FOR710: Reverse-Engineering Malware: Advanced Code Analysis

  • In Person (5 days)
  • Online
36 CPEs
Developing deep reverse-engineering skills requires consistent practice. FOR710: Reverse-Engineering Malware - Advanced Code Analysis prepares malware specialists to dissect sophisticated Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe. This course not only includes the necessary background and instructor-led walk throughs, but also provides students with numerous opportunities to tackle real-world reverse engineering scenarios during class.

What You Will Learn

As defenders hone their analysis skills and automated malware detection capabilities improve, malware authors have worked harder to achieve execution within the enterprise. The result is malware that is more modular with multiple layers of obfuscated code that executes in-memory to reduce the likelihood of detection and hinder analysis. Malware analysts must be prepared to tackle these advanced capabilities and use automation whenever possible to handle the volume, variety and complexity of the steady stream of malware targeting the enterprise.

FOR710: Advanced Code Analysis continues where FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course leaves off, helping students who have already attained intermediate-level malware analysis capabilities take their reversing skills to the next level. Authored by SANS Certified Instructor Anuj Soni, this course prepares malware specialists to dissect sophisticated Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe.

Developing deep reverse-engineering skills requires consistent practice. This course not only includes the necessary background and instructor-led walk throughs, but also provides students with numerous opportunities to tackle real-world reverse engineering scenarios during class.

“As malware gets more complicated, malware analysis has as well. In recent years, malware authors have accelerated their production of dangerous, undetected code using creative evasion techniques, robust algorithms, and iterative development to improve upon weaknesses. Proficient reverse engineers must perform in-depth code analysis and employ automation to peel back the layers of code, characterize high-risk functionality and extract obfuscated indicators.” – Anuj Soni

FOR710 Advanced Code Analysis Will Prepare You To:

  • Tackle code obfuscation techniques that hinder static code analysis, including the use of steganography.
  • Identify the key components of program execution to analyze multi-stage malware in memory.
  • Locate and extract deobfuscated shellcode during program execution.
  • Develop comfort with non-executable file formats during malware analysis.
  • Probe the structures and fields associated with a PE header.
  • Use WinDBG Preview for debugging and assessing key process data structures in memory.
  • Identify encryption algorithms in ransomware used for file encryption and key protection.
  • Recognize Windows APIs that facilitate encryption and articulate their purpose.
  • Investigate data obfuscation in malware, pinpoint algorithm implementations, and decode underlying content.
  • Create Python scripts to automate data extraction and decryption.
  • Build rules to identify functionality in malware.
  • Use Dynamic Binary Instrumentation (DBI) frameworks to automate common reverse engineering workflows.
  • Write Python scripts within Ghidra to expedite code analysis.
  • Use Binary Emulation frameworks to simulate code execution.

Course Topics:

  • Code deobfuscation
  • Program execution
  • Shellcode analysis
  • Steganography
  • Multi-stage malware
  • WinDbg Preview
  • Encryption algorithms
  • Data obfuscation
  • Python scripting for malware analysis
  • Dynamic Binary Instrumentation (DBI) Frameworks
  • Binary emulation frameworks
  • Payload and config extraction
  • Scripting with Ghidra
  • YARA rules
  • Yara-python
  • SMDA disassebler

What You Will Receive With This Course:

  • Windows 10 VM with pre-installed malware analysis and reversing tools.
  • Real-world malware samples to examine during and after class.
  • Coursebooks and workbook with detailed step-by-step exercise instruction.

Listen to course author Anuj Soni as he provides a course preview in this livestream

Syllabus (36 CPEs)

Download PDF
  • Overview

    Malware authors complicate execution and obfuscate code to hide data, obscure code, and hinder analysis. Using evasion techniques and in-memory execution, malicious developers continue to thwart detection and complicate reverse engineering efforts. To facilitate an in-depth discussion of code deobfuscation and execution, this section first discusses the creative use of steganography to hide malicious content. Then, we discuss the key steps in program execution, so we can identify how code is launched and label functions accordingly. This includes a review of the Windows loader and an inspection of the Portable Executable (PE) file format. Finally, we cover how to analyze shellcode with the support of WinDbg Preview, a powerful Windows debugger.

    Exercises
    • Investigating Code Deobfuscation Using Steganographic Techniques
    • Analyzing Malicious Program Execution
    • Analyzing Shellcode Execution
    Topics
    • Analyzing Code Deobfuscation
      • Common approaches to code obfuscation
      • Steganography approaches
      • Key assembly operations
      • Multi-component malware
      • Windows memory allocation
    • Identifying Program Execution
      • Portable Executable (PE) headers and fields
      • Key steps in program execution
      • Memory-mapped files
      • Entry point identification
    • Understanding Shellcode Execution
      • Identifying and extracting shellcode
      • API hashing
      • The Process Environment Block (PEB) and related structures
      • WinDbg Preview for shellcode analysis
  • Overview

    This section tackles a critical area of reverse-engineering malware: the use of encryption in malware. Cryptography is used by adversaries for a variety of reasons, including to encrypt files, protect keys, conceal configuration settings, and obfuscate command and control (C2) communications. To perform comprehensive investigations of high-impact malware, skillful reverse engineers must be prepared to investigate routines that implement encryption and articulate their purpose.

    Exercises
    • Encryption Essentials Knowledge Quiz
    • Identifying File Encryption and Key Protection in Ransomware
    • Analyzing Data Encryption In Malware
    Topics
    • Encryption Essentials
      • Use cases for crypto usage in malware
      • Symmetric vs. asymmetric encryption
      • Block vs. stream ciphers
      • Modes of operation
      • Common algorithms in malware
      • Microsoft CryptoAPI
    • File Encryption and Key Protection
      • Identifying algorithms in code
      • Common implementations in malware
      • Locating encryption functions
      • Differentiating similar ciphers
    • Data Encryption in Malware
      • Common uses cases for data encryption in malware
      • Symmetric algorithms used for data protection
      • Identifying the cipher
      • Extracting key information
      • Decrypting data
  • Overview

    In this section, we discuss approaches to automating malware analysis. We introduce the Python programming language and write scripts to decrypt configuration data, deobfuscate strings, and extract payloads. We also explore a Dynamic Binary Instrumentation (DBI) framework, and students use this capability to inject and execute code within a process to examine its internals. We write Python scripts to automate the debugging process and dump unpacked code.

    Exercises
    • Automating Config Extraction with Python
    • Automating Payload Extraction with Frida
    Topics
    • Python for Malware Analysis
      • Introduction to Python programming
      • Visual Studio Code
      • Jupyter Notebooks
      • Modules for PE file analysis
      • Config decryption and extraction
    • Malware Analysis with Dynamic Binary Instrumentation (DBI) Frameworks
      • Introduction to DBI frameworks
      • Using DBI frameworks to automate debugging
      • Writing Frida Python scripts to decrypt data and dump code
  • Overview

    In this section, we continue discussing approaches to automating malware analysis. We introduce Ghidra’s API and write Python scripts to accelerate static code analysis. We also examine the value of binary emulation frameworks and use the Qiling framework to simulate execution and deobfuscate code and data.

    Exercises
    • Scripting with Ghidra
    • Emulating Code with Qiling (using Ghidra)
    • Emulating Code with Qiling (using SMDA)
    Topics
    • Automating Analysis within Ghidra
      • Flat and Program APIs

      • Python scripting with Ghidra

      • Automating data deobfuscation

    • Binary Emulation Frameworks

      • Emulating code execution with Qiling

      • Ghidra’s headless analyzer

      • SMDA disassembler

      • Implementing hooks

      • YARA rule development and yara-python

  • Overview

    The final section of this course gives students an opportunity to flex their new knowledge and skills in a more independent, competitive environment. Participants will have extended access (beyond a 5-day live class) to a capture the flag (CTF) platform, where they will attempt a combination of multiple choice and short-answer challenges. Students must recall key concepts and perform workflows discussed in class to successfully navigate the tournament and accumulate points. Whether or not competition motivates you, this section presents an excellent opportunity to analyze real-world, complex malware samples and reinforce your new advanced code analysis skills.

Prerequisites

FOR710 is an advanced level Windows reverse-engineering course that skips over introductory and intermediate malware analysis concepts. This course assumes that students have knowledge and skills equivalent to those discussed in the SANS FOR610 Reverse-Engineering Malware course. Students should have at least six months of experience performing behavioral analysis, dynamic code analysis (i.e., using a debugger), and static code analysis (i.e., analyzing disassembled executable content). In addition, students should have some prior exposure to the Ghidra reverse engineering framework. If you're not familiar with this capability, consider watching this brief introduction by Anuj Soni.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR710 SYSTEM HARDWARE REQUIREMENTS
  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 200GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
MANDATORY FOR710 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download VMware Workstation Pro 17.5.X+ for Windows hosts or VMWare Fusion Pro 13.5.X+ for macOS hosts prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. This course requires a "Pro" version of VMware software. The "Player" versions are not sufficient.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact customer service.

Author Statement

"As malware gets more complicated, malware analysis has as well. In recent years, malware authors have accelerated their production of dangerous, undetected code using creative evasion techniques, robust algorithms, and iterative development to improve upon weaknesses. Proficient reverse engineers must perform in-depth code analysis and employ automation to peel back the layers of code, characterize high-risk functionality and extract obfuscated indicators" - Anuj Soni

Reviews

I really enjoyed this course. I felt that it was a good and logical next step after taking FOR610. The material made sense and was relevant to what I see at work every day.
Daniel R.
CrowdStrike
I was recently named our IR lead, and coming from purple teaming/pentesting I needed the content of this course to make meaningful improvements to the program. I feel well prepared to tackle the challenges ahead now
Ryan M.
The labs and exercises for the automation were excellent and really showed off what is needed to perform RE through automation.
Daniel T.
DOJ

    Register for FOR710

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...