WS1 – Writing Configuration Extractors: Navigating Challenges in Extracting Malware Artifacts (3h)

Botconf 2024
Tuesday
2024-04-23 | 14:00 – 17:30

Souhail Hammou 🗣 | Miroslav Stampar 🗣

As reverse engineers, a significant part of our daily work involves writing and maintaining artifact extractors for multiple malware families, ranging from stealers and RATs to loaders and banking trojans. Our primary goal is to create C2 protocol emulators when applicable and useful. This requires extracting a broad array of artifacts to accurately emulate bot behavior for each malware sample. While some artifacts are straightforward to extract, others demand a certain level of skill. This workshop zeroes in on the latter, providing a hands-on opportunity to delve into the real challenges we encounter in this process and how to navigate them efficiently. The use cases we explore span various malware families and encompass a range of approaches and techniques, including but not limited to the use of regular expressions, manipulation of PE dumps, and use of the Unicorn code emulation library and the Capstone disassembly framework.

Prerequisites: IDA Free (or a disassembler of choice) and Python >= 3.10 installed. Malware samples will be provided by the instructors.

