We're offering 20% off September Live Online classes! See which courses are applicable.   |   Details >

  
AccountIcon BigDataIcon BlogIcon default_resource_icon CartIcon checkmark_icon cloud_devops_icon computer_network_admin_icon cyber_security_icon gsa_schedule_icon human_resources_icon location_icon phone_icon plus_icon programming_software_icon project_management_icon redhat_linux_icon search_icon sonography_icon sql_database_icon webinar_icon

Search UMBC Training Centers

Cybersecurity

Malcare (Reverse Engineering Malware)

+ View more dates & times
    
    
    
    
                     
  • Overview

    This course, developed and delivered by our partner, Rendition Infosec, introduces students to the principles, practices, and tools used in reversing engineer. Once students are comfortable with these foundational concepts, they will take a deep-dive into the concepts and practices around reverse engineering malicious software. Students will perform many hands-on lab exercises to examine the characteristics of multiple different malware samples. Students will gain a better understanding of the capabilities of different types of malware, how they are created, how they propagate, persistence mechanisms, obfuscation techniques, packing techniques, and antidebugging features used to attempt to defeat analysis, reverse engineering, and forensic investigation. The ultimate goal of this course is to gain experience with practical application of reverse engineering malicious software to better understand threat actors in order to best protect our organizations.

  • Who Should Take This Course

    Prerequisites

    Knowledge of TCP/IP networking, hacking / penetration testing methodology, system/network
    defense practices, and familiarity with basic concepts of malware are required. Students should
    have recent experience with both C programming and Assembly language.

  • Why You Should Take This Course

    Upon completing this course, students will be able to:

    • Understand Windows APIs
    • Use the offline version of MSDN to look up documentation and calling conventions
    • Examine PE files to identify info about the origin and capabilities of unknown executables
    • Use Python to convert between number systems and evaluate results of logical operations
    • Use dumpbin.exe as a command line tool for generating disassembly
    • Manually verify call targets and identify dumpbin binary disassembly failures
    • Use basic features of IDA Pro
    • Understand how common control flow structures in C are compiled into assembly
    • Use Immunity Debugger to analyze malware samples
    • Use behavioral analysis techniques and tools to analyze a suspect executable
    • Explore processes, threads, memory and modules on Windows using Process Hacker
    • Understand basic operation of GMER and use it to identify rootkits
    • Examine malware samples that use Mutexes
    • Understand how a typical dropper operates
    • Investigate and identify process injection
    • Identify the behaviors in an obfuscated binary that contains anti-debugging features
    • Examine compiled scripts
    • Examine malware that performs string obfuscation to resist static analysis
    • Use tools such as IDA Pro and OllyDbg to identify signs that a binary has been packed
    • Manually unpack a packed executable using several methods
    • Understand automated unpacking tools such as AoRE and QUnpack
    • Identify malware using registry keys for persistence
    • Use IDA Pro to investigate a process that reads values from and sets values in the registry
    • Examine malware that uses file time modification to hamper forensic examination
    • Identify malware using service creation for persistence
    • Examine malware that checks for an active Internet connection before beaconing
    • Use Immunity Debugger to examine obfuscated binaries with anti-debugging features
  • Schedule
  • Course Outline

    Schedule

    5 Days (Rapid pacing for lecture and fewer labs)
    10 Days (Moderate pacing for lecture and more labs)

    Outline

    1. Module 1 – Reverse Engineering Definitions and Concepts
      a. Introduction to RE
      b. Common RE Project Goals
      c. Intro to compiled code/compilers
    2. Module 2 – Malware Taxonomy
      a. Keyloggers
      b. Backdoors
      c. Droppers
      d. DDoS Malware
      e. Worms
      f. Click Fraud
      g. Spyware
      h. Trojans
      i. Rootkits
    3. Module 3 – Categories of Malware Analysis
      a. Static Analysis
      b. Dynamic Analysis
      c. Behavioral Analysis
      d. Metadata Analysis
    4. Module 4 – Windows API
      a. Windows API’s
      b. APIs and constants
      c. Windows SDK
      d. CreateProcessA vs CreateProcessW
      e. RegCreateKey vs RegCreatKeyEx
      f. Using MSDN
    5. Module 5 – PE Header Analysis
      a. Executable Headers
      b. PE Format
      c. PE Header
      d. IAT Intro
    6. Module 6 – Numerical Conversions and Logical Operators
      a. Numbering Systems
      b. Intro to base
      c. Hex (Counting/Conversions)
      d. Binary (Numbering/Conversions)
      e. Bitwise (AND/OR/NOT/XOR)
    7. Module 7 – Intro to Assembly Language
      a. Memory
      b. Modules
      c. Processes
      d. Threads
      e. Registers
      f. Pointers
      g. Stack
    8. Module 8 – Intro to IDA Pro
      a. Basic use of IDA Pro
      b. Disassembly
    9. Module 9 – Compilers, Linkers, and Calling Conventions
      a. Compiler
      b. Linker
      c. Function Calling Conventions
      d. Control Flow Statements in Assembly
    10. Module 10 – Debuggers – Dynamic Analysis
      a. Intro to debuggers
      b. Attaching vs Starting
      c. Control Flow
      d. Breakpoints (Software/Hardware/Memory)
    11. Module 11 – Leveraging Behavioral Analysis to Jumpstart Malware RE
      a. Intro to Behavioral Analysis
      b. Network Isolation
      c. RegMon/FileMon tools
      d. API/File/Registry monitors
      e. Live Tools
    12. Module 12 – Process Hacker
      a. Intro to Process Hacker tool
      b. Services
      c. Network
      d. Process Memory
      e. Creating/Reading Dumps
    13. Module 13 – Rootkits
      a. Intro to rootkits
      b. Hooking (detecting in malware)
      c. Kernel Mode Rootkits
      d. IRP Hooking
    14. Module 14 – Components of Execution
      a. Standalone Executables
      b. Dynamic Link Libraries (DLLs)
      c. Device Drivers
      d. Generic Plugins
    15. Module 15 – Mutexes
      a. Intro to Mutexes
      b. Why use a Mutex
      c. APIs/Alternatives/Significance
    16. Module 16 – Resources and Droppers
      a. PE format
      b. Resource APIs/Dropper/Alternatives/Obfuscation
    17. Module 17 – Code Injection
      a. What is code injection
      b. Why?
      c. Code Injection methods
      d. API calls
    18. Module 18 – Compiled Scripts
      a. Script files (RE)
      b. Intro to compiled script files
      c. Offensive countermeasures
      d. Common languages
    19. Module 19 – Bot Lifecycle
      a. Intro to bots
      b. Internet/Intranet scale lifecycles
      c. C2 Architectures
      d. Botnet RE Goals
    20. Module 20 – String Obfuscation
      a. Intro to packing
      b. Defeating string obfuscation
      c. Static/Dynamic analysis
      d. Character arrays
    21. Module 21 – Setting Persistence
      a. Registry persistence
      b. APIs
      c. Setting persistence without APIs
    22. Module 22 – Using the Registry for Operations (Other than persistence)
      a. Registry values
      b. APIs
      c. Registry notifications
    23. Module 23 – File and Directory Manipulation
      a. Files/Directories and malware
      b. Temp directory
      c. Environmental variables
      d. Malwares ability to read/write files
      e. Finding dropped files
      f. Randomly named files
      g. File times/MFT entries
    24. Module 24 – Service Control Manager
      a. Intro to SCM
      b. Registry interaction
      c. Registry vs SCM API
      d. Device Drivers (start types)
    25. Module 25 – Network Operations
      a. Networking APIs
      b. Listening vs Beaconing
      c. Identifying C2 Domains
      d. WinInet
    26. Module 26 – Windows Firewall
      a. Intro to Windows Firewall
      b. Dorking
      c. netsh
      d. Registry
      e. APIs
    27. Module 27 – Anti-Debugging Techniques
      a. Intro to Anti-Debugging
      b. Detecting all/specific debuggers
      c. Breakpoint Detection
      d. Timing/Exceptions
  • FAQs
    • Is there a discount available for current students?UMBC students and alumni, as well as students who have previously taken a public training course with UMBC Training Centers are eligible for a 10% discount, capped at $250. Please provide a copy of your UMBC student ID or an unofficial transcript or the name of the UMBC Training Centers course you have completed. Online courses are excluded from this offer.
    • What is the cancellation and refund policy?Student will receive a refund of paid registration fees only if UMBC Training Centers receives a notice of cancellation at least 10 business days prior to the class start date for classes or the exam date for exams.
    • What is Live Online training?Classes marked Live Online have the same content and expert instructors as our classroom training, but are delivered entirely online through our virtual classroom environment. Each class session is live, and led by an Instructor.

Contact Us