Course Description

This course is a direct follow-on to our Crash Course In Assembly For Malware Reverse Engineers class.  It consists of several capstone scenario labs for you to work through and practice analyzing malicious assembly code.  The capstone scenarios are more than a set of skills for you to work on.  Each lab consists of a scenario that sets up a problem, and then has multiple objectives for you to complete to solve the problem.  There is no one right way to obtain your objectives and it’s up to you to decide on the best approach.  All of the detailed lab answers are delivered by a video walkthrough of one possible solution so you can compare your approach with that of an experienced analyst.

Each lab is designed to test the skills required to analyze real malware.  There is a small step up in difficulty from our AFMRE capstone lab.  There is no guided walkthrough so it will be up to you to devise the analysis approach.  

The samples are contrived and not live malware, but they are fully designed using common malicious techniques.  The only difference between these binaries and real malware is the complexity.  To allow optimal learning at this early stage, a few steps have been taken.  

The assembly has been modified to reduce compiler optimizations so you can focus on the basic instructions and not get stuck on unusual optimizations.  Much of the extraneous capabilities have been stripped out so that you don’t get overwhelmed. There will still be functions and code included that aren’t necessary to understand for completing the objectives, but the amount will be limited.  Finally, some functions may be labeled to provide important context, allowing you to focus on the learning objectives instead of recognizing every function.

What You’ll Learn

Upon completion of the course, students will have learned how to:

  • Identify locations of interest based on analysis goals

  • Trace variable usage throughout a program

  • Recognize indirect references to arrays

  • Use context to make informed hypotheses

  • Reverse engineer straight forward cryptographic algorithms

Student Prerequisites

Students should have taken our Assembly For Malware Reverse Engineers course.

Alternatively, you need to have a basic understanding of reading assembly, the general analysis process for statically analyzing malicious assembly code, and you should be familiar with using Ghidra, the free disassembler.  All lab files are delivered as saved Ghidra files.

This course does not provide the educational background needed to analyze malicious assembly code or use Ghidra.  It is expected students have already obtained this from previous courses.

Hardware Requirements

Students will need a 64 bit computer with:

  • A virtualization program installed (VirtualBox, VMWare, etc.)

  • The latest version of the free disassembler Ghidra installed

Information for obtaining a free analysis lab is provided in the course if you don’t have existing VM’s.

Course curriculum

  • 1

    Getting Started

    • How To Build An Analysis Lab

  • 2

    Getting Started with Ghidra

    • Using Ghidra

    • Configuring Ghidra User Settings

    • Ghidra Analysis Scripts

    • Ghidra Graph View vs Decompile View

    • Ghidra Overview

    • Ghidra Downloads

  • 3

    Lab 1: Stolen Credentials

    • Lab Guide

    • Lab Starting FIle

    • Written Solutions - Short Answers

    • Video Walkthrough

  • 4

    Lab 2: Infinite C2 Domains

    • Lab Guide

    • Lab Starting File

    • Written Solutions - Short Answers

    • Video Walkthrough

  • 5

    Lab 3: Deciphering a File Structure

    • Lab Guide

    • Lab Starting File

    • Written Solutions - Short Answers

    • Video Walkthrough

  • 6

    Lab 4: Triggering Self-Destruct

    • Lab Guide

    • Lab Starting File

    • Written Solutions - Short Answers

    • Video Walkthrough