Malware Analysis Crash Course
Overview
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.
What You Will Learn:
- Hands-on malware dissection
- How to create a safe malware analysis environment
- How to quickly extract network and host-based indicators
- How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
- How to debug malware and modify control flow and logic of software
- To analyze assembly code after a crash course in the Intel x86 assembly language
- Windows internals and APIs
- How to use key analysis tools like IDA Pro and OllyDbg
- What to look for when analyzing a piece of malware
- The art of malware analysis - not just running tools
Who Should Take this Course
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.
Student Requirements
- Excellent knowledge of computer and operating system fundamentals
- Computer programming fundamentals and Windows Internals experience is highly recommended
What Students Should Bring
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.
A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.
What Students Will Be Provided With
- A student manual
- Class handouts
- Mandiant gear
Trainers
Dominik Weber is a member of the FireEye Labs Advanced Reverse Engineering (FLARE) team functioning as a Senior Manager and Research Engineer, Dominic has 13+ years of computer forensic experience researching NTFS, ExFAT and the Windows key management. If you've used EnCase, you've used his C++/ Windows code. Previously Dominic worked on 3D full body motion capture / rendering and video games.
Nick Harbour is Senior Staff Reverse Engineer at FireEye Labs Advanced Reverse Engineering (FLARE) Team.
Peter Kacherginsky is a Reverse Engineer with the FireEye Labs Advanced Reverse Engineering Team (FLARE) who works in Mandiant's San Francisco, CA, office. He has over 10 years of experience in the security industry. Since joining Mandiant, he has reverse engineered both targeted and commodity malware samples of varying complexity, taught malware analysis training, and developed a number of tools used to aid malware analysis and penetration testing tasks.
Peter is a big fan of IDA Pro and is a winner of the IDA Pro plugin contest. He also frequently publishes open source security tools with a number of them appearing in the Kali Linux (previously called Backtrack) security distribution.