on Coursera Plus. 7,000+ courses at $160 off. Limited Time Only!
Syllabus
Introduction
Background
Environment Setup
PE Injection
Manual Unpacking: Extracting the First Routine
Unpacking: Control Flow Obfuscation
Unpacking: Setting up Imports and Final Unpacking
Unpacking: Cryptowall Unpacked Code
Unpacking: Import Table Restoration
Injection Into Explorer: New Section Creation
Injection Into Explorer: Spawning a New Thread
Appendix