Windows Malware Analysis for Hedgehogs - Beginner Training
What you'll learn
- Triage and reverse engineering of potentially malicious samples
- Determine if a file is malicious, clean, potentially unwanted, grayware, corrupt or junk
- Write malware reports
- Know the common types of malware and how to identify them
- Know how and when to use a disassemblers, debuggers, meta data viewers
- Identify malware families
- Windows internals necessary for malware analysis, e.g., Windows registry
- Packer types, identification, basics of unpacking
- Analysis of native and .NET executables, installers, wrappers, scripts
- Basics of disinfection
- You know how to program in at least one language (e.g. Python, C, C#, Java, ...)
- You are able to read x86 assembly
This course teaches more than just reverse engineering because as a malware analyst you need a variety of other skills. You will learn how to classify samples into malware types, how to identify malware families and how to determine file verdicts like clean, malicious, potentially unwanted programs, junk, grayware, or corrupt. Additionally, you will learn how malware persists, how to identify malicious autostart entries and clean infected systems.
The course aims to dispel common myths such as "trojan in a detection name means the file is a trojan horse" or "antivirus detection names are a malware classification".
As a malware analyst with experience working at an antivirus company since 2015, I have trained many beginners in the field. I understand the usual pitfalls and the concepts that you need to grasp to become proficient. I focus on building strong foundations that make you flexible in the face of new malware advancements, rather than providing shortcuts with step-by-step recipes.
I will teach you how to differentiate between different types of files, including installers, wrappers, packed files, non-packed files, hybrid, and native compiled files. You will learn which tools to apply in which situations and how to analyse samples efficiently. To do that I give you example approaches that work for most situations.
This course is ideal for you if you already have some IT background, such as hobby or professional programmers, computer enthusiasts, administrators, computer science students, or gamers with an interest in the inner workings of software or IT security.
If you have a strong interest in the topic but lack the necessary IT background, I recommend that you learn programming first. Please refer to the course requirements for more information.
All the tools and web services that we use during the course are free:
PortexAnalyzer CLI and GUI
VirusTotal (without account)
Speakeasy by Mandiant
C# Online Compiler programwiz
You should have a strong understanding of at least one programming language, such as Python, C, C++, Java, or C#. This is a crucial requirement for the course, not only because we create small scripts during the course but because reverse engineering needs an understanding of software as foundation. The specific language does not matter, as you cannot learn every language you may encounter during analysis anyways. The concepts of programming must be clear, though.
If you are not there yet, you should not buy this course and start learning C instead. C is great because it is low-level and will integrate well with x86 assembly language.
Additionally, you must be able to read (not write) x86 assembly to understand everything in the course. Without assembly you will only be able to understand two-thirds of the content. So if you consider starting this course right away and learning assembly alongside it, that should work fine.
During this course we look at samples that use the following execution environments:
x86, x64 assembly
However, you do not need to learn all of these languages. Because an analyst encounters new languages all the time, your skillset is rather in using the available documentation, manuals and help provided for those environments and languages. I also show you during the course how to use the documentation for ,e.g., PowerShell.
Out of scope
Malware analysis is a broad field, so there are inevitably topics that I will not teach during this course because they would rather require their own course. Some of these topics are: assembly language, programming, how computers work, URL and website analysis, networks, analysis of malware for other platforms than Windows, mobile malware, IoT malware.
Who this course is for:
- ideal for people with some IT experience or IT enthusiasts who are beginners in malware analysis and reverse engineering
- entry-level or aspiring malware analysts
- computer science graduates
- software developers
- SOC analysts
- hobby programmers
I've been fighting malware professionally since 2015 at an antivirus company, where I work on improving antivirus and mEDR protection. I hold a master's degree in computer science and have a passion for malware analysis.
My interest in malware analysis began as a teenager when my computer was infected, and I received help from strangers on the internet to remove it. Their skills and knowledge intrigued me, and I was fascinated by viruses, which seemed like artifical life to me. Alongside writing my master's thesis on malware detection, I completed a one-year training in malware removal and became a volunteer helper for system disinfection myself.
Every day, more and more people were seeking help for malware infections and we struggled to keep up. It was especially disheartening when dealing with ransomware, where the damage was often irreversible. I realized that I wanted to do more than just help people after their systems were infected; I wanted to prevent infections from happening in the first place. That's why I decided to shift my focus towards more holistic goals: Providing people with the knowledge and tools to help themselves and others.