Dec 30, 2024  
2018-2019 Course Catalog [ARCHIVED CATALOG]


CVF 2201 - Malware Analysis Fundamentals & Malicious Code Analysis

Credits: 3
Hours/Week: Lecture 2 Lab 2
Course Description: This course presents the key tools and techniques malware analysts use to examine malicious programs by exploring Windows malware in two phases. Behavioral analysis focuses on the program’s interactions with its environment, such as the registry, the network and the file system. Code analysis focuses on the specimen’s code and makes use of disassembler and debugger tools such as IDA Pro and OllyDbg. This course covers how to patch malicious executables to change their functionality during the analysis without recompiling them and redirect network traffic in the lab to better interact with malware.
MnTC Goals
None

Prerequisite(s): None
Corequisite(s): None
Recommendation: CVF 1065 and CVF 1205 with a grade of C or higher OR instructor consent. System administration experience on Microsoft Windows or Linux operating systems.

Major Content
  1. Configuring the malware analysis lab
  2. x86 Intel assembly language primer
  3. Handling anti-disassembling techniques
  4. Identifying key x86 assembly logic structures with a disassembler
  5. Patterns of common malware characteristics at the Windows API level (DLL injection, hooking, keylogging, sniffing, etc.)
  6. Assembling the toolkit for malware forensics
  7. Performing behavioral analysis of malicious Windows executables
  8. Performing static and dynamic code analysis of malicious Windows executables
  9. Additional learning resources for reverse-engineering malware
  10. Reinforcing the dynamic analysis concepts learned in 610.1
  11. Patching compiled malicious Windows executables
  12. Analyzing packed malicious executable files
  13. Intercepting network connections in the malware lab
  14. Analyzing Web browser malware implemented in JavaScript and Flash
  15. Core concepts for reverse-engineering malware at the code level

Learning Outcomes
At the end of this course students will be able to:

  1. analyze encrypted binaries.
  2. discover heap overflows.
  3. discover stack overflows.
  4. explain hashing functions.
  5. reverse engineer UPX and other compression types.
  6. create a sandbox to isolate malware.
  7. identify malware communication channels.
  8. monitor registry changes.
  9. unpack malware code.
  10. analyze and thwart anti-debugger code.
  11. explain system-level vs. code-level reversing.
  12. explain conditional branching statements.
  13. demonstrate uses of IDA Pro with hostile code.
  14. identify malware variables.
  15. use Ollydbg for runtime analysis of malware.
  16. perform kernel mode debugging with SoftICE.
  17. dump executables from memory with Dumpbin.
  18. explain obfuscation of file formats.
  19. locate undocumented APIs.

Competency 1 (1-6)
None
Competency 2 (7-10)
None

