Workshop Information:

Title: An introduction into DotNet Malware Analysis

Time (Pacific): 0800-1200

Location: Acacia A

Cost Per Person: $0 (FREE)

To attend, you must purchase a [TDI Ticket] AND [a Workshop “General Admission” ticket AND the add-on for this workshop].

Introduction Into DotNet Malware Analysis

Presenter(s): Max Kersten, info@maxkersten.nl

Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable. In 2019, Max graduated cum laude with a bachelor’s in IT & Cyber Security, during which he also worked as an Android malware analyst. Currently, Max works as a malware analyst at Trellix, where he analyses APT malware and creates open-source tooling to aid such research. Over the past few years, Max has spoken at international conferences such as Black Hat (USA, EU, MEA, Asia), DEFCON, and Botconf, among others. Additionally, he has given guest lectures and workshops for several universities and private entities.

Prerequisites:

  • A laptop (x86_64-based) capable of smoothly running one x86_64 Windows 10 VM
  • Visual Studio Community Edition (2019 or later) on the VM
  • The DotNet Framework runtime for version 3.5 and later on the VM (Windows 10 installs version 4 by default; 3.5 has to be enabled separately as an optional Windows feature)
  • dnSpyEx, de4dot, DotDumper, and other tools can be downloaded during the workshop, as these are small in size
  • An understanding of VB.NET/C#, and preferably some comfort writing it. It is possible to join the workshop without being able to write code, but you will notice this in the later stages of the workshop.

Abstract:

DotNet-based malware started out as a novelty but has shown that it is here to stay. With DotNet malware being used by APT actors, script kiddies, and everyone in between, it is safe to say that one will encounter it sooner rather than later. This four-hour workshop primarily focuses on the analyst mindset and fundamental knowledge, covering topics such as loaders, unpacking, obfuscation, DotNet internals, and (un)managed hooks. In short, one will learn how to analyse DotNet malware and how to write automatic unpackers. As such, this class is well suited to aspiring and beginning analysts, while also providing background information and additional techniques for intermediate analysts.

The workshop’s materials will partially consist of real malware samples. The precautions for handling them will be explained in detail during the workshop, ensuring the safety and integrity of the attendees’ systems; taking a snapshot of the VM beforehand is recommended so that it can be reverted once the workshop is over.