Reverse Engineering Malware
Reverse Engineering Malware is an intermediate course that gives students the theoretical knowledge and hands-on techniques needed to analyze malware of greater complexity. Students will learn to analyze malicious Windows programs, debug user-mode malware with OllyDbg and kernel-mode malware with WinDbg, identify common malware functionality, and reverse covert and encoded malware.
Objectives
This course will give students a working knowledge of analyzing malicious Windows programs, debugging user-mode and kernel-mode malware, identifying common malware functionality, and reversing covert and encoded malware.
Course Duration
5 days
Audience
This course is intended for junior malware analysts and reverse engineers who want to increase their skills to better understand more complex malicious code.
Prerequisites
Students should have significant training or experience in a high-level language such as C/C++, in x86 architecture and x86 assembly language, and in operating system principles.
Day 1
- Windows API
- Handles & file system functions
- Common registry functions & autoruns
- Networking APIs
- Processes, threads & mutexes
Day 2
- Kernel vs. User-mode debugging
- Software & hardware breakpoints
- Modifying program execution & patching
- OllyDbg overview
- Memory maps
- Executing code, breakpoints & tracing
- OllyDbg plugins
Day 3
- Kernel debugging with WinDbg
- Configuring kernel debugging environment
- Analyzing functions, structures and driver objects
- Rootkit analysis
- Downloaders, launchers & backdoors
- Analyzing various persistence mechanisms & user-mode rootkits
Day 4
- Covert malware
- Abusing resource section of PE file
- Process injection & process replacement
- Windows hooks & detours
- APC injection from kernel space
Day 5
- Analyzing encoding algorithms
- XOR, BASE64 & custom encoding
- Common crypto algorithms
- KANAL
- Custom decoding scripts in Python
- Instrumentation for generic decryption
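The Day 5 material on XOR, Base64 and custom decoding scripts is the kind of thing best shown with code. The following Python script is an added illustration, not course material or code from UMBC Training Centers: it takes a constructed sample (a command string that has been Base64-encoded and then XOR-ed with a single-byte key, a layering many simple stagers use), brute-forces the XOR key by scoring each candidate for printable ASCII, and then strips the Base64 layer from candidates that fit the Base64 alphabet. The plaintext and the key are assumptions chosen for the example.

```python
import base64
import binascii
import string
from typing import List, Optional, Tuple

# Constructed sample data (assumption for this example): the "malware" hides a
# command line by Base64-encoding it and then XOR-ing every byte with one key.
PLAINTEXT = b"cmd.exe /c whoami"
KEY = 0x5A

PRINTABLE = set(string.printable.encode())
B64_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the operation is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def encode_sample(plaintext: bytes = PLAINTEXT, key: int = KEY) -> bytes:
    """Mimic the sample's encoding layers: Base64 first, then single-byte XOR."""
    return xor_bytes(base64.b64encode(plaintext), key)


def score_printable(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 means every byte is."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def brute_force_xor(blob: bytes, threshold: float = 0.95) -> List[Tuple[int, bytes]]:
    """Try all 256 single-byte keys and keep candidates that are mostly printable.

    Several keys can pass (XOR with 0x20 only flips letter case, for instance),
    so the caller should inspect the hits rather than trust the first one.
    Results are sorted best-scoring first.
    """
    hits = []
    for key in range(256):
        candidate = xor_bytes(blob, key)
        score = score_printable(candidate)
        if score >= threshold:
            hits.append((score, key, candidate))
    hits.sort(key=lambda h: h[0], reverse=True)
    return [(key, candidate) for _, key, candidate in hits]


def try_base64(data: bytes) -> Optional[bytes]:
    """Decode only if every byte is in the Base64 alphabet and padding is valid."""
    if not data or len(data) % 4 != 0:
        return None
    if any(b not in B64_ALPHABET for b in data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except (ValueError, binascii.Error):
        return None


def decode_blob(blob: bytes) -> List[Tuple[int, bytes]]:
    """Full pipeline: XOR brute force, then peel the Base64 layer from each candidate.

    Returns (key, plaintext) pairs for every candidate that survived both stages.
    """
    results = []
    for key, candidate in brute_force_xor(blob):
        decoded = try_base64(candidate)
        if decoded is not None:
            results.append((key, decoded))
    return results


if __name__ == "__main__":
    blob = encode_sample()
    print("encoded blob:", blob.hex())
    for key, plaintext in decode_blob(blob):
        print(f"key=0x{key:02x} -> {plaintext!r}")
```

For a real sample the blob would be carved from the PE's resource or data section instead of produced by encode_sample(); the two-stage structure stays the same, and the printable-score stage is what lets the script flag candidate keys even when the inner layer is not Base64.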
- Is there a discount available for current students?
  UMBC students and alumni, as well as students who have previously taken a public training course with UMBC Training Centers, are eligible for a 10% discount, capped at $250. Please provide a copy of your UMBC student ID, an unofficial transcript, or the name of the UMBC Training Centers course you have completed. Asynchronous courses are excluded from this offer.
- What is the cancellation and refund policy?
  Students will receive a refund of paid registration fees only if UMBC Training Centers receives a notice of cancellation at least 10 business days prior to the class start date for classes or the exam date for exams.
- What is Live Online training?
  Classes marked Live Online have the same content and expert instructors as our classroom training, but are delivered entirely online through our virtual classroom environment. Each class session is live and led by an instructor.