Malware Analysis Crash Course

FLARE Team of Mandiant, A FireEye Company | July 22-23 & July 24-25



Overview

This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

  • Hands-on malware dissection
  • How to create a safe malware analysis environment
  • How to quickly extract network and host-based indicators
  • How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
  • How to debug malware and modify control flow and logic of software
  • How to analyze assembly code, after a crash course in the Intel x86 assembly language
  • Windows internals and APIs
  • How to use key analysis tools like IDA Pro and OllyDbg
  • What to look for when analyzing a piece of malware
  • The art of malware analysis - not just running tools

Who Should Take this Course

Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Student Requirements

  • Excellent knowledge of computer and operating system fundamentals
  • Computer programming fundamentals and Windows Internals experience are highly recommended

What Students Should Bring

Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

What Students Will Be Provided With

  • A student manual
  • Class handouts
  • Mandiant gear

Trainers

Peter Kacherginsky is a Reverse Engineer on the FireEye Labs Advanced Reverse Engineering Team (FLARE) based in San Francisco, CA. He has over 10 years of experience in the security industry. Since joining Mandiant/FireEye, he has reverse engineered both targeted and commodity malware samples of varying complexity, taught malware analysis classes, and developed a number of tools used to aid malware analysis and penetration testing tasks such as FakeNet-NG. Peter created IDA Sploiter which won the IDA Pro plug-in contest in 2014. He also developed a number of open source security tools such as DNSChef, PACK (Password Analysis and Cracking Kit), SEAT (Search Engine Assessment Tool), WiCrawl and others. A number of these tools are included in the Kali Linux and other security distributions.

Matt Williams is a Senior Reverse Engineer on the FireEye Labs Advanced Reverse Engineering Team (FLARE). Prior to joining the FLARE team, he was the Principal Malware Analyst and Incident Responder for a Department of Defense (DoD) SOC. After earning his B.S. in Computer Science, Matt also spent time at the National White Collar Crime Center (NW3C) developing and delivering digital forensics training to law enforcement agencies nationwide.

Jon Erickson is a reverse engineer within the FLARE team at FireEye, the intelligence-led security company. Before joining FireEye, Jon made the rounds with various government contractors and before that served in the United States Air Force. Jon has worked in the security industry for more than 10 years and has a master's degree from George Mason University. Jon has spoken at numerous conferences including Black Hat Asia, CodeBlue, and SyScan 360. He has contributed to a number of CVEs and continuously works to help new security researchers better themselves within the field.