Reverse Malware Analysis
0/10
(0 reviews)
Training course created on 16/09/2022.
Programme version: 1
Training programme
Training objective: learn how to analyse malware through several real-world cases
Training objectives
- Learn the methods and techniques used to analyse malware
- Understand the functionality of the analysed malware
- Reconstruct the steps the malware takes
Participant profile
Who is it for
- Cybersecurity experts
Prerequisites
- Programming experience (any language)
- Good understanding of Windows and Linux (registry, command line, configuration ...)
- Understanding of how compiled programs use libraries (dynamic and static linking, DLL files)
- Basic networking knowledge (HTTP protocol, TCP/IP sockets)
- Recommended: C/C++ programming (pointer manipulation, object-oriented programming)
- Recommended: basic understanding of x86 assembly (stack, heap, sections ...)
- Recommended: basic knowledge of the Win32 API (file operations, registry operations, HTTP requests ...)
Course content
MALWARE ANALYSIS PRIMER
- Goals of Malware Analysis
- Analysis Techniques (Static Analysis, Dynamic Analysis)
- Types of malware
- General Rules for Analysis
BASIC STATIC TECHNIQUES
- Antivirus Scanning (IRMA...)
- Hashing: A Fingerprint for Malware
- Finding Strings
- Packed and Obfuscated Malware
- Portable Executable File Format
- Linked Libraries and Functions
- The PE File Headers and Sections
- ELF file format
Practical exercises
- Basic analysis of different pieces of software
- Basic analysis of a first version of the malware
BASIC DYNAMIC ANALYSIS
- Procmon, Regshot, Process Explorer, sandboxes
Practical exercises
- Basic dynamic analysis of the first version of the malware
- Usage of a sandbox
CRASH COURSE IN X86 DISASSEMBLY
- The x86 Architecture
IDA INTRO
- Usage, from loading a binary to extending IDA's functionality
DEBUGGING
- Basic usage of a debugger (Windows and Linux)
RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY
- Global vs. Local Variables
- Recognizing Loops
- Understanding Function Call Conventions
- Analyzing switch Statements
Practical exercises
- Analysis of the first version of the malware
- Analysis of an ELF file
PACKING AND CLASSIC PATTERNS
- Common functions and algorithms
- Introduction to packing and unpacking
- Introduction to C++
Practical exercises
- Analysis of small examples
- Unpacking of a new version of the malware
.NET REVERSE
- Introduction to .NET reverse engineering
Practical exercises
- Analysis of a small .NET executable
UNDERSTANDING MALWARE BEHAVIOUR
- Backdoors (RATs, botnets...), downloaders, launchers, persistence, privilege escalation
- Network signatures (DNS, calling home functions, Intro to SNORT/SURICATA...)
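The "calling home" and DNS indicators listed above, turned into detection logic and a Suricata rule, as an added example that is not part of the course material. The DNS packets and their timestamps are constructed here by build_dns_query() and sample_events(), the domains are reserved example names, and the beacon threshold (coefficient of variation below 0.1), the DGA label heuristics and the rule sid are assumptions chosen for the demonstration.

```python
"""Network-side indicators of a backdoor calling home: parse DNS queries, flag
clockwork beaconing and DGA-looking names, and emit a Suricata rule for a
confirmed domain. Added example for this syllabus, not course material;
all packets, timestamps and domains below are constructed."""
import math
import statistics
import struct


def parse_dns_query(payload: bytes) -> dict:
    """Decode the 12-byte header and the first question (RFC 1035 wire format)."""
    txid, flags, qdcount = struct.unpack_from(">HHH", payload, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not expected in a question name
            raise ValueError("compression pointer in question name")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    qtype, _qclass = struct.unpack_from(">HH", payload, off)
    return {"id": txid, "is_query": not (flags & 0x8000), "qname": ".".join(labels), "qtype": qtype}


def build_dns_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed standard query (flags 0x0100 = recursion desired), one question."""
    name = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack(">HH", qtype, 1)


def label_entropy(label: str) -> float:
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label)) if n else 0.0


def looks_generated(qname: str) -> bool:
    """Crude DGA heuristic on the second-level label (no public-suffix list here)."""
    parts = qname.split(".")
    sld = parts[-2] if len(parts) >= 2 else parts[0]
    digit_ratio = sum(c.isdigit() for c in sld) / max(len(sld), 1)
    return len(sld) >= 12 and (label_entropy(sld) > 3.5 or digit_ratio > 0.3)


def beacon_score(timestamps: list) -> float:
    """Coefficient of variation of inter-query gaps; close to 0 means a fixed sleep loop."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return float("inf")  # too few samples to call it periodic
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def analyse(events: list) -> dict:
    """events: list of (timestamp, raw DNS payload). Returns a verdict per queried name."""
    per_domain = {}
    for ts, raw in events:
        q = parse_dns_query(raw)
        if q["is_query"]:
            per_domain.setdefault(q["qname"], []).append(ts)
    verdicts = {}
    for qname, ts_list in per_domain.items():
        cv = beacon_score(sorted(ts_list))
        verdicts[qname] = {"queries": len(ts_list),
                           "beacon_cv": None if cv == float("inf") else round(cv, 3),
                           "beaconing": cv < 0.1, "dga_like": looks_generated(qname)}
    return verdicts


def suricata_dns_rule(domain: str, sid: int) -> str:
    """Suricata rule on the dns.query sticky buffer; sid is a local-range placeholder."""
    return (f'alert dns any any -> any any (msg:"MALWARE C2 DNS lookup {domain}"; '
            f'dns.query; content:"{domain}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def sample_events() -> list:
    """Constructed traffic: a 60 s beacon with +/-0.4 s jitter, two benign lookups, one DGA-style name."""
    base = 1663300000.0
    events = [(base + 60 * i + (0.4 if i % 2 else -0.4), build_dns_query(0x1000 + i, "c2-gate.example.net"))
              for i in range(6)]
    events.append((base + 7.0, build_dns_query(0x2000, "www.example.com")))
    events.append((base + 150.0, build_dns_query(0x2001, "www.example.com")))
    events.append((base + 33.0, build_dns_query(0x3000, "x7q9kd2pz0aw4m1r.example")))
    return events


if __name__ == "__main__":
    for name, verdict in analyse(sample_events()).items():
        print(name, verdict)
        if verdict["beaconing"]:
            print("  ", suricata_dns_rule(name, 1000001))
```

In a live analysis the events come from the sandbox pcap (for example `tshark -Y dns -T fields -e frame.time_epoch -e dns.qry.name`), and the rule is only worth shipping once the domain has been confirmed in the binary's configuration or in its decrypted traffic; a beaconing score alone also fires on legitimate software with fixed polling intervals.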
ANTI-REVERSING
- Anti-debugging
- Anti-virtual machine
Practical exercises
- Analysis of a final version of the malware
- Writing detection rules
Teaching team
Professional with technical and teaching expertise
Delivery monitoring and assessment of results
- Attendance sheets
- Oral or written questions (multiple-choice quizzes)
- Practical scenarios
- Training evaluation forms
- Certificate of completion of the training
Technical and teaching resources
- Digital workspace
- Training slides projected in class
- Lectures
- Case studies
- In-class quizzes
- Course materials made available online after the training
Quality and satisfaction
Learner satisfaction rate, number of learners, dropout rate and causes, survey response rate, rate of interruption during delivery...