Malware Analysis Crash Course


This course provides a rapid, hands-on introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems. Students will learn how to determine the functionality of a program by analyzing its disassembly and by observing how it modifies a system and its resources as it runs in a debugger.

Students also learn how to extract host-based and network-based indicators from a malicious program. We will cover dynamic analysis and the Windows APIs most often used by malware authors. Each section includes in-class demonstrations and hands-on labs with real malware, which allow students to practice what they have learned.

CPE Credits: Earn 24 CPE (Continuing Professional Education) credits for attending this training. Please request a confirmation during the registration process.

Location: Hilton Zurich Airport Hotel
Hohenbuehlstrasse 10
8152 Opfikon-Glattbrugg

Plenty of free parking is available.
Train: Zurich Airport railway station, then take the hotel shuttle.

Date of Event: 28th – 30th January 2020 (3 days)
Time: 9:00 am – 5:00 pm
Language: English
Participation Fee: CHF 2’850.– (including refreshments, lunch and Apéro afterwards)

Learning Objectives

Basic Static Analysis – Learn to quickly perform a malware autopsy using a variety of techniques and tools without running the malware. By the end of this module, the learner will be able to explain how to extract meaningful characteristics from an unknown binary without executing it.

The following topics are illustrated in this module:

  • Hashing
  • Strings
  • Open Source Intelligence
  • PE File Format
  • Packed Executables

Basic Dynamic Analysis – Analyze running malware by observing file system changes, function calls, network communications and other indicators. Be exposed to basic yet effective methods for analyzing running malware in a safe environment. By the end of this module, the learner will be able to extract meaningful runtime characteristics from an unknown binary by allowing it to execute in a controlled environment.

The following topics are illustrated in this module:

  • Malware sandboxes
  • Virtualization and isolation
  • Host-based monitoring tools
  • Network-based monitoring tools
  • Launching binaries

Disassembly – Review the basics of the x86 assembly language and build a foundation for reading it. Also see how to use IDA Pro, the main tool for disassembly analysis, and recognize code constructs in the disassembly. By the end of this module, the learner will be able to explain x86 assembly language, use and navigate IDA Pro, and describe the x86 stack and registers.

The following topics are illustrated in this module:

  • Introduction to Disassembly
  • x86 Architecture Review
  • Introduction to IDA Pro
  • Static Analysis Basics in IDA Pro
  • Enhancing Disassembly in IDA Pro
  • Recognizing Common Code Constructs

Debugging – Monitor and change malware behavior, as it runs, at a low level. By the end of this module, the learner will be able to manually debug a program at a low level, set breakpoints, modify data, explain other key concepts, and describe how to use x64dbg.

The following topics are illustrated in this module:

  • Introduction to debuggers
    • Why debuggers?
    • Source level versus low level
    • Kernel mode versus user mode
    • Stepping
    • Breakpoints
    • Exceptions
  • Tool focus: x64dbg
    • Demonstration

Windows Internals – Hear about a wide range of Windows-specific concepts that are relevant to analyzing Windows malware. By the end of this module, the learner will be able to describe Windows internals and how they are organized by function, as well as describe the most common Windows APIs.

The following topics are illustrated in this module:

  • Windows Architecture
  • Introduction to the Windows API
    • Windows Data Types and Structures
    • Function Prototypes
  • Windows API Tour
    • Windows Registry
    • Process Internals
    • Windows Services
    • Windows Networking
  • User-mode vs. Kernel-mode

Who Should Attend
The content and pace of this course are intended for software developers, information security professionals, incident responders, computer security researchers, corporate investigators, and others who require an understanding of how malware operates and of the processes involved in performing malware analysis.

Prerequisites
Students should possess an excellent knowledge of computer and operating system fundamentals. Computer programming fundamentals and Windows Internals experience are highly recommended as well.

Course Requirements
Students must bring their own laptop computer with VMware Workstation 10+ or VMware Fusion 7+ installed. Laptops should have at least 30 GB of free disk space.

About your trainer

Christopher Gardner
Chris Gardner is a Reverse Engineer on FireEye’s FLARE team. He enjoys decoding malware network traffic and applying machine learning to malware classification. Prior to joining FireEye, Chris worked as a vulnerability researcher at a US government contractor.

Ryan Warns
Ryan Warns is a Staff Reverse Engineer working for FLARE’s Offensive Task Force (OTF). In his current role he acts as a reverse engineer performing malware analysis, and a security researcher specializing in vulnerability analysis and payload development in support of FireEye’s Red Team. Prior to joining FLARE he worked for the DoD specializing in Windows Internals, capability development, vulnerability research, and low-level software engineering.

Registration
Cancellations of registration are free of charge until 30 days before the event. Cancellations received after this point will incur 100% of the admission fee, and you will receive an invoice for the respective amount. In any case, however, a substitute delegate may be sent at no additional cost.

Register here
