Class Details

Price: $1,990

Course Includes:

  • Class exercises in addition to training instruction
  • Courseware books, notepads, pens, highlighters and other materials
  • Full breakfast with variety of bagels, fruits, yogurt, doughnuts and juice
  • Tea, coffee, and soda available all day
  • Freshly baked cookies every afternoon - * only at participating locations

This course serves as a guide for instructing students on how to analyze malware once discovered within a Windows operating system. Since malicious software plays a role in almost every security incident or computer intrusion, the knowledge and skills attained through this class prove beneficial to individuals seeking to advance within the malware analyst profession.

While this training focuses on Windows operating systems, the skills learned easily transfer to other operating systems. 

Get Your Group Trained for Less with Our Federal Training Dollars Savings Plan


Course Outline

Module 1: Static Analysis

  • Lesson 1A: Anti-Virus Scanning to Confirm Malware
  • Lesson 1B: Hashes for Malware Identification
  • Lesson 1C: Extracting Information from File Strings, Functions and Headers

Module 2: Analyzing Malware in a Virtual Machine

  • Lesson 2A: The Virtual Machine Structure
  • Lesson 2B: Creating and Using Your Malware Analysis Machine
  • Lesson 2C: Risks of Using VMware
  • Lesson 2D: Introduction to the Record/Replay Feature of VMware

Module 3: Dynamic Analysis

  • Lesson 3A: Malware Sandbox
  • Lesson 3B: Launching Executable Malware
  • Lesson 3C: Windows Process Monitor
  • Lesson 3D: Process Explorer – Microsoft Task Manager
  • Lesson 3E: Regshot Comparisons
  • Lesson 3F: Faking a Network
  • Lesson 3G: Wireshark
  • Lesson3H: INetSim
  • Lesson I: Using the Dynamic Tools for a Malware Analysis Setup

Module 4: Disassembly

  • Lesson 4A: Levels of Abstraction
  • Lesson 4B: Reverse-Engineering
  • Lesson 4C: x86 Architecture

Module 5: Interactive Disassembler Professional (IDA Pro)

  • Lesson 5A: Loading an Executable in IDA Pro
  • Lesson 5B: IDA Pro Interface
  • Lesson 5C: xref in IDA Pro
  • Lesson 5D: IDA Pro Function Analysis
  • Lesson 5E: 5 Graphing Options
  • Lesson 5F: Disassembly Modification Features
  • Lesson 5G: Extending Functionality with Plug-ins

Module 6: C Code Constructs

  • Lesson 6A: Local and Global Variables
  • Lesson 6B: Disassembling Math Operations
  • Lesson 6C: if Statements
  • Lesson 6D: Loops and Repetitive Tasks
  • Lesson 6E: Function Calls
  • Lesson 6F: switch Statements
  • Lesson 6G: Arrays and Structures
  • Lesson 6H: Linked List

 

Module 7: Malware Targeted to Windows Functionalities

  • Lesson 7A: Windows API
  • Lesson 7B: Windows Registry
  • Lesson 7C: Networking API
  • Lesson 7D: Uncovering Transfer Executions from Malware
  • Lesson 7E: Kernel and User Modes
  • Lesson 7F: Native API

Module 8: Debugging

  • Lesson 8A: Source and Low Level Debuggers
  • Lesson 8B: Debugging a Program
  • Lesson 8C: Gaining Control through Exceptions
  • Lesson 8D: Modifying Program Execution

Module 9: OllyDbg – x86 Debugger

  • Lesson 9A: Loading Executables
  • Lesson 9B: OllyDbg Interface and Memory Map
  • Lesson 9C: Threads and Stacks
  • Lesson 9D: Code Execution
  • Lesson 9E: OllyDbg Supported Breakpoints
  • Lesson 9F: Loading and Debugging DLLs
  • Lesson 9G: Tracing Technique
  • Lesson 9H: Exceptions and Patching
  • Lesson 9I: Shellcode Analysis and Assistance Features
  • Lesson 9J: Plug-Ins
  • Lesson 9K: Scriptable Debugging

Module 10: WinDbg – Kernel Debugger

  • Lesson 10A: Kernel Code and Device Drivers
  • Lesson 10B: Preparing for Kernel Debugging
  • Lesson 10C: Using the WinDbg Functionality
  • Lesson 10D: Symbols for Microsoft Functions and Variables
  • Lesson 10E: Constructing Files from Kernel Space
  • Lesson 10F: Rootkits
  • Lesson 10G: Kernel Issues with Latest Versions of Windows

Module 11: Malware Characteristics

  • Lesson 11A: Downloaders and Launchers
  • Lesson 11B: Backdoors
  • Lesson 11C: Credential Stealing Programs
  • Lesson 11D: Malware Persistence Mechanisms
  • Lesson 11E: Escalating Privileges
  • Lesson 11F: Rootkit Forms

Module 12: Covert Launching Techniques

  • Lesson 12A: Launchers
  • Lesson 12B: Process Injection
  • Lesson 12C: Process Replacement
  • Lesson 12D: Windows Hook Injection
  • Lesson 12E: Detours Library
  • Lesson 12F: Asynchronous Procedure Call (APC) Injection

Module 13: Data Encoding

  • Lesson 13A: Purpose of Encoding
  • Lesson 13B: Simple Encoding Techniques – Ciphers
  • Lesson 13C: Modern Cryptography
  • Lesson 13D: Encoding Schemes
  • Lesson 13E: Decoding Content 

Module 14: Network-Based Countermeasures

  • Lesson 14A: Network Countermeasures
  • Lesson 14B: Techniques for Secure Online Investigation
  • Lesson 14C: Content-Based Network Countermeasures
  • Lesson 14D: Dynamic and Static Analysis
  • Lesson 14E: Perspective of the Attacker

Module 15: Anti-Disassembly

  • Lesson 15A: Overview of Anti-Disassembly
  • Lesson 15B: Exploiting Weaknesses within Disassembler Algorithms
  • Lesson 15C: Techniques for Exploiting Assumptions 
  • Lesson 15D: Obscuring Flow Control
  • Lesson 15E: Stack-Frame Construction Analysis

Module 16: Anti-Debugging

  • Lesson 16A: Detecting Windows Debuggers
  • Lesson 16B: Debugging Behavior
  • Lesson 16C: Interfering with Debugger Operation
  • Lesson 16D: Vulnerabilities in Debugger Software

Module 17: Anti-VM Techniques

  • Lesson 17A: Artifacts
  • Lesson 17B: Vulnerable Instructions
  • Lesson 17C: VMware Settings
  • Lesson 17D: Exploiting the VMware Vulnerabilities

Module 18: Packers and Unpacking

  • Lesson 18A: Anatomy of a Packer
  • Lesson 18B: Packed Program Identification
  • Lesson 18C: Three Unpacking Options
  • Lesson 18D: Automated and Manual Unpacking Programs
  • Lesson 18E: Tips and Techniques for Packers
  • Lesson 18F: Analyzing a Malware Piece without Fully Unpacking
  • Lesson 18G: Packing DLLs

Module 19: Analyzing Shellcode

  • Lesson 19A: Loading and Running Shellcode
  • Lesson 19B: PIC (Position-Independent Code)
  • Lesson 19C: Identifying the Execution Location
  • Lesson 19D: Manual Symbol Resolution
  • Lesson 19E: Shellcode Encodings
  • Lesson 19F: NOP Slide
  • Lesson 19G: Locating Shellcode

Module 20: C++ Language Analysis

  • Lesson 20A: Object-Oriented Programming
  • Lesson 20B: Virtual and Nonvirtual Functions
  • Lesson 20C: Constructor and Destructor Functions

Module 21: Malware for 64-bit Architecture

  • Lesson 21A: Overview of the 64-bit Process and Code
  • Lesson 21B: Windows 64-bit vs. 32-bit Architecture
  • Lesson 21C: Microsoft’s WOW64
  • Lesson 21D: 64-bit Codes for Additional Insight to Malware Functionality

Register for Class

Date Location
12/17/18 - 12/20/18, 4 days, 8:30AM – 4:30PM Online Register
02/19/19 - 02/22/19, 4 days, 8:30AM – 4:30PM Columbia, MD Register
02/19/19 - 02/22/19, 4 days, 8:30AM – 4:30PM Online Register
07/08/19 - 07/11/19, 4 days, 8:30AM – 4:30PM Columbia, MD Register
07/08/19 - 07/11/19, 4 days, 8:30AM – 4:30PM Online Register