Reverse Engineering Malware Analysis Intermediate Level

An Intermediate Level Course on Reverse Engineering and Analyzing Malware
File size: 3.53 GB
Total length: 5h 33m
Instructor: Paul Chin
Last update: 11/2022
Ratings: 4.8/5

What you’ll learn

Types of Malware and Terminologies
Static Analysis
Dynamic Analysis
Assembly Language Refresher and Malicious APIs
API Hooking, Process Hijacking, Dumping Memory
Identifying Standard and Custom Packers
Unpacking Packed Malware
Enumerating Breakpoints and Memory Tracing
Hooking VirtualProtect, VirtualAlloc, GetProcAddress, CreateProcessInternalW and other common APIs
Using Scylla Plugin to Dump Memory, Fixing IAT Tables
Using Delphi Interactive Reconstructor
Dumping Memory from Memory Viewer, Process Hacker and Memory Maps
API Enumeration Count Trick To Know When to Dump
Self-Injection and Remote Thread Injection
Fixing Section Alignments, Unmapping and Re-Basing Dumped Files
and more…


Requirements

Windows PC with Virtual Machine and Flare-VM Installed
Some basics in malware analysis or software reverse engineering.

Description

If you already have some basic reverse engineering and malware analysis knowledge and wish to go further, then this course is for you. I will take you from basic to intermediate level in reverse engineering and analyzing malware. You will learn using plenty of practical walk-throughs. The focus of this course will be on how to unpack malware. Most modern malware is packed in order to defeat analysis. Hence, this Intermediate Level course provides the required knowledge and skills to unpack malware. All the needed tools will be introduced and explained. By the end of this course, you will have intermediate level skill in malware analysis under your belt to further your studies in this field. Even if you do not intend to take up malware analysis as a career, the knowledge and skills gained in reverse engineering and analysis will also help you reverse software in general.

Everything is highly practical. No boring theory or lectures; more like walk-throughs which you can replicate and follow along. We will focus on API hooking, memory analysis and tracing to determine where and when to dump memory after a malware has unpacked its payload into memory. In this course, we will be using Oracle Virtual Machine installed with Flare-VM. Take note that all software used in this course is free.

Topics include:

Types of Malware and Terminologies
Dynamic and Static Analysis
Assembly Language Refresher and Malicious APIs
API Hooking, Process Hijacking, Dumping Memory
Fixing Section Alignments, Un-mapping and Re-Basing Dumped Files
Enumerating Breakpoints and Memory Tracing
Hooking VirtualProtect, VirtualAlloc, GetProcAddress, CreateProcessInternalW and other common APIs
Using Scylla Plugin to Dump Memory
Using Delphi Interactive Reconstructor
Dumping Memory from Memory Viewer, Process Hacker and Memory Maps
API Enumeration Count Trick To Know When to Dump
Self-Injection and Remote Thread Injection
and more…

This course is suitable for:

Students who have already done a basic level malware analysis course
Hackers looking for additional tools and techniques to reverse software
Reverse Engineers who want to venture into malware analysis

The prerequisites:

Some basics in malware analysis or software reverse engineering.
Windows PC with Virtual Machine and Flare-VM Installed.

Note: If you do not have the basics of malware analysis, it is recommended to take my earlier course first, which is entitled: Reverse Engineering & Malware Analysis Fundamentals

Go ahead and enroll now. I will see you inside!

Overview

Section 1: Introduction

Lecture 1 Introduction

Section 2: Types of Malware and Malware Analysis Terminologies

Lecture 2 Types of Malware

Lecture 3 Malware Analysis Terminologies

Section 3: Lab: Analysis of .NET Trojan Spyware (Info-Stealers)

Lecture 4 Dynamic Analysis of .NET Trojan – Part 1

Lecture 5 Dynamic Analysis of .NET Trojan – Part 2

Lecture 6 Static Analysis of .NET Trojan – Part 1

Lecture 7 Static Analysis of .NET Trojan – Part 2

Section 4: Assembly Language Refresher and Malicious APIs

Lecture 8 Assembly Language Refresher

Lecture 9 Malicious APIs

Section 5: API Hooking, Process Hijacking and Dumping Memory

Lecture 10 Using API Hooking to Analyze Malware – PandaBanker

Lecture 11 Tracing Process Hijacking and Dumping Memory

Lecture 12 Fixing Section Alignment, Unmapping, fixing IAT and Re-basing

Section 6: Lab: Unpacking Emotet Trojan

Lecture 13 Unpacking Part 1: Static Analysis of Emotet Trojan

Lecture 14 Unpacking Part 2: Debugging of Emotet Trojan to Hunt For Unpacked Code

Lecture 15 Unpacking Part 3: Dumping Memory and Unmapping Dumped File

Section 7: Lab: Unpacking Hancitor Trojan

Lecture 16 IDA Static Analysis and xdbg Enumerating Breakpoints

Lecture 17 API Hooking and Memory Tracing

Lecture 18 Dumping Memory and Unmapping File

Section 8: Lab: Unpacking Vmprotect Trojan

Lecture 19 API Hooking with VirtualProtect, VirtualAlloc and GetProcAddress

Lecture 20 Memory Tracing and Scylla Dumping

Lecture 21 PE-Studio and Interactive Delphi Reconstructor (IDR)

Section 9: Lab: Unpacking Trickbot Trojan

Lecture 22 Unpacking part 1: API Hooking

Lecture 23 Unpacking part 2: Dumping from Memory Map

Lecture 24 Unpacking part 3: Un-mapping Dumped File

Section 10: Lab: Unpacking Dridex Trojan

Lecture 25 Dridex – part 1 – Initial Analysis

Lecture 26 Dridex – part 2 – API Enumeration Count

Lecture 27 Dridex – part 3 – Self-Injection and Process Hacker Dumping

Lecture 28 Dridex – part 4 – Unmapping the Dumped File

Section 11: Lab: Unpacking Ramnit Trojan

Lecture 29 Ramnit – part 1 – Using CreateProcessInternalW to Track Child Process

Lecture 30 Ramnit – part 2 – Tracking VirtualAlloc to Identify When To Dump

Lecture 31 Ramnit – part 3 – Unpacking UPX with CFF Explorer

Section 12: Lab: Unpacking Remcos Trojan with xdbg and dnSpy

Lecture 32 Remcos – part 1 – exploring .NET with xdbg

Lecture 33 Remcos – part 2 – CreateProcessInternalW, WriteProcessMemory and NtResumeThread

Lecture 34 Remcos – part 3 – Analysis with PE-Bear and PE-Studio

Lecture 35 Remcos – part 4 – Unpacking with dnSpy by tracing Invoke

Section 13: Lab: Unpacking Zloader Trojan

Lecture 36 Zloader – part 1 – PE-Studio and API Hooking until VirtualProtect

Lecture 37 Zloader – part 2 – Tracing Pointer to Unpacked Code for Dumping

Lecture 38 Zloader – part 3 – PE-Studio and PE-Bear Analysis

Section 14: Resources For Further Study

Lecture 39 Bonus Lecture

Who this course is for

Students who have already done a basic level malware analysis or reverse engineering course
Hackers looking for additional tools and techniques to reverse software
Reverse Engineers who want to venture into malware analysis

Course Information:

Udemy | English | 5h 33m | 3.53 GB
Created by: Paul Chin
