Anti-Analysis: Analyzing Smokeloader
In this lab, you'll practice reverse engineering and defeating anti-analysis techniques in low-level languages (C / ASM). When you're finished with this lab, you'll have an understanding for how malware mangles, manipulates, and prevents disassembly and debugging through certain techniques. You'll also identify what these techniques look like through reverse engineering and how to remove/patch them to complete your analysis.
Terms and conditions apply.
Challenge
Getting Started in the Lab Environment
Here are the initial instructions and explanation of the lab environment. Read this while your environment is busy creating itself from nothing. Yes, this violates physics; we know. How fun!
Challenge
Initial Extraction (Stage 1)
SmokeLoader is a advanced sample that contains several embedded payloads. Our goal for this first challenge is to identify the first stage of shellcode and extract it.
Challenge
Stage 2
This challenge will focus on debugging the extracted shellcode from Stage1 and extracting the heavily obfuscated Stage2 shellcode stub. This version of SmokeLoader contains two different shellcode stubs that perform the decryption and loading of Stage2 into memory.
Challenge
Final Stage
We will focus on the final two stages of SmokeLoader in this challenge. The heavily obfuscated Stage2 shellcode with opaque predicates, encrypted functions and anti-debugging techniques. Then, we will be extracting the final Stage3 shellcode and extracting its RC4 encrypted configuration.
Challenge
The Last Challenge
Welcome to the final challenge! This is your last chance to experiment in the environment. Clicking Finish Lab will end this little world that flittered into existence just for you.
Provided environment for hands-on practice
We will provide the credentials and environment necessary for you to practice right within your browser.
Guided walkthrough
Follow along with the author’s guided walkthrough and build something new in your provided environment!
Did you know?
On average, you retain 75% more of your learning if you get time for practice.
Recommended prerequisites
- Some experience static analysis / reverse engineering with IDA/Ghidra
- Some experience performing dynamic analysis through a debugger
- Familiar with x86/x64 assembly (Intel)
- Familiar with Microsoft's Win32 API