YoVDO

Malware Armor

Offered By: YouTube

Tags

Conference Talks Courses, Cybersecurity Courses, Cryptography Courses, Virtualization Courses, Malware Analysis Courses, Dynamic Analysis Courses, Static Analysis Courses, Yara Courses, Obfuscation Courses

Course Description

Overview

Explore dynamic and static malware analysis techniques in this 46-minute talk from Circle City Con 2015. The dynamic-analysis portion covers Process Explorer, Process Monitor, INetSim with Wireshark for faking and capturing network traffic, and debuggers; the static-analysis portion covers PE Studio and 010 Editor templates. The talk then surveys the types of "malware armor" an analyst runs into: anti-virtualization (detecting virtualization artifacts such as virtual MAC addresses, with Emotet's anti-VM checks as a case study and an IDA script to highlight anti-VM instructions), anti-debugging (timing checks and Thread Local Storage callbacks), and anti-disassembly (how the two types of disassemblers can be broken). It also covers obfuscation by XOR encoding, cryptography and packing, the Veil Framework, Shiva anti-RE, memory collection, and Yara for pattern matching, and shows how to bypass anti-VM measures during analysis.
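Two of the armor techniques named above, virtual MAC address detection and XOR encoding, worked through as an added Python example (not code from the talk or from this page). The OUI table is a small illustrative set of IEEE-registered hypervisor vendor prefixes, not an exhaustive list; the obfuscated blob, its key and the crib are constructed here. The second half shows the analyst's side of XOR: trying all 256 single-byte keys and using a known plaintext fragment to pick the right one.

```python
"""Added example: a virtual-MAC anti-VM check and single-byte XOR key recovery."""
from __future__ import annotations

import re
import uuid

# IEEE-registered OUIs (first three bytes of a MAC) for common hypervisor
# vendors. Illustrative subset; real malware and real analysts keep longer lists.
VIRTUAL_OUIS = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:1c:42": "Parallels",
    "00:16:3e": "Xen",
}


def normalize_mac(mac: str) -> str:
    """Accept 00-0C-29-.., 000c29.., or 00:0c:29:.. and return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def virtual_vendor(mac: str) -> str | None:
    """Return the hypervisor vendor whose OUI the MAC carries, or None."""
    return VIRTUAL_OUIS.get(normalize_mac(mac)[:8])


def host_mac() -> str:
    """One local MAC via the standard library. uuid.getnode() may fall back to a
    random 48-bit value (with the multicast bit set) if no hardware address is found."""
    node = uuid.getnode()
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


# --- single-byte XOR: the obfuscation and the analyst's brute force ---------

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def rank_xor_keys(blob: bytes) -> list[tuple[float, int]]:
    """All 256 keys ranked by how printable the decoded output is.
    Many keys keep ASCII printable (e.g. ones that only flip low bits), so this
    is a shortlist, not a verdict."""
    return sorted(((printable_score(xor_bytes(blob, k)), k) for k in range(256)),
                  reverse=True)


def recover_xor_key(blob: bytes, crib: bytes) -> int | None:
    """Return the key under which the decoded blob contains the crib (a known
    plaintext fragment such as b"http" or b"kernel32"), or None."""
    for key in range(256):
        if crib in xor_bytes(blob, key):
            return key
    return None


# Constructed sample: a C2-style URL obfuscated with key 0xA7 (high bit set, so
# the raw blob contains no printable ASCII at all).
SAMPLE_PLAIN = b"http://example.invalid/gate.php"
SAMPLE_KEY = 0xA7
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    mac = host_mac()
    print(f"local MAC {mac}: {virtual_vendor(mac) or 'no hypervisor OUI match'}")
    key = recover_xor_key(SAMPLE_BLOB, b"http")
    print(f"recovered key 0x{key:02x}: {xor_bytes(SAMPLE_BLOB, key)!r}")
    print("top printable-score candidates:", rank_xor_keys(SAMPLE_BLOB)[:3])
```

The MAC check is exactly what the anti-VM sample does in the other direction: the malware compares its own OUI against such a table and exits or misbehaves on a match, which is why the "bypass anti-VM" step in the talk amounts to changing the guest's MAC to a non-hypervisor prefix. The ranking function is deliberately kept as a shortlist because single-byte XOR preserves printability under many keys; the crib is what makes the recovery deterministic.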

Syllabus

Intro
About This Talk
Dynamic Analysis Intro
Process Explorer
Process Monitor
INetSim + Wireshark
Debugger Video
Static Analysis
PE Studio
010 Editor Templates
Types of Malware Armor
Detecting Virtualization Artifacts
Virtual MAC Address Detection
Emotet Anti-Virtualization - Kaspersky
IDA Script to Highlight Anti-VM Instructions
How do we bypass Anti-VM
Anti-Debugging
Timing Checks
Thread Local Storage (TLS) Callbacks
Anti-Disassembly
Two Types of Disassemblers
Breaking Your Disassembler
Interactive Disassembler
Shiva Anti-RE
Shiva RE Redefined
Veil Framework
Obfuscation
XOR
Cryptography
Top Packers
Unpacking Tools
Memory Collection
Yara - "pattern matching swiss knife"
Conclusion
References
FIDELIS

