Malware Analysis Workshop

Catalogue number: #7549 | Course duration: 32 academic hours

Malicious software, or malware, plays a part in most computer intrusion and security incidents. Any software that does something that causes harm to a user, computer, or network can be considered malware, including viruses, trojan horses, worms, rootkits, scareware, and spyware. While the various malware incarnations do all sorts of different things, as malware analysts, we have a core set of tools and techniques at our disposal for analyzing malware.

Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it. And you don’t need to be an uber-hacker to perform malware analysis.

This course is offered only to groups on behalf of organizations; inquiries can be submitted only for a group.


  • Describe types of malware, including rootkits, Trojans, and viruses
  • Perform basic static analysis with anti-virus scanning and strings
  • Perform basic dynamic analysis with a sandbox
  • Perform advanced static analysis with IDA Pro
  • Explain malware behavior, including launching, encoding, and network signatures
  • Recognize common packers and how to unpack them

Target Audience

  • Researchers, defense and law enforcement authorities
  • System, media and information security personnel

Prerequisites

  • Practical experience in a command line environment, especially with Linux
  • Knowledge of communication protocols (TCP/IP)
  • Background and experience in writing code


#1: Malware Analysis overview

  • The Goals of Malware Analysis
  • Malware Analysis Techniques
  • Types of Malware
  • General Rules for Malware Analysis

#2: Basic Static Techniques

  • Antivirus Scanning: A Useful First Step
  • Hashing: A Fingerprint for Malware
  • Finding Strings
  • Packed and Obfuscated Malware
  • Portable Executable File Format
  • Linked Libraries and Functions
  • Static Analysis in Practice
  • The PE File Headers and Sections


#3: Basic Dynamic Analysis

  • Sandboxes: The Quick-and-Dirty Approach
  • Running Malware
  • Monitoring with Process Monitor
  • Viewing Processes with Process Explorer
  • Comparing Registry Snapshots with Regshot
  • Faking a Network
  • Packet Sniffing with Wireshark
  • Using INetSim
  • Basic Dynamic Tools in Practice


#4: A Crash Course in x86 Disassembly

  • Levels of Abstraction
  • Reverse-Engineering
  • The x86 Architecture


#5: IDA Pro

  • Loading an Executable
  • The IDA Pro Interface
  • Using Cross-References
  • Analyzing Functions
  • Using Graphing Options
  • Enhancing Disassembly
  • Extending IDA with Plug-ins


#6: Malware Behavior

  • Downloaders and Launchers
  • Backdoors
  • Credential Stealers
  • Persistence Mechanisms
  • Privilege Escalation
  • Covering Its Tracks—User-Mode Rootkits


#7: Covert Malware Launching

  • Launchers
  • Process Injection
  • Process Replacement
  • Hook Injection
  • Detours
  • APC Injection

#8: Data Encoding

  • The Goal of Analyzing Encoding Algorithms
  • Simple Ciphers
  • Common Cryptographic Algorithms
  • Custom Encoding
  • Decoding

#9: Malware-Focused Network Signatures

  • Network Countermeasures
  • Safely Investigating an Attacker Online
  • Content-Based Network Countermeasures
  • Combining Dynamic and Static Analysis Techniques
  • Understanding the Attacker’s Perspective