• Online, Instructor-Led
Course Description

Designed for experienced malware analysts, this course focuses on advanced topics related to combating a wider variety of more complex malware and the self-defense mechanisms malware uses to resist analysis. It covers how to counter anti-disassembly, anti-debugging and anti-virtual-machine techniques. It also discusses how to defeat packed and armored executables, analyze encryption and encoding algorithms and defeat various obfuscation techniques. Additional topics include malware stealth techniques (process injection and rootkit technology) and the analysis of samples written in alternate programming languages (C++) and popular software frameworks (.NET).

Learning Objectives

After completing this course, learners should be able to:

  • Understand how malware hides its execution, including process injection, process replacement and user-space rootkits
  • Grasp how shellcode works, including position independence, symbol resolution and decoders
  • Comprehend the inner workings and limitations of disassemblers such as IDA Pro, as well as how to circumvent the anti-disassembly mechanisms that malware authors use to thwart analysis
  • Automate IDA Pro using Python and IDC to help analyze malware more efficiently
  • Understand how to combat anti-debugging, including bypassing timing checks, Windows debugger detection and debugger vulnerabilities
  • Fool malware so it cannot detect what is running in your safe analysis environment
  • Understand how malware analysis is influenced by C++ concepts such as inheritance, polymorphism and objects

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Specialty Areas

  • Exploitation Analysis

Feedback

If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.