Writing a Static Unpacker
This section will teach participants how to automate the unpacking and decryption of malware samples, using a Qakbot sample as the running example. The Qakbot sample is packed (obfuscated by an external packer program, so that the packed binary unpacks itself at runtime), and we will therefore work through several hands-on exercises that automate the extraction of Qakbot from its packed form using Binary Ninja, PEFile and Binary Refinery.
+ The first exercise will teach attendees how to use Binary Ninja to identify the encryption algorithm used by the first stage of the packer and how to extract the key information needed to decrypt the second stage.
+ The next exercise will teach attendees how to use PEFile to extract an embedded resource from the packed binary. Once extracted, the resource will be decrypted using the key information from the first exercise.
+ The final exercise will teach attendees how to use Binary Refinery to carve binary files from the decrypted resource.
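The three exercises form one pipeline. The Python below is an added example, not course material or Qakbot-specific code: it uses pefile for the resource step, a repeating-key XOR as a stand-in for whatever algorithm the Binary Ninja analysis identifies (the KEY value and the algorithm are assumptions), and a PE-header walk for the carving step in place of Binary Refinery. The sample "resource" is constructed in memory so the decrypt and carve helpers run offline.

```python
import struct
KEY = b"\x5a\x13\xc7\x88"  # assumed rolling-XOR key; the real one comes out of the Binary Ninja exercise


def extract_resource(path, type_id, name_id):
    """Raw bytes of resource type_id/name_id (first language entry) from the PE at path."""
    import pefile  # imported here so the decrypt/carve helpers still run without pefile
    pe = pefile.PE(path)
    for rtype in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        for rname in (rtype.directory.entries if rtype.id == type_id else []):
            if rname.id == name_id:
                d = rname.directory.entries[0].data.struct
                return pe.get_data(d.OffsetToData, d.Size)
    raise KeyError(f"resource {type_id}/{name_id} not found")


def xor_decrypt(blob, key=KEY):  # repeating-key XOR (assumed algorithm; symmetric, so it encrypts too)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def _pe_size(blob, off):
    """Validate an MZ/PE header at off; return the file size implied by its section table."""
    pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0] if off + 0x40 <= len(blob) else len(blob)
    if pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    nsec, opt = struct.unpack_from("<H", blob, pe + 6)[0], struct.unpack_from("<H", blob, pe + 20)[0]
    tbl = blob[pe + 24 + opt:pe + 24 + opt + 40 * nsec]  # section headers, 40 bytes each
    if nsec == 0 or len(tbl) < 40 * nsec:
        return None
    end = max(sum(struct.unpack_from("<II", tbl, 40 * i + 16)) for i in range(nsec))  # raw size + raw ptr
    return end if end <= len(blob) - off else None


def carve_pe_files(blob):
    """Carve every embedded PE image whose headers validate out of a decrypted blob."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        size = _pe_size(blob, pos)
        if size:
            found.append(blob[pos:pos + size])
        pos = blob.find(b"MZ", pos + (size or 2))
    return found


def _fake_pe(payload):  # constructed, non-runnable PE: DOS + COFF header, no optional header, one section
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), 0x80) + b"\0" * 16
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + coff + sec + payload


def demo():  # constructed 'resource' holding two PEs plus junk: encrypt it, then decrypt and carve
    originals = [_fake_pe(b"A" * 16), _fake_pe(b"B" * 32)]
    resource = b"\xff" * 7 + originals[0] + b"MZ\0junk" + originals[1] + b"\0" * 5
    return carve_pe_files(xor_decrypt(xor_decrypt(resource))), originals
```

On a real sample, `extract_resource(path, type_id, name_id)` replaces the constructed resource and the stray `MZ` in the junk shows why carving must validate the PE header rather than trust the signature alone.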
