Reverse engineering and intermediate malware analysis

This one-day training is an extension of our Malware analysis course. It covers intermediate techniques for dynamic and static analysis and reverse engineering of compiled code for Windows operating systems, along with the development of signatures for malicious code at both the network level and the endpoint level.

The course is highly practical in nature and gives trainees a chance to try out a multitude of tools and techniques for the analysis of different types of compiled code, including shellcode and EXE files.


Contents

  1. Internal structure and functionality of PE files
  2. Introduction to x86/x64 assembly
  3. Debuggers, disassemblers, decompilers and other tools useful for analysis of compiled code
    • Ghidra
    • IDA Pro
  4. Techniques for analysis of various types of PE files and compiled code
    • Compiled code vs. intermediate code and differences in their analysis
    • Differences in executable code developed in different languages
    • Basics of static analysis and reverse engineering of PE files
    • Techniques for shellcode analysis
  5. Results and outputs from analysis
    • Reporting recommendations
    • Extraction of IoCs and TTPs
    • Development of YARA rules and other signatures

The course is aimed at

  • Senior Security Operations Center (SOC) analysts
  • Computer Security Incident Response Team (CSIRT) operators
  • Junior malware analysts
  • Anyone who wants to learn the basics of reverse engineering

Prerequisites

  • Knowledge and skills corresponding to the Malware analysis course
  • Experience with C/C++ programming
  • Previous exposure to x86/x64 assembly is beneficial but not required

Additional requirements

A properly configured laptop with an installed hypervisor capable of creating snapshots of virtual machines is required to participate in the course. The laptop has to be able to allocate 2 vCPUs, 8 GB RAM and 100 GB of storage space to a virtual machine, which will be used during the training. A virtual machine based on the Windows 10 operating system has to be prepared individually by each participant, according to the provided instructions, before the start of the course.

Materials

Trainees will receive an electronic version of the study materials.

Duration

1 day

Currently available training dates

This training is only available on demand for closed groups of participants - either in combination with the Malware analysis course, as a two-day training, or as a standalone one-day training. If you are interested in a private run of this training for your organization, don’t hesitate to contact us.