Reverse Engineering & Malware Analysis - Intermediate Level

An Intermediate Level Course on Reverse Engineering and Analyzing Malware

Rating: 4.55 (92 reviews)
Platform: Udemy
Language: English
Category: Network & Security
Instructor:
Students: 9,207
Content: 5.5 hours
Last update: Nov 2021
Regular price: $49.99

What you will learn

Types of Malware and Terminologies

Static Analysis

Dynamic Analysis

Assembly Language Refresher and Malicious APIs

API Hooking, Process Hijacking, Dumping Memory

Identifying Standard and Custom Packers

Unpacking Packed Malware

Enumerating Breakpoints and Memory Tracing

Hooking VirtualProtect, VirtualAlloc, GetProcAddress, CreateProcessInternalW and other common APIs

Using Scylla Plugin to Dump Memory, Fixing IAT Tables

Using Delphi Interactive Reconstructor

Dumping Memory from Memory Viewer, Process Hacker and Memory Maps

API Enumeration Count Trick To Know When to Dump

Self-Injection and Remote Thread Injection

Fixing Section Alignments, Unmapping and Re-Basing Dumped Files

and more...

Description

If you already have some basic reverse engineering and malware analysis knowledge and wish to go further, then this course is for you. I will take you from basic to intermediate level in reverse engineering and analyzing malware. You will learn through plenty of practical walk-throughs. The focus of this course is on how to unpack malware. Most modern malware is packed in order to defeat analysis; hence, this Intermediate Level Course provides the knowledge and skills required to unpack it. All the needed tools will be introduced and explained. By the end of this course, you will have intermediate-level malware analysis skills under your belt to further your studies in this field. Even if you do not intend to take up malware analysis as a career, the knowledge and skills gained in reverse engineering and analysis will still help you reverse software in general.

Everything is highly practical. No boring theory or lectures, but walk-throughs which you can replicate and follow along with. We will focus on API hooking, memory analysis and memory tracing to determine where and when to dump memory after a malware sample has unpacked its payload into memory. In this course, we will be using an Oracle virtual machine with Flare-VM installed. Take note that all software used in this course is free.


Topics include:

  1. Types of Malware and Terminologies

  2. Dynamic and Static Analysis

  3. Assembly Language Refresher and Malicious APIs

  4. API Hooking, Process Hijacking, Dumping Memory

  5. Fixing Section Alignments, Unmapping and Re-Basing Dumped Files

  6. Enumerating Breakpoints and Memory Tracing

  7. Hooking VirtualProtect, VirtualAlloc, GetProcAddress, CreateProcessInternalW and other common APIs

  8. Using Scylla Plugin to Dump Memory

  9. Using Delphi Interactive Reconstructor

  10. Dumping Memory from Memory Viewer, Process Hacker and Memory Maps

  11. API Enumeration Count Trick To Know When to Dump

  12. Self-Injection and Remote Thread Injection

  13. and more...


This course is suitable for:

  • Students who have already done a basic level malware analysis course

  • Hackers looking for additional tools and techniques to reverse software

  • Reverse Engineers who want to venture into malware analysis


The prerequisites:

  • Some basics in malware analysis or software reverse engineering.

  • Windows PC with Virtual Machine and Flare-VM Installed.


Note:

If you do not have the basics of malware analysis, it is recommended to take my earlier course first, which is entitled:

Reverse Engineering & Malware Analysis Fundamentals


Go ahead and enroll now. I will see you inside!

Content

Introduction

Introduction

Types of Malware and Malware Analysis Terminologies

Types of Malware
Malware Analysis Terminologies

Lab: Analysis of .NET Trojan Spyware (Info-Stealers)

Dynamic Analysis of .NET Trojan - Part 1
Dynamic Analysis of .NET Trojan - Part 2
Static Analysis of .NET Trojan - Part 1
Static Analysis of .NET Trojan - Part 2

Assembly Language Refresher and Malicious APIs

Assembly Language Refresher
Malicious APIs

API Hooking, Process Hijacking and Dumping Memory

Using API Hooking to Analyze Malware - PandaBanker
Tracing Process Hijacking and Dumping Memory
Fixing Section Alignment, Unmapping, fixing IAT and Re-basing

Lab: Unpacking Emotet Trojan

Unpacking Part 1: Static Analysis of Emotet Trojan
Unpacking Part 2: Debugging of Emotet Trojan to Hunt For Unpacked Code
Unpacking Part 3: Dumping Memory and Unmapping Dumped File

Lab: Unpacking Hancitor Trojan

IDA Static Analysis and xdbg Enumerating Breakpoints
API Hooking and Memory Tracing
Dumping Memory and Unmapping File

Lab: Unpacking Vmprotect Trojan

API Hooking with VirtualProtect, VirtualAlloc and GetProcAddress
Memory Tracing and Scylla Dumping
PE-Studio and Interactive Delphi Reconstructor (IDR)

Lab: Unpacking Trickbot Trojan

Unpacking part 1: API Hooking
Unpacking part 2: Dumping from Memory Map
Unpacking part 3: Un-mapping Dumped File

Lab: Unpacking Dridex Trojan

Dridex - part 1 - Initial Analysis
Dridex - part 2 - API Enumeration Count
Dridex - part 3 - Self-Injection and Process Hacker Dumping
Dridex - part 4 - Unmapping the Dumped File

Lab: Unpacking Ramnit Trojan

Ramnit - part 1 - Using CreateProcessInternalW to Track Child Process
Ramnit - part 2 - Tracking VirtualAlloc to Identify When To Dump
Ramnit - part 3 - Unpacking UPX with CFF Explorer

Lab: Unpacking Remcos Trojan with xdbg and dnSpy

Remcos - part 1 - exploring .NET with xdbg
Remcos - part 2 - CreateProcessInternalW, WriteProcessMemory and NtResumeThread
Remcos - part 3 - Analysis with PE-Bear and PE-Studio
Remcos - part 4 - Unpacking with dnSpy by tracing Invoke

Lab: Unpacking Zloader Trojan

Zloader - part 1 - PE-Studio and API Hooking until VirtualProtect
Zloader - part 2 - Tracing Pointer to Unpacked Code for Dumping
Zloader - part 3 - PE-Studio and PE-Bear Analysis

Resources For Further Study

Bonus Lecture

Reviews

Sekar
May 31, 2022
Thank you Paul for the amazing course. I took both the fundamental and intermediate courses and learned a lot from them.
Jeffrey
October 14, 2021
A great course by a knowledgeable instructor. He is quick to respond if you have any questions about the course.
Francesco
September 10, 2021
As in all his courses, Prof. Chin manages to define the concepts in a clear and concise way. In particular, this course is suitable for those who have a base in Reverse Engineering and Malware Analysis (perhaps after having followed the basic course that the Prof. has published) and for those who want to learn how to unpack software in general. In this case we are talking about malware, but I am sure that these well explained techniques will allow the unpacking of software in general. Absolutely recommended, as well as the basic course! Thank you very much Prof. Paul!
Ronnie
August 17, 2021
Love the video; it's practical and hands-on. This is what security professionals need to help better secure their company.

Coupons

Date        Discount   Status
8/2/2021    100% OFF   expired
10/27/2021  80% OFF    expired
11/16/2021  80% OFF    expired
1/6/2022    80% OFF    expired
4/18/2022   80% OFF    expired
Udemy ID: 4108556
Course created date: 6/8/2021
Course indexed date: 7/22/2021
Course submitted by: Bot