Build a secure environment for malware analysis: deploy sandbox and all necessary tools
Understand principles of Windows program execution
Unpack, debug and analyze malicious object, identify its functions
Detect malicious sites through script malware analysis
Conduct express malware analysis
Cyber or Security Department (CISO, Analysts, Researchers, SOC team, etc)
IT Department, System Admins (Training is suitable for IT-related professionals looking to acquire practical skills in malware analysis. Some programming experience is critical).
In order to reverse malicious code, it is necessary to understand the basics of modern operating systems and processor instruction sets. The course starts with a Windows architecture overview, exploring the Application Programming Interface (API), kernel and user modes, kernel-mode components (the Hardware Abstraction Layer or HAL, device drivers, the Windows PE loader) and core Windows system files. Popular system libraries (DLLs) and WinAPI functions will be briefly addressed, with supporting materials. Web access to MSDN is advisable, but not essential.
Students will learn in detail about the main OS entities: processes, threads and process and thread environment blocks (PEB and TEB). We’ll describe multitasking, context switching, scheduling and other OS mechanisms.
After OS internals, the course moves to reverse engineering basics, starting with the Portable Executable (PE) file format: its headers, sections and data directories. Assembly instructions for modern x86 processors are also in scope here. Students will gain an understanding of the compilation, linking and decompilation processes, including real-world practical exercises on these topics, during the first day.
Introduction to malware analysis
There are two types of analysis – static and dynamic. Static analysis is performed without executing the program and provides a quick preliminary assessment. Students will practice surface analysis: looking for anomalies in PE headers and analyzing suspicious strings, resources and imported functions. They will learn to use different hashing algorithms for file identification and integrity checking, validate digital signatures, and search for information about suspicious objects on the internet. Using real-life samples, they will detect simple protections applied by packers and remove them with automatic tools. Students will also study methods of making disassembled malware code more readable and navigating through it quickly. They will learn how to recover the complete malware algorithm and locate the malicious code inside a program.
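The PE surface analysis described here (and the PE header, section and directory layout introduced on the first day) can be reduced to a short triage script. The following is an added example written for this page, not course material: it walks the DOS header, NT headers and section table with the standard library only, computes file hashes, flags the header anomalies a packer typically leaves behind (non-standard section names, a section with no file data, writable-and-executable sections, high-entropy sections, an entry point in the last section) and pulls out suspicious strings. The sample file it analyses is constructed in memory, with a UPX-style layout and a made-up URL, and is not a real malware binary; the anomaly thresholds and tags are this example's own choices.

```python
"""Surface (static) triage of a PE file: hashes, header/section anomalies, strings.

Added example, standard library only. The analysed file is built inline by
build_sample() and is a constructed stand-in for a packed binary, not real malware.
"""
import hashlib
import math
import re
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"           # IMAGE_SECTION_HEADER, 40 bytes
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
HIGH_ENTROPY = 7.0                     # bits per byte; packed/encrypted data sits near 8
# URL, dotted-quad IP, registry hive or Run key inside an extracted string
SUSPICIOUS = re.compile(rb"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b|HKEY_|CurrentVersion\\Run", re.I)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table (works for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                     # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)        # 0x10B = PE32, 0x20B = PE32+
    entry, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint (RVA)
    sections, off = [], opt + opt_size                  # section table starts right after the optional header
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, *_, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
        off += struct.calcsize(SECTION_FMT)
    return {"machine": machine, "pe32plus": magic == 0x20B, "timestamp": timestamp,
            "entry": entry, "sections": sections}


def triage(data: bytes) -> dict:
    """Return hashes, a list of (tag, detail) anomaly findings and suspicious strings."""
    pe = parse_pe(data)
    ep, secs, findings = pe["entry"], pe["sections"], []
    home = [s for s in secs if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"])]
    if not home:
        findings.append(("ep-outside-sections", f"entry point {ep:#x} maps to no section"))
    else:
        if not home[0]["chars"] & SCN_MEM_EXECUTE:
            findings.append(("ep-not-executable", f"entry point in non-executable {home[0]['name']}"))
        if len(secs) > 1 and home[0] is secs[-1]:
            findings.append(("ep-last-section", f"entry point in last section {home[0]['name']} (packer stub?)"))
    for s in secs:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(("nonstandard-name", f"section {s['name']!r}"))
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(("virtual-only", f"{s['name']}: no file data but {s['vsize']:#x} bytes in memory (unpack target?)"))
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            findings.append(("rwx", f"{s['name']}: writable and executable"))
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(("high-entropy", f"{s['name']}: {s['entropy']:.2f} bits/byte"))
    strings = [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{6,}", data)]
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
            "findings": findings, "suspicious_strings": [s for s in strings if SUSPICIOUS.search(s.encode())]}


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample() -> bytes:
    """Constructed PE32: empty UPX0, high-entropy RWX UPX1 holding the entry point and a fake URL."""
    payload = bytearray(pseudo_random(0x1000))
    marker = b"\0http://c2.example.invalid/gate.php\0"    # constructed indicator, not a real host
    payload[99:99 + len(marker)] = marker
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew: NT headers right after the DOS header
    opt_size = 224                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)   # i386, 2 sections, executable
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x11010)               # AddressOfEntryPoint inside UPX1
    rwx = SCN_MEM_EXECUTE | SCN_MEM_WRITE | 0x40000000
    upx0 = struct.pack(SECTION_FMT, b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, rwx | 0x80)
    upx1 = struct.pack(SECTION_FMT, b"UPX1", 0x1000, 0x11000, 0x1000, 0x200, 0, 0, 0, 0, rwx | 0x40)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + upx0 + upx1).ljust(0x200, b"\0")
    return headers + bytes(payload)


if __name__ == "__main__":
    report = triage(build_sample())
    print("sha256:", report["sha256"])
    for tag, detail in report["findings"]:
        print(f"[{tag}] {detail}")
    print("strings:", report["suspicious_strings"])
```

Point the script at a real file (`triage(open(path, "rb").read())`) and the same checks apply; the findings are leads for the unpacking and disassembly steps that follow, not a verdict, and the hashes are what you search for online before spending time on the sample.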
Static analysis of applications
Static analysis techniques
Dynamic analysis helps to observe a program’s behavior directly, including aspects like network traffic, which APIs are called, how the application interacts with the registry and so on. Students will learn how to debug applications, take memory dumps, monitor Windows API function calls, monitor registry activity, create a virtual network, imitate real network services in the laboratory environment and inspect network traffic. All these tasks are learned through lab exercises. After the trainers have demonstrated how each tool is used, students will themselves carry out the analysis of real samples.
Dynamic analysis of local data
Dynamic analysis of network data
The Windows API is not the only programming interface used by malware, so participants will also work with .NET, Java and other popular languages during the training. Students will learn the tools that speed up analysis by decompiling p-code and intermediate-language bytecode back to readable source.
Of course, malware goes far beyond portable executable files. Even legitimate websites may be compromised and turned into drive-by infection vectors by attackers. To investigate these threats, malware analysts must be able to read and deobfuscate scripting languages. The analysis of automation scripts (compiled beforehand into executable files), installers and other wrappers is also covered.