REVERSE ENGINEERING AND MALWARE ANALYSIS

Course Description

Every computer incident involves a Trojan, backdoor, virus, or rootkit. Incident responders must be able to perform rapid analysis on the malware encountered in an effort to cure current infections and prevent future ones.

During malware analysis, the analyst must determine how the malware operates, what functionality is built in, and which attacker-controlled domains or Internet Protocol (IP) addresses it communicates with. Failing to understand the malware's functionality threatens all remediation efforts.

This course provides a quick introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems, using a practical, hands-on approach. Students will learn how to extract host- and network-based indicators from a malicious program using dynamic and static analysis techniques.

Candidates will also learn the basics of how to determine the functionality of a program by analyzing its disassembly and by watching how it modifies a system as it runs in a debugger.

Who Should Attend

This training course is intended for professionals who have at least 2 years of full-time professional work experience in the information security domain. The training seminar is ideal for those working in positions such as, but not limited to:

  • Information security professionals
  • Forensic investigators
  • Security practitioners
  • Incident response team members
  • Law enforcement officers
  • Anyone who has dealt with incidents involving malware

Course Duration

  • 24 Hours

Course Content

Malware Analysis Fundamentals

  • Assembling a toolkit for effective malware analysis
  • Examining static properties of suspicious programs
  • Performing behavioural analysis of malicious Windows executables
  • Performing static and dynamic code analysis of malicious Windows executables
  • Interacting with malware in a lab to derive additional behavioural characteristics

Reversing Malicious Code

  • Understanding core x86 assembly concepts to perform malicious code analysis
  • Identifying key assembly logic structures with a disassembler
  • Following program control flow to understand decision points during execution
  • Recognizing common malware characteristics at the Windows API level (registry manipulation, keylogging, HTTP communications, droppers)
  • Extending assembly knowledge to include x64 code analysis

Malicious Web and Document Files

  • Interacting with malicious websites to assess the nature of their threats
  • De-obfuscating malicious JavaScript using debuggers and interpreters
  • Analyzing suspicious PDF files
  • Examining malicious Microsoft Office documents, including files with macros
  • Analyzing malicious RTF document files

In-Depth Malware Analysis

  • Recognizing packed malware
  • Getting started with unpacking
  • Using debuggers for dumping packed malware from memory
  • Analyzing multi-technology and file-less malware
  • Code injection and API hooking
  • Using memory forensics for malware analysis

Examining Self-Defending Malware

  • How malware detects debuggers and protects embedded data
  • Unpacking malicious software that employs process hollowing
  • Bypassing the attempts by malware to detect and evade the analysis toolkit
  • Handling code misdirection techniques, including SEH and TLS Callbacks
  • Unpacking malicious executables by anticipating the packer's actions