Malware Analysis Master Course

Designed for experienced malware analysts, this course focuses on advanced topics related to combating a wider variety of more complex malware and malware defense mechanisms. It covers how to combat anti-disassembly, anti-debugging and anti-virtual machine techniques. It also discusses how to defeat packed and armored executables, analyze encryption and encoding algorithms and defeat various obfuscation techniques. Additional topics include malware stealth techniques (process injection and rootkit technology), analyses of samples written in alternate programming languages (C++) and popular software frameworks (.NET).

Learners will be taught to use existing tools and techniques as well as research and develop their own IDA Pro scripts and plugins. All concepts and materials are reinforced with demonstrations, real-world case studies, follow-along exercises and student labs to allow learners to practice new skills. Instructors are senior FLARE malware analysts who are experienced in fighting through state-of-the-art malware armor.

Learning Objectives

After completing this course, learners should be able to:

  • Understand how malware hides its execution, including process injection, process replacement and user-space rootkits
  • Grasp how shellcode works, including position independence, symbol resolution and decoders
  • Comprehend the inner workings and limitations of disassemblers such as IDA Pro as well as how to circumvent the anti-disassembly mechanisms that malware authors use to thwart analysis
  • Automate IDA Pro using Python and IDC to help analyze malware more efficiently
  • Understand how to combat anti-debugging, including bypassing timing checks, Windows debugger detection and debugger vulnerabilities
  • Fool malware so it cannot detect what is running in your safe environment
  • Understand how malware analysis is influenced by C++ concepts like inheritance, polymorphism and objects
  • Recognize common C++ structures from the disassembly
  • Use disassembler features to enhance the reverse engineering process of C++ binaries
  • Unpack manually by studying various packer algorithms and generic techniques to quickly defeat them
  • See how x64 changes the game for malware analysis, including how WOW64 works and the architecture changes from x86
  • Grasp string obfuscation techniques that are commonly used by malware, then take malware communications and analyze network packet captures
  • Reverse engineer .NET bytecode and work with obfuscation techniques used by attackers

Who Should Attend

Intermediate-to-advanced malware analysts, information security professionals, forensic investigators and others who need to understand how to overcome difficult and complex challenges in malware analysis.

Prerequisites

Robust skill set in x86 architecture and the Windows APIs. Exposure to software development is highly recommended. Completion of Malware Analysis Crash Course is recommended but not required.

Course Requirements

Laptop computer with VMware Workstation 10+ or VMware Fusion 7+, and at least 30 GB of free HDD space. A licensed copy of IDA Pro is highly recommended to participate in all labs, but the free version can be used in most cases.

Duration

5 days

Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.
