I also tweet, blog and . Contact Me|Professional

Reverse-Engineering: Malware Analysis Tools and Techniques Training

This malware analysis course prepares forensic investigators, incident responders and malware specialists to reverse-engineer malicious software using practical tools and techniques.

The Reverse-Engineering Malware (REM) course, which I present at SANS Institute, teaches a practical approach to examining malicious programs—spyware, bots, trojans, etc.—that target or run on Microsoft Windows. This training also looks at reversing web-based malware, such as JavaScript and Flash files, as well as malicious document files. By the end of the course, you'll learn how to reverse-engineer malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger, and other tools for turning malware inside-out!

On this page you will find:

Course Overview: Learn Malware Analysis to Improve Incident Response and Forensics Skills

This unique course provides a rounded approach to reverse-engineering by covering both behavioral and code phases of the analysis process. As a result, the course makes malware analysis accessible even to individuals with a limited exposure to programming concepts. The materials do not assume that the students are familiar with malware analysis; however, the complexity of concepts and techniques increases as the course progresses.

The malware analysis process taught in this class helps incident responders assess the severity and repercussions of a situation that involves malicious software. It also assists in determining how to contain the incident and plan recovery steps. Forensics investigators also learn how to understand key characteristics of malware present on compromised systems, including how to establish indicators of compromise (IOCs) for scoping and containing the intrusion.

REM Methodology: A Methodical Approach to Reverse-Engineering

The course begins by covering fundamental aspects of malware analysis. You'll learn how to set up an inexpensive and flexible laboratory for understanding the inner-workings of malicious software and will understand how to use the lab for exploring characteristics of real-world malware. Then you'll learn to examine the program's behavioral patterns and code. Afterwards, you'll experiment with reverse-engineering compiled Windows executables and browser-based malware.

The course continues by discussing essential x86 assembly language concepts. You'll examine malicious code to understand the program's key components and execution flow. Additionally, you'll learn to identify common malware characteristics by looking at Windows API patterns and will examine excerpts from bots, rootkits, keyloggers, and downloaders. You'll understand how to work with PE headers and handle DLL interactions. Furthermore, you'll learn tools and techniques for bypassing anti-analysis capabilities of armored malware, experimenting with packed executables and obfuscated browser scripts.

Towards the end of the course, you'll learn to analyze malicious document files that take the form of Microsoft Office and Adobe PDF documents. Such documents act as a common infection vector and need to be understood by enterprises concerned about both large-scale and targeted attacks. The course also explores memory forensics approaches to examining rootkits. Memory-based analysis techniques also help understand the context of an incident involving malicious software.

Exercises: Hands-On Training for Malware Analysis and Reversing

Hands-on workshop exercises are a critical aspect of this course and allow you to apply reverse-engineering techniques by examining malware in a controlled environment. When performing the exercises, you'll study the supplied specimen's behavioral patterns and examine key portions of its code. You'll examine malware on a Windows virtual machine that you'll infect during the course and will use the supplied Linux virtual machine (REMnux) that includes tools for examining and interacting with malware.

Topics Covered Covered in this Reverse-Engineering Malware Course Include

You Will Learn How to Use Malware Analysis Tools Such As

Complexity of the Course: Formalizing and Expanding Your Malware Analysis Skills

While the field of reverse-engineering malware is in itself advanced, the course begins by covering this topic from an introductory level and quickly progresses to discuss malware analysis tools and techniques of intermediate complexity.

Neither programming experience, nor the knowledge of assembly is required to benefit from the course. However, you should have a general idea about core programming concepts, such as variables, loops, and functions. The course spends some time discussing essential aspects of x86 assembly to allow malware analysts navigate through malicious executables using a debugger and a disassembler.

Who Should Attend this Reverse-Engineering Malware Course?

Individuals who found this course particularly useful often had responsibilities in the areas of incident response, forensic investigation, Windows security, and system administration.

You'll benefit from this course if you deal with incidents involving malware and would like to learn how to understand key aspects of malicious programs.

The majority of course participants have a strong understanding of core systems and networking concepts and have had a limited exposure to programming and assembly concepts.

Some individuals who attended the course have experimented with aspects of malware analysis prior to the course and were looking to formalize and expand their malware forensics expertise.

Skill Prerequisites for the Course

When and Where Can You Attend?

The FOR610 course is presented at SANS conferences and also on-line. For the latest schedule of planned FOR610 classes, please see the FOR610 course schedule on the SANS website.

Interviews Related to Malware and Reversing

If you'd like to learn more about my perspective on malicious software and the reversing process, check out the following podcast and text-based conversations in which I participated:

Related Content