Course overview
Training objective: learn how to analyse malware through several real-life cases
Prerequisites
- Experience in programming (any language)
- Good understanding of Windows and Linux (registry, command line, configuration …)
- Understanding of how compiled programs use libraries (dynamic and static linking, DLL files)
- Basic knowledge of networking (HTTP protocol, TCP/IP sockets)
- Recommended: C/C++ programming (pointer manipulation, object-oriented programming)
- Recommended: basic understanding of x86 assembly (stack, heap, sections …)
- Recommended: basic knowledge of the Win32 API (file operations, registry operations, HTTP requests …)
Learning objectives
- Learn the methods and techniques used to analyse malware
- Understand the functionality of the analysed malware
- Reconstruct the steps taken by the malware
Target audience
- Cybersecurity experts
Training programme

MALWARE ANALYSIS PRIMER
- Goals of Malware Analysis
- Analysis Techniques (Static Analysis, Dynamic Analysis)
- Types of malware
- General Rules for Analysis

BASIC STATIC TECHNIQUES
- Antivirus Scanning (IRMA …)
- Hashing: A Fingerprint for Malware
- Finding Strings
- Packed and Obfuscated Malware
- Portable Executable File Format
- Linked Libraries and Functions
- The PE File Headers and Sections
- ELF file format

Practical exercises
- Basic analysis of different pieces of software
- Basic analysis of a first version of the malware

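As a worked example of the basic static techniques listed in this module (hashing, string extraction, PE headers and sections, linked libraries and imported functions), the script below performs a first static triage of a PE file. It is an added example written for this page, not course material or a tool from the course. To run offline it builds a minimal, hand-constructed PE32 image in memory (the URL, path, DLL and function name inside it are made up) rather than using a real sample; `triage()` accepts any PE bytes, so point it at a file of your own with `triage(open(path, "rb").read())`.

```python
import hashlib
import re
import struct

# Constructed sample layout (a hand-built PE32 image, not a real malware):
#   0x000 DOS header, e_lfanew -> 0x40
#   0x040 "PE\0\0" + COFF header (20 bytes) + PE32 optional header (224 bytes)
#   0x138 one section header (40 bytes); headers padded to 0x200
#   0x200 ".text" raw data: strings, import directory, ILT/IAT
IMAGE_BASE, SECT_VA, SECT_RAW = 0x400000, 0x1000, 0x200


def build_sample() -> bytes:
    """Assemble a minimal PE32 with one section importing kernel32!CreateFileA (constructed data)."""
    sec = bytearray(0x200)
    strs = b"http://example.invalid/beacon\0C:\\Users\\Public\\upd.exe\0"   # made-up strings
    sec[:len(strs)] = strs
    dll, hint, ilt, iat = 0xC0, 0xD0, 0xE8, 0xF0          # offsets inside the section
    sec[dll:dll + 13] = b"kernel32.dll\0"
    sec[hint:hint + 14] = b"\0\0CreateFileA\0"            # 2-byte hint + name
    struct.pack_into("<II", sec, ilt, SECT_VA + hint, 0)  # import lookup table (ILT)
    struct.pack_into("<II", sec, iat, SECT_VA + hint, 0)  # import address table (IAT)
    # IMAGE_IMPORT_DESCRIPTOR at 0x80; the all-zero one that follows terminates the list
    struct.pack_into("<IIIII", sec, 0x80, SECT_VA + ilt, 0, 0, SECT_VA + dll, SECT_VA + iat)

    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, SECT_VA)                         # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, 0x200)     # ImageBase, Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                               # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SECT_VA + 0x80, 40)         # DataDirectory[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, SECT_VA, 0x200, SECT_RAW,
                       0, 0, 0, 0, 0x60000020)                       # CODE | EXECUTE | READ
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(SECT_RAW, b"\0") + bytes(sec)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> sections -> import directory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    is64 = magic == 0x20B                     # PE32+ keeps the data directories at +112, PE32 at +96
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize, "flags": flags})

    def rva_to_off(rva: int) -> int:
        # Header fields hold RVAs (virtual); map through the section table to reach file bytes
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s["raw"] + rva - s["va"]
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(off: int) -> str:
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    ptr_fmt, ord_flag = ("<Q", 1 << 63) if is64 else ("<I", 1 << 31)
    imports, desc = {}, (rva_to_off(imp_rva) if imp_rva else None)
    while desc is not None:
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                  # all-zero descriptor ends the table
            break
        funcs, thunk = [], rva_to_off(ilt_rva or iat_rva)  # ILT, or IAT when the ILT is absent
        while (entry := struct.unpack_from(ptr_fmt, data, thunk)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry & ord_flag else cstr(rva_to_off(entry) + 2))
            thunk += struct.calcsize(ptr_fmt)
        imports[cstr(rva_to_off(name_rva)).lower()] = funcs
        desc += 20
    return {"machine": machine, "characteristics": chars, "pe32plus": is64,
            "sections": sections, "imports": imports}


def find_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs, as the `strings` tool reports them (UTF-16 strings need a second pass)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Basic static triage: hashes to pivot on, strings, PE structure and imports."""
    pe = parse_pe(data)
    # A section that is both writable and executable is a classic packer hint
    wx = [s["name"] for s in pe["sections"] if s["flags"] & 0x80000000 and s["flags"] & 0x20000000]
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
            "strings": find_strings(data), "pe": pe, "wx_sections": wx}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

The import walk follows the ILT when present and falls back to the IAT, which is what you need on samples whose linker omitted the ILT; a packed sample typically shows almost no imports here (often just LoadLibrary/GetProcAddress) together with a writable, executable section, which is the cue to move on to the unpacking material later in the course.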
BASIC DYNAMIC ANALYSIS
- Procmon, Regshot, Process Explorer, sandboxes

Practical exercises
- Basic dynamic analysis of the first version of the malware
- Usage of a sandbox

CRASH COURSE IN X86 DISASSEMBLY
- The x86 Architecture

IDA INTRO
- Usage, from loading a binary to extending functions

DEBUGGING
- Basic usage of a debugger (Windows and Linux)

RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY
- Global vs. Local Variables
- Recognizing Loops
- Understanding Function Call Conventions
- Analyzing switch Statements

Practical exercises
- Analysis of the first version of the malware
- Analysis of an ELF file

PACKING AND CLASSIC PATTERNS
- Usual functions and algorithms
- Introduction to packing and unpacking
- Introduction to C++

Practical exercises
- Analysis of small examples
- Unpacking of a new version of the malware

.NET REVERSE ENGINEERING
- Introduction to .NET reverse engineering

Practical exercises
- Analysis of a small .NET executable

UNDERSTANDING MALWARE BEHAVIOUR
- Backdoors (RATs, botnets …), downloaders, launchers, persistence, privilege escalation
- Network signatures (DNS, calling-home functions, intro to Snort/Suricata …)

ANTI-REVERSING
- Anti-debugging
- Anti-virtual machine

Practical exercises
- Analysis of a final version of the malware
- Writing detection rules