Day 1
1. Introduction to the main concepts and terms
a. Course program and plan;
b. Setting up needed software and safe environment;
c. Modern types of threats and malware classification;
d. Types of analysis (basic static, static, dynamic/behaviour, advanced dynamic);
e. Disassemblers and decompilers;
2. x86 and x64 Architecture and Assembly
a. Processor architectures, CISC vs RISC;
b. Fundamental data types;
c. Endianness;
d. x86 and x64 architecture;
e. Memory organization – memory models, paging and virtual memory;
f. Register set, main purpose hardware registers;
g. Assembly language – instruction set, opcodes, mnemonics, operands and examples;
h. Stack and heap;
i. Function calls – calling conventions, stack frame, prologue/epilogue;
Day 2
3. Static Analysis
a. Basic static analysis. Approaches and mindset;
b. Strings, entropy and hash analysis;
c. Portable Executable header analysis;
d. PE resources, overlay, imports, compiler and protection analysis;
e. PE signature, publisher information and file icon analysis;
f. AV scanning, VirusTotal and web research;
g. Advanced static analysis;
4. Dynamic Analysis
a. Dynamic Analysis: Why? When? How?;
b. Using system monitoring utilities to capture file system, registry and network activity;
c. Monitoring process activity;
d. Monitoring APIs;
e. Monitoring network;
Day 3
5. Malware behavior
a. Windows malware techniques;
b. Malware persistence;
c. Anti-analysis - obfuscation, anti-debugging, anti-emulation, etc.;
d. Packers, cryptors and protectors; unpacking malicious samples;
e. Debugging Windows applications using x64dbg and WinDbg;
6. Non-Windows malware – Linux
a. Statistics, attack vectors;
b. Operating system security basics;
c. Static analysis: ELF file format, IDA, HIEW;
d. Dynamic analysis: file behaviour, strace, unpacking;
Day 4
7. Non-Windows malware – macOS
a. Statistics, attack vectors;
b. Operating system security basics, internal AV, single source application distribution;
c. Static analysis: Mach-O file format, Objective-C constructs;
d. Dynamic analysis: ptrace;
8. Non-Windows malware – Android
a. Statistics, attack vectors: unknown sources, exploit vector;
b. Operating system security basics: sandbox, SafetyNet;
c. Static analysis: APK file format, decompilation, pseudo-Java;
Day 5
9. Project/Exercise Consultation and Feedback Assignment(s)
Assignments
There are two assignments, to be completed and submitted to the trainer within a month of the course end date. Further details on the assignments will be provided by the trainer during the 5-day course.
Certification
Participants who meet at least 75% of the required course attendance and attempt the assessment will be awarded the Certificate of Performance.