Malware Analysis 301

Instructor-led training course

At a glance

This course was formerly known as Advanced Topics in Malware Analysis.

Designed for experienced malware analysts, this course focuses on advanced topics related to combating a wider variety of more complex malware and malware defense mechanisms. It covers how to combat anti-disassembly, anti-debugging, and anti-virtual machine techniques. It also discusses how to defeat packed and armored executables, analyze encryption and encoding algorithms, and defeat various obfuscation techniques. Additional topics include malware stealth techniques, alternative languages, and alternative architectures.

Learners will be taught to use existing tools and techniques as well as research and develop their own IDA Pro scripts and plugins (IDA Pro license may be required for scripts/plugins). All concepts and materials are reinforced with demonstrations, real-world case studies, follow-along exercises, and student labs to allow learners to practice new skills. Instructors are senior FLARE malware analysts who are experienced in fighting through state-of-the-art malware armor.

Prerequisites: A robust skill set in x86 architecture and the Windows APIs. Exposure to software development is highly recommended. Completion of Malware Analysis 201 is recommended but not required.

Course goals

After completing this course, learners should be able to:

  • Understand how malware hides its execution, including process injection and process replacement
  • Grasp how shellcode works, including position independence, symbol resolution, and decoders
  • Comprehend the inner workings and limitations of disassemblers, such as IDA Pro, as well as how to circumvent the anti-disassembly mechanisms that malware authors use to thwart analysis
  • Understand how to combat anti-debugging, including bypassing timing checks, Windows debugger detection, and debugger vulnerabilities
  • Fool malware so it cannot detect what is running in your safe environment
  • Understand how malware analysis is influenced by C++ concepts like inheritance, polymorphism, and objects
  • Recognize common C++ structures from the disassembly
  • Use disassembler features to enhance the reverse engineering process of C++ binaries
  • Unpack manually by studying various packer algorithms and generic techniques to quickly defeat them
  • Grasp string obfuscation techniques that are commonly used by malware, then analyze malware communications, including network packet captures

Who this course helps

Intermediate-to-advanced malware analysts, information security professionals, forensic investigators, and others who need to understand how to overcome difficult and complex challenges in malware analysis.

How it works

Delivery method

In-classroom instructor-led training

Duration

Five days (in-person delivery)

What to bring

Students are required to bring their own laptop that meets the following specs:

  • VirtualBox 7+
  • At least 30 GB of free HDD space
  • A licensed copy of IDA Pro that supports the x86 architecture is recommended; the free version of IDA Pro will suffice

Take the next step

Contact Mandiant Academy to learn more and schedule your course today.

Google Cloud