< NULLCON 2025 - GOA />

About The Training


< Training Title />

Efficient Malware Analysis: Comprehensive Approach

< Training Schedule />

Start Date: Feb 26, 2025

End Date: Feb 28, 2025

< Training Venue />

Venue: TBA

< Training Objectives />

With increasing geopolitical tension and the high reputational and financial risks associated with potential compromises, malware analysis is increasingly in demand. While it is possible in some cases to get a basic understanding of malware capabilities using behavioral analysis, at best it shows only part of the picture. In this course, we follow a comprehensive approach: we cover the fundamental prerequisites before diving deep into all the nuances of static and dynamic analysis of various types of Windows executables operating in user mode, so that the analysis can be done fast and efficiently with nothing missed. During the course, we work with real malware samples of various complexity.

< Training Level />

Basic - Intermediate - Advanced

< Training Outlines />

Day 1: Fundamentals: x86 platform & Windows executables

Relevant essentials of informatics:

  • Binary and hexadecimal number systems
  • Bitwise operations
  • Data units and types
  • String encodings

Fundamentals of x86 platform (32- and 64-bit):

  • CPU
  • Memory
  • Stack
  • Instruction set
  • Breakpoints
  • Calling conventions

Day 2: Level up: unpacking & decryption

Basics of Windows internals:

  • WinAPIs
  • PE file structure

101 of Unpacking:

  • Methodology
  • Manual unpacking
  • Memory dumping & import reconstruction

Cryptography essentials:

  • Overview
  • Modes of operation
  • RC4, AES and RSA in detail
  • Applications in malware

Decryption workflow:

  • Searching and identification
  • Basics of cryptanalysis
  • Handling encrypted data

Day 3: Beyond assembly: VB & .NET-based threats

Bytecode explained:

Handling Visual Basic malware:

  • Overview
  • File structure and P-code instructions
  • Static and dynamic analysis

Exploring .NET threats:

  • Overview
  • File format and CIL
  • Static and dynamic analysis
  • Handling obfuscated .NET malware

< WHAT TO BRING? />

  • Bring a laptop capable of running an x64 virtual machine (it should have a compatible CPU, at least 4 GB of RAM and plenty of disk space) with VirtualBox or VMware software installed.
  • The VM will be provided; it is strongly recommended to download it IN ADVANCE as its size is several gigabytes.
  • Create a free account on the VirusShare service to download lab and homework samples; follow the steps at https://virusshare.com/about to obtain a free account there.

< Training PREREQUISITE />

The course is designed to suit all levels of expertise, from complete beginners to mature reverse engineers who want to level up and fill in potential gaps in their knowledge. Some prior knowledge of informatics, C programming, or reverse engineering will help speed up the process but is not obligatory.

< WHO SHOULD ATTEND? />

SOC analysts, incident responders, malware analysts, IT engineers who want to enter the cybersecurity field, or anyone who is interested in malware analysis and wants to level up their career.

< WHAT TO EXPECT? />

By the end of the course, you should be able to confidently analyze various types of Windows executables at practically any level of complexity.

< WHAT ATTENDEES WILL GET? />

A virtual machine set up to analyze malware safely, with all the required software pre-installed.

< WHAT NOT TO EXPECT? />

Because the course duration is only 3 days, we won't be able to cover absolutely all possible aspects of Windows malware. Topics outside the scope include, but are not limited to, script- or macro-based malware, exploits, kernel-mode threats, and more advanced topics such as process injection or anti-RE techniques; these will be the subject of future courses.

< About the Trainer />

Alexey Kleymenov is a malware analyst and software engineer with 16+ years of practical reverse engineering experience at several international antivirus companies. He took part in numerous e-crime and targeted-attack investigations, and developed various systems to perform threat intelligence across both the traditional PC environment and the emerging IoT and OT areas. Alexey is a member of the ISC2 organization holding the CISSP certification and has authored several patents in these fields. He is the author of the "Mastering Malware Analysis" book and the founder of the "Reverse Engineering and More" project, which teaches people how to perform malware analysis.