Advanced Malware Analysis
Overview
Malware authors sometimes take deliberate steps to thwart the reverse engineering of their malware. This course is focused on advanced topics related to combating malware defense mechanisms. Designed for the experienced malware analyst, the course assumes a robust skill set in x86 architecture and the Windows APIs. Students will learn how to counter anti-disassembly, anti-debugging and anti-virtual machine techniques. Students will also learn how to defeat packed and armored executables and will be challenged to demonstrate these skills several times throughout the course.
Additional topics covered will include malware stealth techniques, such as process injection and rootkit technology; analyses of samples written in alternate programming languages, such as Delphi and C++; and a review of available tools and techniques. All concepts and materials presented are reinforced with demonstrations, real-world case studies, follow-along exercises, and student labs to allow students to practice what they have learned. This class is taught by senior FLARE Malware Analysts who are experienced in fighting through the state-of-the-art malware armor.
Who Should Take this Course
Intermediate to advanced malware analysts, information security professionals, forensic investigators or others requiring an understanding of how to overcome difficult challenges in malware analysis.
Student Requirements
- Excellent knowledge of the Windows operating system and API
- Strong knowledge of the x86 architecture is required
- Computer programming experience
- Some training or experience in malware analysis
- Experience using IDA Pro
What Students Should Bring
- Students must bring their own laptop with VMware Workstation, Server or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.
- A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.
What Students Will Be Provided With
- A student manual
- Class handouts
- Mandiant gear
Trainers
Claudiu Teodorescu is a Staff Reverse Engineer in FireEye's FLARE team. Prior to joining FireEye, Claudiu worked for Guidance Software, writing forensic parsers for different file formats to support the EnCase forensic tool. Also, as the Cryptographic Officer of the company, he supported EnCase integration with different disk/volume/file based encryption products including Bitlocker, McAfee EEPC, Checkpoint FDE, Symantec EEPC, etc. Claudiu has presented research on the Windows Management Instrumentation database at B-Sides LV and Defcon 2015. He was also a member of the team that won the 2015 Volatility plugin contest with the "shimcachemem" plugin.
Alex Berry is Senior Manager of the FLARE Team at FireEye Inc.
Tyler Dean is a Reverse Engineer with the FireEye Labs Advanced Reverse Engineering (FLARE) team. With the FLARE team, Tyler has taught several malware analysis classes and is the primary developer of the debugger scripting framework flare-dbg. Prior to the FLARE team, Tyler worked at two U.S. research labs, Sandia National Labs and SEI/CERT, performing forensics and malware reverse engineering. Tyler received a master's degree in information security from Carnegie Mellon University.