
Malware Reverse Engineering and Why It’s Essential: My Experience with IMBT from InvokeRE


Hi everyone, I am continuing my journey and I have completed the Introduction to Malware Binary Triage (IMBT) course from InvokeRE: the IDA Edition in February and the Binary Ninja Edition in March. I am very excited to share my experience and what I learned from the course.

The course is designed to provide a comprehensive introduction to malware reverse engineering, focusing on the practical aspects of analyzing and triaging malicious binaries. It covers various topics, including static and dynamic analysis techniques, reverse engineering tools, and methodologies for identifying and understanding malware behavior.

1. Introduction #

Malware RE is the process of analyzing malicious software to understand its behavior, functionality, and potential impact. It involves dissecting the code, identifying its components, and determining how it operates. This is crucial for cybersecurity professionals to defend against threats effectively.

I decided to take the IMBT course from InvokeRE to improve my skills in reverse engineering and consequently learn more about the process of malware analysis.

I wanted to learn from qualified experts in the field and gain hands-on experience with real-world malware samples. Joshua Reynolds is a very experienced professional who has worked for reputable companies and spoken at conferences such as REcon, RSA and DEF CON.

2. Why Malware Reverse Engineering Is Important #

Malware reverse engineering (RE) is a critical skill in the cybersecurity landscape. It allows professionals to dissect and understand malicious software, providing insights into its behavior, communication methods, and propagation techniques. For my goals I view it as a fundamental skill for red teaming, blue teaming and exploit development: you will not only understand how the malware works but also improve reverse engineering skills that can be used on red team engagements and in blue team incident response.

3. Why the Skill Matters for Red Teaming and Blue Teaming (Personal Perspective) #

I am interested in Red Teaming and Blue Teaming, and I believe that understanding malware RE is essential for both roles. For Red Teamers, it helps in crafting more effective attack simulations by understanding how real-world malware operates: for example, you can reverse engineer a malware sample found in the wild to understand its TTPs (Tactics, Techniques, and Procedures) and implement the idea or technique on your engagement, say if the malware uses an innovative or creative way to persist. For Blue Teamers, it is obviously useful for understanding the impact and for building better detection mechanisms and incident response strategies. I see malware RE as a very important skill because it can also be used in Web Pentesting (white box testing) and Penetration Testing, especially the reverse engineering part, where you need to understand how the application works and how it interacts with the system.

4. My Goals for the Course #

I am interested in Advanced Windows Exploit Development and my goal in the next few years is to enroll in OSEE (the EXP-401 course) from OffSec, which involves understanding the operating system and having deep knowledge of reverse engineering. Learning malware RE is beneficial for these goals and in my opinion is a very important skill, and the skills gained can be used in other domains of cybersecurity as well. I believe that this course helped me toward that, and I will also supplement it with the knowledge from the Zero2Automated course, in which I am also enrolled but have not started yet.

5. My Experience with the IMBT Course by InvokeRE #

IMBT starts with an introduction to malware binary triage, where you learn the concepts and the different types of malware, and then how to set up your own virtual machine dedicated to malware analysis and reverse engineering.

The course covers the tools used for malware analysis such as IDA, x64dbg, dnSpy, PE-bear and several others, and most importantly you will learn about the PE structure. You learn how to dissect compiled malware through static analysis with a disassembler (IDA), and how to use a decompiler (dnSpy) to analyze malware written in .NET, a very common choice among malware authors.

You will also learn how to use x64dbg for dynamic analysis, how to analyze malware behavior and how to use the tools effectively. Obfuscation techniques are also covered: you learn how to unpack malware and how to analyze its C2 (Command and Control) communication.

The course is very hands-on, with a lot of labs and exercises to practice what you learned. You will learn how to analyze malware traffic using Wireshark, INetSim and other tools. The course is very well structured and you will learn many concepts and techniques that are used in the industry. The course format is videos, labs, challenges and hands-on exercises, with a final exam in which you are given a malware sample and must analyze it to answer the exam questions.

I chose InvokeRE because of the instructor's reputation in the industry and the depth of the content. I was looking for a course that focused on hands-on learning and practical application, and IMBT delivered that. The course is designed around real-world scenarios and challenges that you would encounter in the field.

What I Learned #

| Topic | Description |
|---|---|
| Unpacking Techniques | How to unpack malware protected by different packing techniques and analyze the unpacked code |
| Obfuscation Tricks | Understanding how malware authors hide their code, and methods for deobfuscation |
| C2 Analysis | Analysis of C2 communication, server identification, and protocol understanding |
| PE Structure | Analysis of the PE structure, section identification and their purposes |
| Static/Dynamic Analysis | Using IDA and x64dbg for comprehensive malware analysis |
| Tools | Proficiency in IDA, x64dbg, dnSpy, PE-bear, and other analysis tools |
| Traffic Analysis | Using Wireshark and INetSim to analyze malware network traffic patterns |
| Behavior Analysis | Understanding malware functionality and assessing system impact |
| Analysis Methodologies | Different approaches for analyzing malware in real-world scenarios |
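The PE Structure and Unpacking Techniques rows above (and the static-analysis description earlier) are where a first triage pass usually starts: walk the headers, list the sections, and look for the tell-tale signs of a packer before spending time in IDA. The script below is an added example written for this post, not code from the IMBT course or from InvokeRE. It builds a small, constructed PE32+ image in memory (not a real sample) so it runs offline, then parses the DOS, COFF, optional and section headers with nothing but `struct`, computes Shannon entropy per section, and reports the classic packer indicators: a near-8.0-bit section, a section that is both writable and executable, and an entry point that does not fall in `.text`. The 7.0-bit threshold and the section names are assumptions for the example.

```python
"""Triage of a PE file's section table: parse headers, compute per-section
entropy and flag the usual signs of packing. Added example, not course code."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER, 40 bytes
PACKED_ENTROPY = 7.0               # assumed threshold; tune it per corpus


def shannon_entropy(buf):
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]        # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + i * 40
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, hdr)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "characteristics": chars, "entropy": shannon_entropy(raw),
        })
    return {"machine": machine, "magic": magic, "entry_point": entry, "sections": sections}


def section_for_rva(pe, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(pe):
    """Heuristics a first look usually starts with; each hit is one string."""
    findings = []
    for s in pe["sections"]:
        if s["entropy"] > PACKED_ENTROPY:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} suggests packed or encrypted data")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable and executable (self-modifying unpacker stub?)")
    ep = section_for_rva(pe, pe["entry_point"])
    if ep is None:
        findings.append(f"entry point 0x{pe['entry_point']:x} outside every section")
    elif ep["name"] != ".text":
        findings.append(f"entry point 0x{pe['entry_point']:x} lies in {ep['name']}, not .text")
    return findings


def build_sample_pe():
    """Constructed PE32+ image, not a real sample: a low-entropy .text plus a
    high-entropy RWX section holding the entry point, as a packer would leave it."""
    text = b"\x55\x48\x89\xe5" * 64                            # push rbp; mov rbp,rsp ...
    packed = bytes((i * 131 + 7) % 256 for i in range(1024))  # each byte value 4x -> 8.0 bits
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x2010)                    # entry point inside .packed
    struct.pack_into("<Q", opt, 24, 0x140000000)               # ImageBase
    s1 = struct.pack(SECTION_FMT, b".text", 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    s2 = struct.pack(SECTION_FMT, b".packed", 0x400, 0x2000, 0x400, 0x300, 0, 0, 0, 0, 0xE0000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + s1 + s2).ljust(0x200, b"\0")
    return headers + text + packed


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:<8} rva=0x{s['va']:05x} raw=0x{s['rawsize']:04x} entropy={s['entropy']:.2f}")
    for f in triage(pe):
        print("!", f)
```

Running it prints `.text` at 2.00 bits and `.packed` at 8.00 bits, and all three heuristics fire on the second section. On a real sample you would read the file from disk instead of calling `build_sample_pe()`; the same checks are what PE-bear shows you in its section and entropy views, and an entry point sitting in a high-entropy, writable section is the usual cue to switch to x64dbg and break on the jump back into the original code.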

6. Biggest challenges, difficult moments. #

I initially struggled with identifying the proper padding bytes for the key to decrypt the malware statically; sometimes the algorithm used requires padding and it is not always clear or easy to understand, but with experience and practice I was able to overcome the challenge. You get familiar with the encryption nuances as you analyze more and more malware samples. I have completed the OffSec OSED certification, which helped me on the assembly and IDA or Binary Ninja side, as I already have a good understanding of assembly language and the Windows API, so that part was fine for me. The course gave me a good understanding of the malware analysis process and methodology and how to apply it in real-world scenarios.

7. How the Course Helped Me See the Real-World Value of Malware RE #

The course gave me a good understanding of the malware analysis process and of how important it is, more than ever, for cybersecurity professionals to understand the behavior of malware, as malware becomes more sophisticated and attacks become more targeted through social engineering and phishing.

I feel more confident in my ability to analyze malware and understand its behavior. I have a better understanding of the different techniques used by malware authors and how to deal with them in real-world scenarios. I also feel more comfortable using the tools and techniques of malware analysis.

I improved my RE skills with IDA, Binary Ninja and x64dbg for static and dynamic analysis of malware samples. I have also brushed up on analyzing the PE structure of a malware sample and on identifying the different sections and their purpose.

8. Which version of the course did I take? #

I have taken and completed both the IMBT IDA Version and the IMBT Binary Ninja Version, and I recommend taking both if you can: you will learn and become familiar with both tools and will be able to choose the one that fits your needs at each moment. In my opinion the Binary Ninja API is easier to work with than the IDA APIs, but learning both tools will make you a more versatile professional; sometimes one tool will be better than the other in certain situations. It is like the old discussion about Linux vs Windows: as a professional you will have to use and learn both, and sometimes Windows will be better than Linux and sometimes Linux will be better than Windows, depending on the situation.

9. Final Thoughts & Advice #

I would recommend IMBT to anyone interested in malware reverse engineering and analysis, and also to Penetration Testers, including Red Teamers and, of course, Blue Teamers. The course is well-structured, hands-on, and provides a solid foundation in the field. It is suitable for beginners as well as those with some experience in reverse engineering. I always like to take courses because they give me different perspectives on how other professionals approach the same problem, and I believe that this is a very important skill for anyone in the cybersecurity field. I love when someone does something differently than me and I can learn from them; I believe that this is the best way to learn and improve your skills. My advice is to keep learning and do what you love, and don't be afraid to ask questions and seek help from others. If you have questions you can reach out to me on X (Twitter).

10. What’s Next #

I will be continuing my journey. I have started the Beginner Malware Analysis course from 0ffset to see that instructor's approach and solidify my knowledge, and I will start the Zero2Automated course from 0ffset to learn more about malware analysis and reverse engineering. I will also be taking the OSEE (EXP-401) course from OffSec in the future, probably within the next 3 years, to improve my skills in exploit development and reverse engineering.

Certificate of Completion #

If you are interested in malware analysis, you can find the course at InvokeRE.