Malware Analysis Training

Static Analysis

• Anti-Virus Scanning to Confirm Malware
• Hashes for Malware Identification
• Extracting Information from File Strings, Functions and Headers

Analyzing Malware in a Virtual Machine

• The Virtual Machine Structure
• Creating and Using Your Malware Analysis Machine
• Risks of Using VMware
• Introduction to the Record/Replay Feature of VMware

Dynamic Analysis

• Malware Sandbox
• Launching Executable Malware
• Windows Process Monitor
• Process Explorer – Microsoft Task Manager
• Regshot Comparisons
• Faking a Network
• Wireshark
• NetSim
• Using the Dynamic Tools for a Malware Analysis Setup

Disassembly

• Levels of Abstraction
• Reverse-Engineering
• x86 Architecture

Interactive Disassembler Professional (IDA Pro)

• Loading an Executable in IDA Pro
• IDA Pro Interface
• xref in IDA Pro
• IDA Pro Function Analysis
• 5 Graphing Options
• Disassembly Modification Features
• Extending Functionality with Plug-ins

C Code Constructs

• Local and Global Variables
• Disassembling Math Operations
• if Statements
• Loops and Repetitive Tasks
• Function Calls
• switch Statements
• Arrays and Structures
• Linked List

Malware Targeted to Windows Functionalities

• Windows API
• Windows Registry
• Networking API
• Uncovering Transfer Executions from Malware
• Kernel and User Modes
• Native API

Debugging

• Source and Low Level Debuggers
• Debugging a Program
• Gaining Control through Exceptions
• Modifying Program Execution

OllyDbg – x86 Debugger

• Loading Executables
• OllyDbg Interface and Memory Map
• Threads and Stacks
• Code Execution
• OllyDbg Supported Breakpoints
• Loading and Debugging DLLs
• Tracing Technique
• Exceptions and Patching
• Shellcode Analysis and Assistance Features
• Plug-Ins
• Scriptable Debugging

WinDbg – Kernel Debugger

• Kernel Code and Device Drivers
• Preparing for Kernel Debugging
• Using the WinDbg Functionality
• Symbols for Microsoft Functions and Variables
• Constructing Files from Kernel Space
• Rootkits
• Kernel Issues with Latest Versions of Windows

Malware Characteristics

• Downloaders and Launchers
• Backdoors
• Credential Stealing Programs
• Malware Persistence Mechanisms
• Escalating Privileges
• Rootkit Forms

Covert Launching Techniques

• Launchers
• Process Injection
• Process Replacement
• Windows Hook Injection
• Detours Library
• Asynchronous Procedure Call (APC) Injection

Data Encoding

• Purpose of Encoding
• Simple Encoding Techniques – Ciphers
• Modern Cryptography
• Encoding Schemes
• Decoding Content 

Network-Based Countermeasures

• Network Countermeasures
• Techniques for Secure Online Investigation
• Content-Based Network Countermeasures
• Dynamic and Static Analysis
• Perspective of the Attacker

Anti-Disassembly

• Overview of Anti-Disassembly
• Exploiting Weaknesses within Disassembler Algorithms
• Techniques for Exploiting Assumptions 
• Obscuring Flow Control
• Stack-Frame Construction Analysis

Anti-Debugging

• Detecting Windows Debuggers
• Debugging Behavior
• Interfering with Debugger Operation
• Vulnerabilities in Debugger Software

Anti-VM Techniques

• Artifacts
• Vulnerable Instructions
• VMware Settings
• Exploiting the VMware Vulnerabilities

Packers and Unpacking

• Anatomy of a Packer
• Packed Program Identification
• Three Unpacking Options
• Automated and Manual Unpacking Programs
• Tips and Techniques for Packers
• Analyzing a Malware Piece without Fully Unpacking
• Packing DLLs

Analyzing Shellcode

• Loading and Running Shellcode
• PIC (Position-Independent Code)
• Identifying the Execution Location
• Manual Symbol Resolution
• Shellcode Encodings
• NOP Slide
• Locating Shellcode

C++ Language Analysis

• Object-Oriented Programming
• Virtual and Nonvirtual Functions
• Constructor and Destructor Functions

Malware for 64-bit Architecture

• Overview of the 64-bit Process and Code
• Windows 64-bit vs. 32-bit Architecture
• Microsoft’s WOW64
• 64-bit Codes for Additional Insight to Malware Functionality