CANCELED Randy Pargman & Joshua Galloway - Learn Reverse Engineering by Writing a C RAT

    Randy Pargman & Joshua Galloway - Learn Reverse Engineering by Writing a C RAT
    Latest details, requirements, description, cost:

    Training description:

    Learn malware reverse engineering by building a Remote Access Tool (backdoor) from scratch, using C and C++ code provided by the instructors.
    By the end of the class, we'll be defeating packers, decrypting RC4-encrypted payloads, writing and reverse-engineering a loader that uses anti-disassembly and anti-debugging tricks, injecting a DLL into another process to hide it, then learning reverse engineering skills that let us dodge those bullets and bypass the anti-analysis tricks like Neo would if he were reverse engineering in the Matrix.

    Course overview:

    Learning Objectives
    During the course of this class, learners will have the opportunity to gain the following skills, if they choose to participate fully:
    1. Using Microsoft Windows 11 Developer VM (free) and Visual Studio 2022 (free), write and compile a very simple DLL file for Windows in C that writes content to a file on disk.
    2. Run DLL files from the command line using rundll32.
    3. Using IDA Free 7, perform static code analysis of a very simple DLL file and explain its purpose.
    4. Using x32dbg, set breakpoints and step through running the instructions of a simple DLL file via rundll32.
    5. Create a Microsoft 365 Developer Tenant (free) for testing MS Teams, etc.
    6. Use vcpkg to install static libraries for Libcurl and cJSON in Visual Studio 2019
    7. Modify the C code of a simple DLL project to send a simple message through Microsoft Teams via a webhook URL.
    8. Using IDA Free and x32dbg, analyze the new version of the DLL and find the instructions responsible for network connections.
    9. Using C source code provided by the instructor, modify the DLL project to be a typical Remote Access Tool (RAT) capable of running commands, listing files and processes, and reporting the output to a Command-and-Control server.
    10. Modify the DLL to allow execution using rundll32, regsvr32, and msiexec.
    11. Using IDA Free and x32dbg, analyze the relevant portions of the RAT to identify the main command loop, commands recognized, network connections, and behavior-based indications of compromise that could be used by threat hunters and security engineers.
    12. Write a tactical malware analysis report, focusing on actionable details (given a report template from the instructors to fill in the blanks).
    13. Provide constructive feedback to another student about their malware analysis report.
    14. Analyze another student's version of the DLL with a few minor modifications and identify the relevant changes in functionality added by the other student.
    15. Analyze code written in Nim and Go to compare/contrast differences introduced by compilers and languages.
    16. Using Python and C source code provided by the instructor, modify the DLL file to XOR encode some of the strings in the DLL project.
    17. Using IDA Free, analyze the XOR decoding function in another student's DLL to find the key bytes and decode the encoded strings.
    18. Using C code provided by the instructor, modify the DLL project to detect when it is being run in a virtual machine or debugger, causing the DLL to modify its behavior when analyzed.
    19. Using IDA Free and x32dbg, recognize the anti-analysis code in the DLL and patch the instructions to bypass the protections and analyze it anyway.

    Bonus Learning Objectives (if time permits):
    20. Modify the DLL to load Windows API functions dynamically using hashed DLL and API function names.
    21. Using IDA Free, recognize the API hashing/loading code and reverse-engineer the hashing function to find the libraries that the malware loads.
    22. Learn to use Ghidra as an alternative to IDA.
    23. Modify the DLL to inject code into another process and analyze the result.
    24. Implement RC4 encryption and recognize the algorithm in assembly.
    25. Implement a simple packer/crypter that contains an RC4-encrypted copy of the RAT DLL payload as a resource file, extracts and decrypts it, saves the DLL to disk and executes it with rundll32.
    26. Modify the packer/crypter to execute the unpacked DLL from memory instead of writing it to disk.
    27. Use Hasherezade's PE-sieve to dump payloads from memory and analyze them with IDA or Ghidra.
    28. Write a PowerShell script that uses reflective DLL injection to download and execute the DLL payload from memory.
    29. Write a Visual Basic for Applications (VBA) macro in a Microsoft Word document that will execute a PowerShell script.
    30. Analyze another student's PowerShell & VBA loader and obtain the final payload for analysis.
    31. Write an advanced malware analysis report and provide constructive feedback about another student's advanced report.
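    As an added illustration of objectives 24 and 25 (not part of the announcement and not the instructors' course code): a Python RC4 implementation commented with the structural features an analyst uses to recognize the algorithm in a disassembly, plus an analyst-side helper that decrypts an RC4-encrypted resource blob and checks that a PE image came out. The key and the "resource" bytes below are constructed for the example.

```python
"""RC4 as an analyst re-implements it to decrypt a payload carved out of a
packer, with the disassembly fingerprints noted in comments. Added example."""


def rc4_ksa(key: bytes) -> list:
    # Key-scheduling algorithm. In a disassembly this is the tell-tale pair of
    # 256-iteration loops (loop bound 0x100): one filling S[i] = i, then one
    # doing j = (j + S[i] + key[i % keylen]) & 0xFF followed by a byte swap.
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # Pseudo-random generation: i += 1, j += S[i], swap, then output
    # S[(S[i] + S[j]) & 0xFF] XORed into each byte. Encrypt and decrypt are
    # the same operation, which is why one routine serves both in malware.
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_payload_resource(resource: bytes, key: bytes):
    """Decrypt a resource blob as a packer from objective 25 would, and
    sanity-check the result: a real DLL payload starts with the 'MZ' DOS
    header, so anything else means the key (or the blob) is wrong."""
    plain = rc4_crypt(key, resource)
    return plain if plain[:2] == b"MZ" else None


# Constructed sample: a fake PE-like stub encrypted with a made-up key, standing
# in for the RC4-encrypted DLL resource an analyst would extract from a packer.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_PLAIN = b"MZ" + b"\x90" * 14 + b"constructed fake PE stub, not a real DLL"
SAMPLE_RESOURCE = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    recovered = decrypt_payload_resource(SAMPLE_RESOURCE, SAMPLE_KEY)
    print("payload recovered" if recovered == SAMPLE_PLAIN else "wrong key")
```

The assertions use the standard published RC4 test vectors, so the same code can be checked against any RC4 routine recovered from a sample.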

    Student skill level:

    This is an advanced level class. No prior experience writing or reverse engineering software is assumed or required, but it is very helpful to have at least some familiarity with the concepts of both coding and reading x86 assembly. Learners without prior experience should come with an intense curiosity and a desire to learn quickly.

    What should students bring to the Training?:

    Learners must have a computer with virtualization software (VMWare Workstation or Fusion, VirtualBox, Parallels, etc) and know how to use it. The host computer should have at least 8 GB of RAM and at least 4 CPU cores so that 4GB of RAM and 2 CPU cores can be allocated to the virtual machine. We will use the free Windows 11 VM with developer tools provided by Microsoft:

    Learners MUST bring a computer with virtualization software (VMWare Workstation or Fusion, VirtualBox, Parallels, etc) and know how to use it.

    Learners must create a free Microsoft 365 Developer program account before the class start date: and be able to access their account during the class.

    We will provide an on-line session (and a recording of it) at least a week in advance of the training to make sure everyone has their VM set up correctly and is ready to go, answer questions, etc. We'll need to send out a link to the online session (Zoom) beforehand.


    Randy Pargman is the VP of Threat Hunting & Counterintelligence at Binary Defense. In this role, Randy leads the Threat Hunting team in reverse engineering malware and developing new techniques for detecting signs of emerging threats and attacker behavior that evade or defeat traditional security solutions. He also leads the Counterintelligence and Intelligence Operations Teams in researching threat actors, finding threat information on Darknet hidden websites, criminal forums, dump sites and social media platforms.

    Joining Binary Defense in 2019, Pargman had previously spent 15 years at the Federal Bureau of Investigation as a Senior Computer Scientist with the Cyber Task Force in Seattle, Washington as well as the global Cyber Action Team.

    Randy has over 20 years of experience in technology, including software engineering, digital forensics, and security. Randy continues to develop software in support of not-for-profit organizations and causes, including a project to help private security researchers more effectively and efficiently notify organizations around the world when they have been victimized by cyber criminals.

    Randy enjoys giving back to the security community by providing education and learning opportunities for others. Last year, he designed and taught classes in threat research using a shared-use security laboratory, and in 2022 he is teaching this malware reverse engineering class.

    Joshua Galloway is a security researcher passionate about malware reverse engineering. They have worked in a range of roles in cybersecurity for the past six years, and first finished the Flare-On reverse engineering CTF in 2020. They finished Flare-On twice as quickly in 2021. When they are not researching the latest developments in malware, they spend time on language learning and researching a broad range of interests outside of security.

    Trainer(s) social media links:
    Joshua: N/A

    DATE: Aug 15th to 16th, 2022
    TIME: 9am to 5pm PDT
    VENUE: Caesars Forum Ballroom
    TRAINERS: Randy Pargman & Joshua Galloway

    - 16 hours of training with a certificate of completion for some classes
    - COVID safety: Masks required for indoor training
    - Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
    - Note: Food is NOT included

    Last edited by number6; July 30, 2022, 20:44.