|
Dec 30, 2024
|
|
|
|
CVF 2201 - Malware Analysis Fundamentals & Malicious Code Analysis Credits: 3 Hours/Week: Lecture 2 Lab 2 Course Description: This course presents the key tools and techniques malware analysts use to examine malicious programs by exploring Windows malware in two phases. Behavioral analysis focuses on the program’s interactions with its environment, such as the registry, the network and the file system. Code analysis focuses on the specimen’s code and makes use of disassembler and debugger tools such as IDA Pro and OllyDbg. This course covers how to patch malicious executables to change their functionality during the analysis without recompiling them and redirect network traffic in the lab to better interact with malware. MnTC Goals None
Prerequisite(s): None Corequisite(s): None Recommendation: CVF 1065 and CVF 1205 with a grade of C or higher OR instructor consent. System administration experience on Microsoft Windows or Linux operating systems.
Major Content
- Configuring the malware analysis lab
- x86 Intel assembly language primer
- Handling anti-disassembling techniques
- Identifying key x86 assembly logic structures with a disassembler
- Patterns of common malware characteristics at the Windows API level (DLL injection, hooking, keylogging, sniffing, etc.)
- Assembling the toolkit for malware forensics
- Performing behavioral analysis of malicious Windows executables
- Performing static and dynamic code analysis of malicious Windows executables
- Additional learning resources for reverse-engineering malware
- Reinforcing the dynamic analysis concepts learned in 610.1
- Patching compiled malicious Windows executables
- Analyzing packed malicious executable files
- Intercepting network connections in the malware lab
- Analyzing Web browser malware implemented in JavaScript and Flash
- Core concepts for reverse-engineering malware at the code level
Learning Outcomes At the end of this course students will be able to:
- analyze encrypted binaries.
- discover heap overflows.
- discover stack overflows.
- explain hashing functions.
- reverse engineer UPX and other compression types.
- create a sandbox to isolate malware.
- identify malware communication channels.
- monitor registry changes.
- unpack malware code.
- analyze use of Thwart anti-debugger code.
- explain System vs. Code Level reversing.
- explain conditional branching statements.
- demonstrate uses of IDA Pro with hostile code.
- identify malware variables.
- use Ollydbg for runtime analysis of malware.
- perform kernel mode debugging with SoftICE.
- dump executables from memory with Dumpbin.
- explain Obfuscation of file formats.
- locate undocumented APIs.
Competency 1 (1-6) None Competency 2 (7-10) None Courses and Registration
Add to Portfolio (opens a new window)
|
|