Dec 04, 2024  
2021-2022 Course Catalog 
    
2021-2022 Course Catalog [ARCHIVED CATALOG]

Add to Portfolio (opens a new window)

CVF 2202 - Malicious Documents and Memory Forensics

Credits: 3
Hours/Week: Lecture 2 Lab 2
Course Description: This course explores several techniques malware authors commonly employ to protect malicious Windows executables from being analyzed, often with the help of packers. The course deals with how to bypass analysis defenses, such as structured error handling for execution flow, PE header corruption, fake memory breakpoints, tool detection, integrity checks and timing controls. It touches on Web browser malware, the use of additional tools and approaches for analyzing more complex malicious scripts written in VBScript and JavaScript by exploring common patterns of assembly instructions often used to gain initial access to the victim’s computer, how to analyze malicious Microsoft Office documents, covering tools such as Office MalScanner and explore steps for analyzing malicious PDF documents with utilities such as Origami and PDF Tools.
MnTC Goals
None

Prerequisite(s): CVF 1065  with a grade of C or higher or instructor consent. 
Corequisite(s): None
Recommendation: CVF 2201  with a grade of C or higher.

Major Content
  1. Identifying packers
  2. Manual unpacking of packed and otherwise protected malicious Windows executables
  3. Tips and tricks for bypassing anti-analysis mechanisms built into malware
  4. Additional techniques for analyzing obfuscated browser scripts using tools such as SpiderMonkey
  5. Analyzing malicious Microsoft Office (Word, Excel, PowerPoint) and Adobe PDF documents
  6. Examining shellcode in the context of malicious files
  7. Analyzing memory to assess malware characteristics and reconstruct infection artifacts
  8. Using memory forensics to analyze rootkit infections

Learning Outcomes
At the end of this course students will be able to:

  1. describe IDA Plug-in architecture and setup.
  2. explain the Kernel API used by malware authors.
  3. use IDA configuration for programmatic reversing and script writing.
  4. describe common rootkit technologies.
  5. use WinDBG for kernel debugging.
  6. explain PE Anti-reversing techniques: De-obfuscating executables for IDA.
  7. explain user-mode obfuscation methods.
  8. demonstrate Anti-RE Techniques: Detecting debuggers, virtual machines, and other tricks.
  9. describe kernel assisted obfuscation.
  10. describe rootkit process / DLL injection.
  11. explain rootkit process / DLL injection.
  12. analyze reverse kernel-mode botnet bots.
  13. describe Metasploit’s Shikata-ga-nai.
  14. utilize Saffron and Ether during malware analysis.
  15. analyze physical memory with memorize.
  16. identify common algorithms inside worms.
  17. analyze Virtual Machine based packers.
  18. describe reverse Themida and other VM packers.
  19. demonstrate reverse storm’s C&C protocol.
  20. demonstrate reverse .NET byte code.

Competency 1 (1-6)
None
Competency 2 (7-10)
None


Courses and Registration



Add to Portfolio (opens a new window)