TrainSec

Malware Analyst Professional - Level 2

via TrainSec

Overview

Take your malware analysis skills to the next level with Malware Analyst Professional Level 2! Led by Uriel Kosayev, this course dives into advanced malware dissection, attacker methods, and reverse engineering tools such as IDA Pro and x64dbg. Covering x86 architecture, Windows API analysis, code injection, packed malware, and shellcode, it equips you to excel as a professional malware analyst.

Syllabus

  • Introduction to Reverse Engineering
    • This section lays the foundation for reverse engineering in the context of malware analysis. It begins with a course overview by Uriel Kosayev, detailing the advanced topics to be covered. The lessons then introduce reverse engineering as the process of uncovering the inner workings of software, using tools such as disassemblers, decompilers, and debuggers. Core concepts of x86 architecture, including CPU components, memory layouts, and the interaction between RAM, the CPU, and registers, are explained in detail. Further, the section delves into assembly language operations like PUSH, POP, and control flow instructions, emphasizing their importance in analyzing malicious binaries. The final lesson explores bitwise operations (AND, OR, NOT, XOR) and their applications, providing practical examples to enhance understanding. By the end of this section, students acquire a solid technical foundation for diving deeper into malware reverse engineering.
  • Understanding Windows API Functions
    • This section explores the critical role of Windows API functions in malware analysis and reverse engineering. It begins with an introduction to how these functions serve as a bridge between software and the operating system, enabling processes to interact with system resources. Students learn to configure debug symbols to enhance the debugging experience and navigate MSDN documentation to understand API functions effectively. Advanced lessons delve into analyzing API calls, identifying their purpose, and using tools like IDA Pro and x64dbg to trace their execution. By the end of this section, students gain a comprehensive understanding of Windows APIs and their significance in dissecting malware functionality.
  • Code Injection
    • This section dives into the techniques and mechanisms of code injection, a common tactic used by malware to manipulate processes. It starts with an introduction to the concept of code injection and its relevance in cybersecurity. Lessons cover the classification of various injection methods, including their characteristics and use cases. The section provides an in-depth exploration of process injection techniques, such as CreateRemoteThread, which allows injecting code into remote processes, and Process Hollowing, a method for replacing legitimate code with malicious payloads. These techniques are broken down into practical steps, with examples and tools to help students identify, analyze, and counteract such methods. By the end, students gain valuable skills to detect and understand code injection, a critical component of advanced malware analysis.
  • Dancing with Self-defending Malware
    • This section explores the sophisticated techniques used by malware to evade detection and analysis, equipping students with the skills to counter these defensive measures. The introduction sets the stage by explaining the concept of anti-analysis tactics employed by malware. Subsequent lessons dive into anti-debugging methods that hinder debugging tools, and anti-virtual machine (anti-VM) techniques that detect and avoid running in virtualized environments. Finally, the section addresses anti-antivirus (anti-AV) strategies, illustrating how malware bypasses traditional security software. Through practical examples and detailed explanations, students gain insights into recognizing and overcoming these self-defense mechanisms, a critical aspect of malware analysis.
  • Fighting Packed Malware to the Death
    • This section delves into the methods used to unpack and analyze packed malware, a common tactic employed by attackers to obscure their malicious code. The lessons start with an introduction to packers and the unpacking process, explaining how packing works and its role in hindering analysis. Students then analyze real-world examples, such as unpacking the infamous WannaCry ransomware, to understand these techniques in action. Practical sessions cover manual unpacking of malware packed with tools like UPX, PECompact, and ASPack, guiding students through the step-by-step process of bypassing these layers of obfuscation. By the end of this section, participants are equipped with the skills needed to effectively combat and analyze packed malware.
  • Malicious Shellcode Analysis
    • This section focuses on the analysis and reverse engineering of shellcode, a compact and powerful piece of malicious code used in exploitation. It begins with an introduction to shellcode analysis, explaining its purpose, structure, and role in cyberattacks. Subsequent lessons guide students through the reverse engineering process, covering practical techniques to dissect shellcode. Using step-by-step examples, the course demonstrates how to identify entry points, decode obfuscated instructions, and understand the payload’s functionality. By the end of the section, participants gain the expertise needed to analyze and counteract shellcode, a critical skill in advanced malware analysis and cybersecurity.
  • Ransomware Reverse Engineering
    • This section provides an in-depth exploration of ransomware analysis, focusing on the DarkSide ransomware. Through hands-on exercises, students delve into the techniques used by ransomware developers to obfuscate and encrypt malicious payloads. Lessons cover initial analysis, identifying packed or encrypted sections, and using tools like IDA Pro to unpack and analyze runtime code.
  • Reverse Engineering .NET Malware
    • This section focuses on analyzing .NET-based malware using advanced techniques. The lessons center on the SolarWinds Sunburst Backdoor, a sophisticated .NET-based threat. Students learn to decompile and examine malware using tools like dnSpy, explore function call trees, and uncover hidden malicious payloads embedded in legitimate code. Topics include understanding fingerprinting methods like concatenating machine GUIDs and MAC addresses, validating execution environments, and detecting domain-joined computers. The course also covers how the malware conducts extensive enumeration of services, processes, and system drivers to evaluate attack viability and escalate privileges. Through step-by-step analysis, participants learn how the malware interacts with DNS and C2 servers, builds HTTP requests with disguised user agents, and exfiltrates config files containing sensitive system data. This section equips students with essential skills to dissect .NET malware and understand its stealth techniques.

Taught by

Uriel Kosayev
