Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: SANS

SANS FOR610: Reverse Engineering Malware – Course Review


What follows is a review of the SANS FOR610: reverse engineering malware class taken at the SANS Prague 2013 event. What follows are rough notes, feelings and impressions from the class as it was taking place… Take it as you will, and I hope it proves useful for you in evaluating the class.

Note: Prior to the class I’d never done reverse engineering of malware… however I have done limited exploit dev and other tasks that dovetail well with some of the concepts.


Day 1 started off slowly walking through some simple malware using some behavioral and code analysis, before moving into the setup of our lab environments. Although the first half of the day was a little slow (and instructor led, so no hands-on), it brought everybody up to speed on what we’d be doing in the coming days and helped to lay the foundation for some of the more fun topics I’m sure are headed our way in the later part of the class. After a quick bite to eat we moved into the first hands-on section of the class.

The afternoon was spent slowly walking through the step by step process of performing a behavioral analysis of brbbot in our labs. The pace for the hands-on was a little slower than I’d have liked, but the step by step methodology helped really push home the process required. It was also nice to see procDOT (from the Austrian CERT team) mentioned as well, as an easy way to perform some of the steps.

The day finished off by walking through debugging brbbot in OllyDBG to perform code analysis and dive into some of the malware’s inner workings. Again that walk-through with the class was slow-paced with a few students struggling. With a class like this it’s hard to find a suitable pace to ensure everyone can follow along. That said, even though I’ve never done malware reversing before day 1 seemed slower than it really needed to be in a lot of places.

Day 2

As is standard with most SANS classes, we kicked-off day 2 with a quick recap of the topics covered in day 1 of the class, finishing off the day 1 material with a brief discussion of what should be included in a malware analysis report.

Diving into the real day 2 content we starting looking at commonly seen packers and how to deal with them. Aside from the simple UPX cases (which are apparently more common than I thought in malware) we looked at dumping the unpacked code from memory using a number of tools. Unfortunately we didn’t dive more into the process and how to do it without the tool. I know this isn’t a simple process, but I’ve always been more of the “do it the hard way and learn, before you use the point and click tool” guy. Still you can’t have everything, and the walk-through on doing the same kind of dump using OllyDbg and the OllyDump plugin was an interesting diversion.

After a quick bite to eat we ventured into some patching of executables using OllyDbg (in particular patching to avoid debugger checks). Moving away from Windows executables, we began looking at analyzing browser-based malware.

After going through the standard JavaScript de-obfuscation techniques (as well as some debugging of JavaScript with Firebug) we moved on to a brief (possibly too brief) look at Java based malware. To finish up the final hour we dove into SWF decompilation and static analysis of some older Flash malware. The tools and techniques covered were not that different from what we’d already covered. Seems that the debugging of SWF files is still trickier than it should be (at least without the aid of costly and specialist Flash debuggers). There’s just too many ways to trick the tools into misunderstanding the code, and an area that needs a lot more research.

Day 3

No reversing class would be complete without some serious time spent crawling around in assembly. The morning was filled with the usual fare, compilers, linkers, commonly seen assembly codes and the like. Nothing that most wouldn’t have already seen and read if they were interested in this area of security. Where I think the topics really made things clear was breaking down recursion and jumps and looking at the raw C and compiled assembly versions (or one possible assembly version). It really helped to show that you can tell if the original code was a loop or an If Else. Probably nothing earth shattering for most, but I found it interesting to go down to the level. We also covered jump logic extensively looking at the way the registers are used to store the results used for common jumps. Good stuff to know if you’re reversing unknown code.

The afternoon covered some anti-disassembling examples that malware authors use to cause headaches for people reversing their work, before moving into the final real topic of the day, user-mode rootkits. The afternoon session seemed to be a little rushed, maybe due to some delays earlier on in the day. Day 3 certainly tries to cram in more than previous days have and it showed at the end with a few sections covered in a little less detail than I’d have liked. Pity really, as I’d rather a few day 1 or 2 topics were given short shrift and replaced with more time to really dig in and look at sniffers, keyloggers and the like in Olly/IDA. Overall though, the best day so far… very good stuff!

Day 4

After a sleepless night (gotta love hotels) we dove into self defending malware and started to look at some of the more commonly seen anti-debugging techniques used by modern malware. Kicking things off we manually walked through a malware sample using SEH to fool analysts, and a simple packer to prevent easy analysis of the real malware. The same was interesting in the way it used multiple techniques to fool people trying to understand the executable, but was pretty simple to bypass the protections given a few minutes and a few hints on how it works. The SEH trick was an interesting one and not one that I’d thought of before (I’m not a malware analyst after all).

The afternoon continued on from the morning session dealing with more anti-debugging tricks used commonly by packers and malware writers (including timing based RDTSC and TLS Callback techniques, amongst others). Some of these techniques are probably well-known and documented amongst analysts, but as I’ve said before, as a non-malware analyst the techniques were new to me and made for an interesting afternoon in OllyDbg and shellcode.

finishing off the theme of malware that fights back, we moved into some web-based malware and JavaScript obfuscation techniques.

Day 5

Despite only 1.5 hours sleep (don’t ask…) day 5 started quickly diving into malicious Office and PDF documents. After covering the basics, we moved into some quick analysis of malicious samples using a range of tools and scripts. As expected, the PDF section of the class was a relative what’s what of Didier Stevens research. Some of it is things I’ve already read or seen based on Didier’s wonderful training and workshops. Still, there were some interesting extensions to this using tools like shellcode2exe to create a debuggable PE in order to walk through injected shellcode in a more controllable way. I particularly liked the technique of using libemu’s sctest to create an overview of what the shellcode is doing. Something that will definitely come in handy…

Moving away from malicious files we focused on the uses of memory forensics and how malware analysis can be performed on forensic images. As expected, volatility played a big part of the afternoon, using it to check connections, find hidden processes and dump out the unpacked malware from memory into a PE file to be analysed in the normal way. Using some of the more run modules in volatility we looked at detection of kernel and user-level rootkits and how to extract information from memory dumps that help us as malware analysts understand what malware is doing on a system.

Day 6

CTF style challenges to reinforce the material covered in days 1-5… I won’t go further into this, but the experience was a good one for sure! I managed to hover around 10th position before having to head off early to catch a train. Not stellar, but for a first time malware analyst, I guess it could have been worse 😉


The pace of the class was a common theme for me throughout the first half of the week, but quickly picked up pace midway through day 3. There’s a number of reasons for this, and it was hard to tell if the class was just paced for a more beginner crowd (disclaimer: I’ve never done malware reversing, but I’ve used a majority of the tools before for various other tasks/purposes), or if the pace was effected by a few people in the class that seemed to get lost pretty easily. I won’t launch into a tirade here about people doing technical classes and not having the chops for it, so consider the issue of pace discussed 😉

The tips/tricks and general processes for working with malware were very clearly discussed and worked very well during the course. How they work in real life with modern malware that wanted to stop you at every turn is to be seen. Although we covered some of the more common methods used by malware to cause problems for analysts, there’s no way you can cover them all. Things like that can only be learnt from experience and expose to different techniques and methods after all. The processes helped me quite a lot with a few debugger questions I had. Not just when it comes to malware, but also for more offense-based reversing (thick clients etc…)

The class is very tools based. This isn’t necessarily a bad thing, as most of what we do on a day-to-day basis is tools based… but the first half in particular lacked a certain amount of “rolling up your sleeves and getting into the dirt” that I personally like to see from classes like this. Although it’s a hard way to learn, I find that learning the hard way before you just load a tool makes you respect and understand the issue and the solution. This was dealt with better in the final days with much more hands on stuff. Also, as much as people like to say the day 6 CTF style challenge is a wasted day, I found that some parts of it helped bring back points I’d forgotten from the earlier parts of the class. This really helped reinforce things for me.

Overall the class was good for a beginner just looking to get a grounding in the topic. That said however the pace made it feel like the class could have achieved so much more in the first 2 days in particular. Missing were more automated and scriptable debugging of malware. Things like pydbg, vdb/vivisect and a number of other script based debuggers would have been nice to cover, even if only in passing. A number of the examples really fell into the category of easily scriptable, and it would have been nice to get some hands on with that stuff.

I think the class really came into its own in the later days… much more focused, technical and designed to really stimulate your thinking.

SANS SEC710: Advanced Exploit Development

SANS_Logo_REVAfter spending the week doing the Advanced Web App Penetration Testing class, what could be better than spending a couple of day doing exploit dev! Yeah, nobody said I was smart, but I am a sucker for punishment.

Day 1 – Linux

The class kicked off with a discussion of the dynamic Linux memory, followed quickly by a couple of interesting (albeit similar) heap exploit exercises. The class moved quickly (lots of content, little time) into overwriting function pointers (BSS segment exploitation). As usual the exercises (labs) that follow each section helped reinforce the information from the previous section. Although the exercise programs are simple (and often simple purposed) they do a good job of easing you into the exploit type your working on without distracting you with huge monolithic programs.

After lunch we started in on format string attacks, which left the class a little confused I think. So many characters that we’re not accustomed to in exploitation. Still, things sorted themselves out, and surprisingly I was even able to get the exploit working using direct parameter access techniques.

To finish up the day there were 2 exercises: The first was a proftpd exploit (that for some reason didn’t like working on my version of VMware Fusion). The second was the bootcamp portion of the class, and was based on a challenge from the DefCon 18 CTF pre-quals.

Unfortunately we didn’t get too much time on the bootcamp as we spent more time on format strings and fighting with proftpd than planned.

Day 1 was mostly performed using older (Gutsy/Edgy Linux) so very little (if any) ASLR or other advanced protections in place. That’s not to say the information in day 1 isn’t worthwhile… it’s just like everything else, it’s a starting point!

Day 2 – Windows

Monday morning kicked things off with an overview of patch diffing (using BinDiff, PatchDiff2, and turbodiff) with IDA Pro. For people who don’t know how IDA works, the class went through some basics on using IDA for diffing. I found this a bit of a shame personally. I have no intention of buying IDA Pro (as I’m not an exploit dev) and the demo version used in class doesn’t support diffing (which is the primary use for SEC710). I’d have liked to have seen the class stick to open-source or free versions to keep the playing field flat for everybody in class. Still, BinDiff and IDA Pro are the de-facto standard, so I can see where the class is coming from. Using free or open-source alternatives may have made the examples so complex as to be unusable.

Some background info was a little fluffy for my liking. For example, the section on Microsoft patches started off with a discussion on how Microsoft releases patches and how to get patches from the MS website. Good info, but mostly known and not really something that warrants more than a 60 second refresher.

The real meat of day 2 was working through the old ms07-17 ANI exploit. Taking it from patch diffing with IDA (free or pro) through to a working exploit on a Vista host. The final exploitation used heap spraying to get code execution. Unfortunately the walkthrough of the exploit on a Windows Vista system was trickier than first thought and didn’t run as smoothly as it could have. Exploitation isn’t easy though, else we’d all be doing it…

Although the appendix talks about ROP gadgets and touches on Windows 7 x64 and Windows 8, these weren’t covered in the class itself. There is an exercise at the end of the book however that touches on Win7 exploitation.


A Lot of topics the class covered were a bit over my head as I don’t do this stuff on a daily basis, and unfortunately spent most of day 2 fighting with VMware fusion issues. SEC710 is not an easy class and tries to cram a LOT of information into the 2 days without going too long despite the bootcamp section. At the end of the class there is still a lot of content that needs to be reviewed to solidify things however, as well as the additional appendix content that’s not really covered in normal class. Exploit development isn’t for the faint of heart though, and anybody who thinks they can walk out of a 2 day class as a reverse engineer or exploit developer is fooling themselves.

People seem to want to compare SEC710 with Corelan’s Win32 Bootcamp. Although they both cover exploitation, SANS SEC710 covers different topics from the Corelan Live bootcamp (Linux being the biggest example) and the classes with SANS don’t run as long 😉 (Corelan likes to run 12 hour sessions both days… which is exhausting, but fun!).

Realistically there is no comparison between the two classes. SEC710 covers topics that are not covered in the Corelan class, and vice versa. As a result you end up with a broader knowledge from SEC710, but a much more detailed view from the Corelan class. Neither is better, they are simply different! Having said that, I found the explanations of the techniques are not as clear in SEC710 as they are in the Corelan Live – Win32 Exploit Development Bootcamp. Then again, having 2 days to focus on Windows means less setup, and more time to really deep dive without the confusion of describing different operating systems and how they differ.

Overall I enjoyed the class (despite not really being an exploit developer myself)… Everytime I sit in on one of these classes I learn a little more. Maybe one day I’ll actually have time to do the after class work to actually understand things fully!

Personally I hope they make some changes to SEC710 to make it deeper. To manage that I think they’d need to split the class into a 2 day Linux exploitation and a 2 day Windows exploitation class. Covering all the information in a single 2 day class just isn’t really feasible and leaves the student wanting more!


SANS SEC642: Advanced Web App Penetration Testing and Ethical Hacking (review)

After taking a year off from SANS London (a trip to Colombia was too much to resist last year), I flew back over to sunny London (ha) to attend the new SEC642: Advanced Web App Penetration Testing class with Justin Searle. As I’ve had a few people ask about the class I thought I’d write-up some thoughts as I go through the class… Hope they come in handy for people interested in the class content!

Day 1

Day 1 kicked off with a quick refresher on the testing methodology to ease people into things. SEC642 is strongly focused on the discovery and exploitation of vulnerabilities, but the importance of recon and mapping was emphasised during the process, as well as the process used to work through an application from initial recon through to the exploitation phase. One key point raised, and one that most people ignore, was the requirement to finish discovery of flaws (or potential flaws) in an application, BEFORE starting to exploit them. Although the exploitation phase is where we all have the most fun, it’s important for our clients to ensure we have as much coverage of the application as possible.

Jumping straight in, we discussed the more abstract and oft mis-used or unknown features of Burp Suite. It’s amazing the features that you never notice or use simply because you didn’t know they were there. Things like the Burp web interface (http://burp) and the ability to output log files (yes, even in the free version). We also touched on Burp scripting, although briefly. I’d loved to have dived into some more detailed scripting, but I get the feeling this process will be changing slightly with the 1.5 pro release, so maybe it’s better to wait anyhow 😉

With everybody on the same page with Burp, we moved into LFI (Local File Inclusion) and RFI (Remote File Inclusion). Alongside the simple examples there were some advanced methods exploiting LFI issues on various target platforms. Particularly interesting was the PHPINFO trick for using LFI to gain remote code execution on a system, as well as some interesting php://filter tricks to read the content of PHP files without them executing. It was good to have a test lab to try out the intricacies of these tricks and get the chance to get them running well and truly understand the ins and outs of the techniques.

To finish of day 1 we talked SQL Injection, with a short refresher in the basics before jumping into more advanced exploitation (including timing based and heuristic and binary search trees). We finished up day 1 with a couple of  SQLi labs to try out some of the more common SQL Injection tools (Havij, SQLmap)…

Day 2

Moving into the second day we shifted focus to “discovery and exploitation for specific applications”. We kicked things off with coverage of DOM based XSS, which is something that is often discussed, but seldom tested. Although the theory is simple enough, detection (and in particular automated testing tools) to discover DOM based XSS is not always an easy task. No discussion of XSS would be complete without looking at how it can be leveraged to attack clients, and as expected a number of possible payloads were discussed. It’s nice to see some examples of keylogging and geolocation payloads present, but the addition of scriptless attacks was particularly interesting. It was one of those “Oh yeah, that’s obvious… why didn’t I think about that sooner” moments. Sometimes you just can’t inject JavaScript, so having a few useful non-JavaScript attack payloads will certainly come in handy for those tricky apps.

web-app-security-imgMoving on from XSS, the class discussed more advanced XSRF attacks focusing more on the use of AJAX to perform attacks that are invisible to users. After some bad JavaScript coding (I’m no coder) we discussed CSRF protections and methods to bypass them by combining XSRF and XSS vulnerabilities within an application. The discussion of XSRF culminated in the creation of a simple self replicating XSRF attack (ala sammy).

To finish off the day we focused on application specific attacks against Sharepoint and WordPress systems. Personally I’d rather have spent the time discussing more in-depth workings of Sharepoint (or other enterprise grade systems such as Lotus Domino, SAP, etc…) than WordPress. Then again, you can’t please everybody all the time, and it was good to see @ethicalhack3r‘s wpscan mentioned in the WordPress section.

Overall day 2 was a little slow for my liking. Although it was nice to get some refresher on some points, it would have been cool to play with more varied XSS payload tricks, and maybe even look at some non-JavaScript injection (VBscript,…) and XSS via CSS, Flash files etc… Maybe SEC742 😉

Day 3

Of all the content, the crypto day was the one I was looking forward to most out of the class. Crypto is often something people skim over on a penetration test, so it’s nice to get some practical exercises in more advanced crypto based attacks.

The day started off with a quick grounding in common ciphers and hash algorithms, and moved on to methods for identifying encryption within web applications. The meat of the day was spent discussing attacks against CBC and ECB encryption modes (including bit flipping, CBC chosen plaintext, padding oracles and ECB shuffling attacks). With a good mix of theory and practical examples/exercises the class really helped to give a good understanding of how things work in the background, and how the can be exploited to attack or extract data from a web application.

Day 3 was a theory heavy day, and certainly a departure from days 1 and 2… I would have liked to have spent more time looking at crypto flaws, but there’s more gold in them their web applications than crypto alone!

Day 4

No advanced class would be complete without talking about bypassing web application firewalls and filters. Day 4 covered some of the more common ways to detect and enumerate WAF’s and other protections, and how to work around some of the protections they offer. Some interesting techniques such as DATAURI and CDATA blocks were touched on, as well as the more common comment and onerror/onload style bypass techniques. We also covered some groundwork on HTML5 and it’s use in injection and bypassing common filters. The day finished up with a quick look at sqlmap tamper scripts and the little used evasion techniques built into sqlmap itself.

I felt that day 4 was a little basic for an advanced class. With so many options for evading detection or active filtering, I think the coverage was a little light.

Day 5

Day 5 stepped away from the world of Web Applications for a while to venture into mobile security. Although it seems at first blush to be a bit of a strange thing to include in a web app class, a lot of mobile application testing crosses over into the web app realm. Things like SOAP and REST are common to mobile applications and web application testing, providing the perfect chance to cover some mobile security alongside the standard web application testing.

Some of the background information on mobile platforms was a little too detailed for my liking (interesting, but not really relevant to web application testing), the exercises proved interesting and allowed people to play with capturing web traffic from mobile emulators.

Day 6

As with a lot of the SANS penetration testing classes, the final day of the class was a capture the flag style challenge to enforce some of the topics covered in the class. A majority of the keys were pretty simple to find, and I won’t spoil it for you by giving you too much info. I’d have like to have seen some more of the crypto content in the CTF, but I guess in a small timeframe you can’t do everything!

Overall the CTF was a fun experience… and as usual, I did terribly! Somehow I just can’t get into CTFs


The SEC 642 is a very young course, and isn’t without its flaws and issues. Saying that, the foundation is there for a good followup to the SEC542 class. With a few tweaks and changes (that I’m sure are already in the works) the SEC642 class should provide a good addition to the SANS penetration testing range of classes. If you’re doing penetration testing and found the SEC542 class a little too light for you, then SEC642 is definitely something you should look at in the future.

I would have liked to have seen even a passing mention to Metasploit as it pertains to Web Application testing, perhaps even replacing some of the less advanced sections with a few useful examples and labs. Still, you can’t have your cake AND eat it… and most people don’t see Metasploit as a useful tool in their web application testing arsenal (mores the pity!).

Some days may spend a little too long reviewing basic principles (sometimes for good reason), as well as a little too much focus on defense sometimes (defense is good, but this IS an exploitation course). You can’t please everyone though, and I think the class strikes a reasonable balance.


SANS Germany 2012

So a little birdie told me that the fine folks over at SANS are arranging a conference in Germany this year. Unfortunately I can’t get the time off to attend, but I managed to wrangle a discount code incase any of you fine reader types are thinking of attending…

SANS Germany 2012
SANS Germany 2012 is coming up soon on 5-10 March at the Arcotel Camino in Stuttgart. This will be the first SANS training conference in the country since 2008. SANS is bringing some of its biggest classes back to Europe by popular demand.

SEC504: Hacker Techniques, Exploits and Incident Handling
MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression
DEV522: Defending Web Applications Security Essentials

So if you’re thinking of attending, the discount code “SANS5DE12” should be good for 5% off the cost of the course. Enjoy!