Designed for experienced malware analysts, this course focuses on advanced topics related to combating a wider variety of more complex malware and malware defense mechanisms. It covers how to combat anti-disassembly, anti-debugging and anti-virtual machine techniques. It also discusses how to defeat packed and armored executables, analyze encryption and encoding algorithms and defeat various obfuscation techniques. Additional topics include malware stealth techniques (process injection and rootkit technology), analyses of samples written in alternate programming languages (C++) and popular software frameworks (.NET).
Learners will be taught to use existing tools and techniques as well as research and develop their own IDA Pro scripts and plugins. All concepts and materials are reinforced with demonstrations, real-world case studies, follow-along exercises and student labs to allow learners to practice new skills. Instructors are senior FLARE malware analysts who are experienced in fighting through state-of-the-art malware armor.
After completing this course, learners should be able to:
- Understand how malware hides its execution, including process injection, process replacement and user-space rootkits
- Grasp how shellcode works, including position independence, symbol resolution and decoders
- Comprehend the inner workings and limitations of disassemblers such as IDA Pro as well as how to circumvent the anti-disassembly mechanisms that malware authors use to thwart analysis
- Automate IDA Pro using Python and IDC to help analyze malware more efficiently
- Understand how to combat anti-debugging, including bypassing timing checks, Windows debugger detection and debugger vulnerabilities
- Fool malware so it cannot detect what is running in your safe environment
- Understand how malware analysis is influenced by C++ concepts like inheritance, polymorphism and objects
- Recognize common C++ structures from the disassembly
- Use disassembler features to enhance the reverse engineering process of C++ binaries
- Unpack manually by studying various packer algorithms and generic techniques to quickly defeat them
- See how x64 changes the game for malware analysis, including how WOW64 works and the architecture changes from x86
- Grasp string obfuscation techniques that are commonly used by malware, then take malware communications and analyze network packet captures
- Reverse engineer .NET bytecode and work with obfuscation techniques used by attackers
Who should attend
Intermediate-to-advanced malware analysts, information security professionals, forensic investigators and others who need to understand how to overcome difficult and complex challenges in malware analysis.
Robust skill set in x86 architecture and the Windows APIs. Exposure to software development is highly recommended. Completion of Malware Analysis Crash Course is recommended but not required.
In-classroom instructor-led training
What to bring
Students are required to bring their own laptop that meets the following specs:
- VMware Workstation Pro 12.5 or newer (installed with the ability to run a VM)
- At least 30 GB of free HDD space
- A licensed copy of IDA Pro that supports the MIPS architecture is recommended. The free version of IDA Pro will suffice.