Phoenix TS

Malware Analysis Training

This 4-day instructor-led training is aimed at It security professionals in a malware analyst or forensic investigator job role.

BONUS! Cyber Phoenix Subscription Included: All Phoenix TS students receive complimentary ninety (90) day access to the Cyber Phoenix learning platform, which hosts hundreds of expert asynchronous training courses in Cybersecurity, IT, Soft Skills, and Management and more!

Course Overview 

This course serves as a guide for instructing students on how to analyze malware once discovered within a Windows operating system. Since malicious software plays a role in almost every security incident or computer intrusion, the knowledge and skills attained through this class prove beneficial to individuals seeking to advance within the malware analyst profession. While this training focuses on Windows operating systems, the skills learned easily transfer to other operating systems. 


Currently, there are no public classes scheduled. Please contact a Phoenix TS Training Consultant to discuss hosting a private class at 301-258-8200.


Not seeing a good fit?

Let us know. Our team of instructional designers, curriculum developers, and subject matter experts can create a custom course for you.

Contact Us

Learn more about custom training

Course Outline

Static Analysis

  • Anti-Virus Scanning to Confirm Malware
  • Hashes for Malware Identification
  • Extracting Information from File Strings, Functions and Headers

Analyzing Malware in a Virtual Machine

  • The Virtual Machine Structure
  • Creating and Using Your Malware Analysis Machine
  • Risks of Using VMware
  • Introduction to the Record/Replay Feature of VMware

Dynamic Analysis

  • Malware Sandbox
  • Launching Executable Malware
  • Windows Process Monitor
  • Process Explorer – Microsoft Task Manager
  • Regshot Comparisons
  • Faking a Network
  • Wireshark
  • NetSim
  • Using the Dynamic Tools for a Malware Analysis Setup


  • Levels of Abstraction
  • Reverse-Engineering
  • x86 Architecture

Interactive Disassembler Professional (IDA Pro)

  • Loading an Executable in IDA Pro
  • IDA Pro Interface
  • xref in IDA Pro
  • IDA Pro Function Analysis
  • 5 Graphing Options
  • Disassembly Modification Features
  • Extending Functionality with Plug-ins

C Code Constructs

  • Local and Global Variables
  • Disassembling Math Operations
  • if Statements
  • Loops and Repetitive Tasks
  • Function Calls
  • switch Statements
  • Arrays and Structures
  • Linked List

Malware Targeted to Windows Functionalities

  • Windows API
  • Windows Registry
  • Networking API
  • Uncovering Transfer Executions from Malware
  • Kernel and User Modes
  • Native API


  • Source and Low Level Debuggers
  • Debugging a Program
  • Gaining Control through Exceptions
  • Modifying Program Execution

OllyDbg – x86 Debugger

  • Loading Executables
  • OllyDbg Interface and Memory Map
  • Threads and Stacks
  • Code Execution
  • OllyDbg Supported Breakpoints
  • Loading and Debugging DLLs
  • Tracing Technique
  • Exceptions and Patching
  • Shellcode Analysis and Assistance Features
  • Plug-Ins
  • Scriptable Debugging

WinDbg – Kernel Debugger

  • Kernel Code and Device Drivers
  • Preparing for Kernel Debugging
  • Using the WinDbg Functionality
  • Symbols for Microsoft Functions and Variables
  • Constructing Files from Kernel Space
  • Rootkits
  • Kernel Issues with Latest Versions of Windows

Malware Characteristics

  • Downloaders and Launchers
  • Backdoors
  • Credential Stealing Programs
  • Malware Persistence Mechanisms
  • Escalating Privileges
  • Rootkit Forms

Covert Launching Techniques

  • Launchers
  • Process Injection
  • Process Replacement
  • Windows Hook Injection
  • Detours Library
  • Asynchronous Procedure Call (APC) Injection

Data Encoding

  • Purpose of Encoding
  • Simple Encoding Techniques – Ciphers
  • Modern Cryptography
  • Encoding Schemes
  • Decoding Content 

Network-Based Countermeasures

  • Network Countermeasures
  • Techniques for Secure Online Investigation
  • Content-Based Network Countermeasures
  • Dynamic and Static Analysis
  • Perspective of the Attacker


  • Overview of Anti-Disassembly
  • Exploiting Weaknesses within Disassembler Algorithms
  • Techniques for Exploiting Assumptions 
  • Obscuring Flow Control
  • Stack-Frame Construction Analysis


  • Detecting Windows Debuggers
  • Debugging Behavior
  • Interfering with Debugger Operation
  • Vulnerabilities in Debugger Software

Anti-VM Techniques

  • Artifacts
  • Vulnerable Instructions
  • VMware Settings
  • Exploiting the VMware Vulnerabilities

Packers and Unpacking

  • Anatomy of a Packer
  • Packed Program Identification
  • Three Unpacking Options
  • Automated and Manual Unpacking Programs
  • Tips and Techniques for Packers
  • Analyzing a Malware Piece without Fully Unpacking
  • Packing DLLs

Analyzing Shellcode

  • Loading and Running Shellcode
  • PIC (Position-Independent Code)
  • Identifying the Execution Location
  • Manual Symbol Resolution
  • Shellcode Encodings
  • NOP Slide
  • Locating Shellcode

C++ Language Analysis

  • Object-Oriented Programming
  • Virtual and Nonvirtual Functions
  • Constructor and Destructor Functions

Malware for 64-bit Architecture

  • Overview of the 64-bit Process and Code
  • Windows 64-bit vs. 32-bit Architecture
  • Microsoft’s WOW64
  • 64-bit Codes for Additional Insight to Malware Functionality

Malware Analysis Training FAQs

Who should take this course?

This course is designed for CIO Officers, Forensics Investigators, and Malware Analysts.

What is the recommended experience for this course?

Students should have:
– At least two years of networking experience
– CompTIA Network+, CompTIA Security+, Certified Ethical Hacker (CEH) or hold equivalent experience and knowledge
– Basic understanding of C++ and assembly language

BONUS! Cyber Phoenix Subscription Included: All Phoenix TS students receive complimentary ninety (90) day access to the Cyber Phoenix learning platform, which hosts hundreds of expert asynchronous training courses in Cybersecurity, IT, Soft Skills, and Management and more!

Phoenix TS is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints re-garding registered sponsors may be submitted to the National Registry of CPE Sponsors through its web site: www.nasbaregistry.org

Subscribe now

Get new class alerts, promotions, and blog posts

Phoenix TS needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.

Download Course Brochure

Enter your information below to download this brochure!