Reverse Malware Analysis

Training course created on 16/09/2022.
Programme version: 1

Type of training

Remote training

Training duration

28 hours (4 days)

Training objectives: learn how to analyse malware through several real-life cases

Training objectives

  • Learn the methods and techniques used to analyse malware
  • Understand the functionality of the analysed malware
  • Learn the steps taken by the malware

Target audience

Who is it for
  • Cybersecurity expert
Prerequisites
  • Experience in programming (any language)
  • Good understanding of Windows and Linux (registry, command line, configuration …)
  • Understanding of compiled program libraries (dynamic and static linking, DLL files)
  • Basic knowledge of networking (HTTP protocol, TCP/IP sockets)
  • Recommended: C/C++ programming (pointer manipulation, object-oriented programming)
  • Recommended: basic understanding of x86 assembly (stack, heap, sections …)
  • Recommended: basic knowledge of the Win32 API (file operations, registry operations, HTTP requests …)

Course content

MALWARE ANALYSIS PRIMER
  • Goals of Malware Analysis
  • Analysis Techniques (Static Analysis, Dynamic Analysis)
  • Types of malware
  • General Rules for Analysis
BASIC STATIC TECHNIQUES
  • Antivirus Scanning (IRMA...)
  • Hashing: A Fingerprint for Malware
  • Finding Strings
  • Packed and Obfuscated Malware
  • Portable Executable File Format
  • Linked Libraries and Functions
  • The PE File Headers and Sections
  • ELF file format
Practical exercises
  • Basic analysis of different pieces of software
  • Basic analysis of a first version of the malware
BASIC DYNAMIC ANALYSIS
  • Procmon, Regshot, Process Explorer, sandboxes
Practical exercises
  • Basic dynamic analysis of the first version of the malware
  • Usage of a sandbox
BOOT COURSE IN X86 DISASSEMBLY
  • The x86 Architecture
IDA INTRO
  • Usage from loading to extending functions
DEBUGGING
  • Basic usage of a debugger (Windows and Linux)
RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY
  • Global vs. Local Variables
  • Recognizing Loops
  • Understanding Function Call Conventions
  • Analyzing switch Statements
Practical exercises
  • Analysis of the first version of the malware
  • Analysis of an ELF file
PACKING AND CLASSIC PATTERNS
  • Usual functions and algorithms
  • Introduction to packing and unpacking
  • Introduction to C++
Practical exercises
  • Analysis of small examples
  • Unpacking of a new version of the malware
.NET REVERSE
  • Introduction to .NET reverse engineering
Practical exercises
  • Analysis of a small .NET executable
UNDERSTANDING MALWARE BEHAVIOUR
  • Backdoors (RAT, Botnets...), Downloaders, Launchers, Persistence, PrivEsc
  • Network signatures (DNS, calling-home functions, introduction to Snort/Suricata...)
ANTI REVERSE
  • ANTI-DEBUGGING
  • ANTI-VIRTUAL MACHINE
Practical exercises
  • Analysis of a final version of the malware
  • Writing detection rules

Teaching team

Professional with technical and teaching expertise

Monitoring of delivery and assessment of results

  • Attendance sheets
  • Oral or written questions (multiple-choice quiz)
  • Practical scenarios
  • Training evaluation forms
  • Certificate of completion of the training

Technical and teaching resources

  • Digital workspace
  • Projected training support documents
  • Theoretical presentations
  • Study of concrete cases
  • In-class quizzes
  • Support documents made available online after the training

Quality and satisfaction

Learner satisfaction rate, number of learners, dropout rate and causes, survey response rate, rate of interruption during delivery...