
Real life - real solutions changed the way I look at security.
-Richard B. Williams, US Army ALTESS

SECURITY 610

Reverse-Engineering Malware: Malware Analysis Tools and Techniques

6 CPE Credits Per Day

SEC610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques offers the full course with the option to add a certification attempt.
SEC601: Reverse-Engineering Malware: The Essentials of Malware Analysis is days 1 & 2 of SEC610.
SEC602: Reverse-Engineering Malware: Additional Tools and Techniques is days 3 & 4 of SEC610.

Regarding Reverse Engineering, the person who authorized my trip to take the course said, 'That investment has already paid for itself.' -Chet Langin, Information Security Analyst, Southern Illinois University


Expand your capacity to fight malicious code by learning how to analyze bots, worms, and trojans. This recently-expanded four-day course discusses practical approaches to examining malware using a variety of system monitoring utilities, a disassembler, a debugger, and other tools useful for reverse-engineering malicious software. You don't have to be a full-time malware searcher to benefit from this course — as organizations increasingly rely on their staff to act as first responders during a security incident, malware analysis skills become increasingly important.

By covering both behavioral and code analysis approaches, this unique course provides a rounded approach to reverse-engineering. As a result, the course makes malware analysis accessible even to individuals with a limited exposure to programming concepts. The materials do not assume that the students are familiar with reverse-engineering; however, the difficulty level of concepts and techniques increases quickly as the course progresses.

In the first half of the course, the instructor explains how to set up an inexpensive and flexible laboratory for understanding the inner workings of malware, and demonstrates the process by exploring the capabilities of real-world specimens. You will learn to examine a program's behavioral patterns and assembly code, and study techniques for bypassing common code obfuscation mechanisms. The course also takes a look at analyzing browser-based malware.

In the second half of the course, you will review key assembly language concepts. You will focus on static code analysis, learning to examine malicious code to understand its flow by identifying key logic structures and patterns, looking at examples of bots, rootkits, key loggers, and so on. You will understand how to work with PE headers and handle DLL interactions. Next, you will develop skills for analyzing self-defending malware through unpacking techniques and bypassing code-protection mechanisms. Finally, you will discover how to bypass obfuscation techniques employed by browser-based malicious scripts.

Hands-on workshop exercises are an essential aspect of this course, and allow you to apply reverse-engineering techniques by examining malicious code in a carefully-controlled environment. When performing the analysis, you will study the supplied specimens' behavioral patterns, and examine key portions of their assembly code.

  • Who Should Attend
    • You will benefit from this course if your job ever requires you to understand key aspects of malicious programs.
    • Individuals who found this course particularly useful often had responsibilities in the areas of incident handling, forensic analysis, Windows security, and system administration.
    • Attendees of this course often focus on supporting their organizations' internal security needs. The class also frequently includes engineers from security product and service companies who are looking to deepen their malware analysis expertise.
  • Topics Covered by the Course Include
    • Configuring the laboratory environment
    • Assembling the analysis toolkit
    • Performing behavioral and code analysis
    • Bypassing authentication mechanisms
    • Reverse-engineering protected executables
    • Intercepting network connections
    • Patching compiled executables
    • Examining shellcode
    • Malware analysis shortcuts
    • Core code reversing concepts
    • Assembly language primer
    • Identifying assembly logic structures
    • Reversing seen in common malware categories
    • Working with PE headers
    • Handling DLL interactions and API hooking
    • Packer identification
    • Manual and automated unpacking
    • Bypassing code-defense mechanisms
    • Analyzing advanced browser malware
  • You Will Learn to Analyze Malware Using Tools Such As
    • System Monitor, Process Explorer, Regshot
    • BinText, LordPE, FireBug, VMware
    • IDA Pro, OllyDbg, OllyDump, OllyScript
    • Rhino, Malzilla, SpiderMonkey
    • Microsoft Script Editor, Microsoft Script Debugger
    • Snort, NetCat, Honeyd, fakeDNS
  • Prerequisites
    • Students should have a computer system that matches the stated laptop requirements: some software needs to be installed before you come to class.
    • Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.
SECURITY 610 :: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
  • SANS Network Security 2008, Las Vegas, NV: September 28, 2008 - October 06, 2008
  • SANS Cyber Defense Initiative 2008, Washington, DC: December 10, 2008 - December 16, 2008
  • SANS WhatWorks Summit in Forensics and Incident Response, Las Vegas, NV: October 10, 2008 - October 20, 2008
  • Mentor Session - Security 610, São Paulo, Brazil: September 01, 2008 - September 04, 2008
  • Mentor Session - Security 610, Toronto, ON: December 17, 2008 - March 04, 2009
  • SANS OnDemand, Online: Anytime