GCC Global Cybersecurity Camp

GCC 2022 Taiwan Lecture 3

Reverse Engineering Malware Written in C++ with IDA and Semi-Automated Scripts

Abstract

C++ is widely used in a variety of malware, such as RATs and banking Trojans, etc. Malware written in C++ is often object-oriented. Analyzing it requires knowledge and experience with classes and their inheritance, vtable, and basic strings, in addition to knowledge of analyzing malware written in C. In this course, attendees will learn how to quickly find and deal with such features.

In this course, we will use IDA Free for analysis. Although Ghidra, which is popular among CTF players these days, is useful for analyzing simple and/or small programs, and under certain conditions, it is still inferior to IDA in many aspects, such as processing speed, decompiler accuracy, and a variety of third-party scripts and plug-ins. IDA is still the de facto standard reverse engineering tool.

One of the trainers has developed and released a third party plug-in for IDA called CTO (Call Tree Overviewer). He will also explain how to use it to perform analysis more efficiently.

In this course, while learning how to use IDA, we will analyze actual malware written in C++, and aim to learn the techniques including the know-how. Afterwards, we will practice the techniques we have learned through CTF-style games, having fun, cooperating and competing with each other.

Trainer

Name: Hiroshi Suzuki and Hisao Nashiwa
Bio :

Hiroshi Suzuki is a malware analyst, a forensic investigator, an incident responder and a researcher, working for a Japanese ISP, Internet Initiative Japan Inc. He is a member of IIJ-SECT, which is the private CSIRT of his company. He is especially interested in targeted attacks, their RATs and their attack tools, such as PlugX, Mimikatz and so on. He has over 16 years dedicated to these areas. He has been a speaker and a trainer for international conferences such as Black Hat (USA, Europe, Asia and Japan), Virus Bulletin, and FIRST conference (Annual and TC) multiple times.

Hisao Nashiwa is a threat analyst, working for Internet Initiative Japan as a CSIRT member of the company. His main jobs include incident response, analyzing malware and analyzing network traffic. He has observed malicious activities for over ten years. He researches cyber crimes, He has eight years of experience and knowledge in analyzing malware. He has been a speaker and a trainer for international conferences such as Black Hat and FIRST (Annual and TC) multiple times.

Back to GCC 2022 Taiwan Page