Delivery Method: Online
Course Duration: N/A
This course is a direct follow-on to our Assembly For Malware Reverse Engineers class. It consists of several capstone scenario labs for you to work through and practice analyzing malicious assembly code. The capstone scenarios are more than a set of skills for you to work on. Each lab consists of a scenario that sets up a problem, and then has multiple objectives for you to complete to solve the problem. There is no one right way to obtain your objectives and it’s up to you to decide on the best approach. All of the detailed lab answers are delivered through a video walkthrough showing one possible solution so that you can compare your approach with that of an experienced analyst.
Each lab is designed to test the skills required to analyze real malware. There is a small step up in difficulty from our AFMRE capstone lab. There is no guided walkthrough so it will be up to you to devise the analysis approach.
The samples are contrived and not live malware, but they are fully designed using common malicious techniques. The only difference between these binaries and real malware is the complexity. To allow optimal learning at this early stage, a few steps have been taken.
The assembly has been modified to reduce compiler optimizations so you can focus on the basic instructions and not get stuck on unusual optimizations. Many of the extraneous capabilities have been stripped out so that you don’t get overwhelmed. There will still be functions and code included that aren’t necessary to understand for completing the objectives, but the amount will be limited. Finally, some functions may be labeled to provide important context, allowing you to focus on the learning objectives instead of recognizing every function.
What You’ll Learn
Upon completion of the course, students will have learned how to:
- Identify locations of interest based on analysis goals
- Trace variable usage throughout a program
- Recognize indirect references to arrays
- Use context to make informed hypotheses
- Reverse engineer straightforward cryptographic algorithms
Students should have taken our Assembly For Malware Reverse Engineers course.
Alternatively, you need to have a basic understanding of reading assembly, the general analysis process for statically analyzing malicious assembly code, and you should be familiar with using Ghidra, the free disassembler. All lab files are delivered as saved Ghidra files.
This course does not provide the educational background needed to analyze malicious assembly code or use Ghidra. It is expected students have already obtained this from previous courses.
Students will need a 64-bit computer with:
- A virtualization program installed (VirtualBox, VMWare, etc.)
- The latest version of the free disassembler Ghidra installed
Information for obtaining a free analysis lab is provided in the course if you don’t have existing VMs.
- Lab 1: Stolen Credentials
- Lab 2: Infinite C2 Domains
- Lab 3: Deciphering a File Structure
- Lab 4: Triggering Self-Destruct