Apr 19, 2024  
2019-2020 Course Catalog [ARCHIVED CATALOG]

CVF 2202 - Malicious Documents and Memory Forensics

Credits: 3
Hours/Week: Lecture 2 Lab 2
Course Description: This course explores techniques that malware authors commonly employ, often with the help of packers, to protect malicious Windows executables from analysis. It covers how to bypass analysis defenses such as structured exception handling used to redirect execution flow, PE header corruption, fake memory breakpoints, tool detection, integrity checks and timing controls. It also touches on web browser malware; additional tools and approaches for analyzing more complex malicious scripts written in VBScript and JavaScript; common patterns of assembly instructions used to gain initial access to the victim's computer; how to analyze malicious Microsoft Office documents with tools such as OfficeMalScanner; and steps for analyzing malicious PDF documents with utilities such as Origami and PDF Tools.
MnTC Goals
None

Prerequisite(s): CVF 1065  with a grade of C or higher or instructor consent.
Corequisite(s): None
Recommendation: CVF 2201  with a grade of C or higher.

Major Content
  1. Identifying packers
  2. Manual unpacking of packed and otherwise protected malicious Windows executables
  3. Tips and tricks for bypassing anti-analysis mechanisms built into malware
  4. Additional techniques for analyzing obfuscated browser scripts using tools such as SpiderMonkey
  5. Analyzing malicious Microsoft Office (Word, Excel, PowerPoint) and Adobe PDF documents
  6. Examining shellcode in the context of malicious files
  7. Analyzing memory to assess malware characteristics and reconstruct infection artifacts
  8. Using memory forensics to analyze rootkit infections

Learning Outcomes
At the end of this course students will be able to:

  1. describe the IDA plug-in architecture and its setup.
  2. explain the kernel APIs used by malware authors.
  3. use IDA configuration for programmatic reversing and script writing.
  4. describe common rootkit technologies.
  5. use WinDbg for kernel debugging.
  6. explain PE anti-reversing techniques and de-obfuscate executables for IDA.
  7. explain user-mode obfuscation methods.
  8. demonstrate anti-RE techniques: detecting debuggers, virtual machines, and other tricks.
  9. describe kernel-assisted obfuscation.
  10. describe rootkit process and DLL injection.
  11. explain rootkit process and DLL injection.
  12. reverse-engineer kernel-mode botnet bots.
  13. describe Metasploit's Shikata Ga Nai encoder.
  14. utilize Saffron and Ether during malware analysis.
  15. analyze physical memory with Memoryze.
  16. identify common algorithms inside worms.
  17. analyze virtual-machine-based packers.
  18. describe how to reverse Themida and other VM packers.
  19. demonstrate reversing the Storm worm's C&C protocol.
  20. demonstrate reversing .NET bytecode.

Competency 1 (1-6)
None
Competency 2 (7-10)
None