26 lines
3.4 KiB
Markdown
26 lines
3.4 KiB
Markdown
+++
|
|
title = "I want to learn malware analysis (again)"
|
|
date = 2024-08-28
|
|
updated = 2024-08-29
|
|
[taxonomies]
|
|
tags = ['malware analysis']
|
|
+++
|
|
|
|
## What got me hooked
|
|
|
|
The heading says it all: I *really* want to learn malware analysis. Ever since I finalized the [Practical Malware Analysis & Triage](https://academy.tcm-sec.com/p/practical-malware-analysis-triage) course by [TCM Security](https://academy.tcm-sec.com/), I was hooked. I 💚loved💚 the entire course, especially diving deep into binaries, (trying) reverse engineering, debugging. I went through all the material, did the labs and wrote up a report, a (very shallow) static and dynamic analysis of a WannaCry-sample. I found my niche (or so I thought...)
|
|
|
|
## Rabbit holes
|
|
|
|
One thing that bothered me throughout the course, was the lack of direction and stable ground when investigating and debugging binaries. I found myself stuck reverse engineering functions that were not user written code (C runtime for example). I got close to a particularly interesting part, stepping into and over functions, all to ultimately never reach that goal of finding a specific return value or determining a critical execution flow junction. So I thought to myself: what's the best way to learn how programs work, and flip them inside out? By building them myself! With that motivation, I dove deep back into Python 🐍, thinking, this will be a good starting ground to hop over to C 🖥️ later. But...I think I got stuck at the first step! 🛑 Over the last year, I got really hooked on programming. Some of the stuff I (partially) made:
|
|
|
|
* A [`Flask`](https://flask.palletsprojects.com/en/3.0.x/) website to look up individual URLs, websites, IP addresses and email addresses for general security analysis purposes. [(Code and screenshots here)](https://code.joostagterhoek.nl/joost/flask-soc-site).
|
|
* A command-line interface tool that does the same, without the upload feature. I still need to add relevant emphasis on certain values and legend explanations. The tables are drawn with the [`rich`](https://rich.readthedocs.io/en/stable/introduction.html) module. [(Code and screenshots here)](https://code.joostagterhoek.nl/joost/cli-lookup)
|
|
* Finally, the same idea, now in a [`Tkinter`](https://docs.python.org/3/library/tkinter.html#module-tkinter) GUI app. I'm currently reimplementing the basically functioning app into classes for the main app and the frames, which is proving quite challenging. ([Code and screenshots here](https://code.joostagterhoek.nl/joost/gui-host-lookup))
|
|
|
|
## Refocused (with more experience)
|
|
|
|
Trying to get back into malware analysis, malware study in general, has been really difficult for the past couple of weeks: the Practical Malware Analysis-book I was working with feels entirely foreign (I also can't get the labs to properly function, as it's all Windows XP-based and the executables don't do what the book says). After some frustrated attempts, I will now refocus on my two main interests in the field of malware: developing 🏗️ and reverse engineering 🖥️ .
|
|
|
|
Developing I hope to do with my brand-new lifetime access to [Maldev Academy](https://maldevacademy.com). Reverse engineering by reading and practicing along with the (so far very practical) book [Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation](https://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315). I hope to post any notes or blog posts about my progress here.
|