The most trusted source for computer security training, certification and research.



San Francisco, CA - March 12 - 17, 2007
Global Information Assurance Certification

SANS gives real world examples of tools and how to use them.
-Nichole Kennedy, OKDOC

SECURITY 601

Reverse-Engineering Malware - Hands-On

Thursday, March 15, 2007 - Friday, March 16, 2007 : 9am - 5pm
Stephen Sims, SANS Certified Instructor
6 CPE Credits Per Day

Promo Trailer for the REM Course on YouTube

Please note that SEC601 Reverse Engineering Malware alumni will receive a 50% discount when registering for the entire SEC610 course. Please contact tuition@sans.org to receive your discount code.

SEC610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques offers the full course with option to add a certification attempt.
SEC601: Reverse-Engineering Malware: The Essentials of Malware Analysis is days 1 & 2 of SEC610.
SEC602: Reverse-Engineering Malware: Additional Tools and Techniques is days 3 & 4 of SEC610.

Regarding Reverse Engineering, the person who authorized my trip to take the course said, 'That investment has already paid for itself.' -Chet Langin, Information Security Analyst, Southern Illinois University


Expand your capacity to fight malicious code by learning how to analyze viruses, worms, and trojans. This two-day course discusses the essential techniques for examining malware using a variety of system monitoring tools, a disassembler, and a debugger. Although it is an advanced course, it does not assume that the students are familiar with malware analysis; however, the difficulty level of concepts and techniques increases quickly as the course progresses.

This course covers essential aspects of reverse-engineering malicious code. The instructor explains how to set up an inexpensive and flexible laboratory for understanding the inner workings of malware, and demonstrates the process by exploring the capabilities of real-world specimens. You will learn to examine the program's behavioral patterns and assembly code, and study techniques for bypassing common code obfuscation techniques. The course also takes a look at analyzing browser-based malware.

Hands-on workshop exercises are an essential part of this course, and allow you to apply reverse-engineering techniques by examining malicious code in a carefully controlled environment. When performing the analysis, you will study the program's behavioral patterns, and examine key portions of its assembly code.

  • Who Should Attend
    • Individuals responsible for protecting the organization from malicious code
    • Anyone who is curious about the inner workings of malicious code
  • Prerequisites
    • Students should have a computer system that matches the laptop requirements note (some software needs to be installed before you come to class).
    • Students should be familiar with using Windows and Linux operating environments, and with troubleshooting general connectivity and setup issues.
    • Students should have a general understanding of programming concepts such as stacks and function calls.
  • Topics Covered by the Course Include
    • Configuring the laboratory environment
    • Assembling the analysis toolkit
    • Performing behavioral and code analysis
    • Bypassing authentication mechanisms
    • Examining protected executables
    • Intercepting network connections
    • Patching compiled executables
    • Analyzing browser-based malware
  • You Will Learn How To Reverse-Engineer Malicious Software Using Tools Such As
    • System Monitor, Process Explorer, Regshot
    • BinText, LordPE, FireBug
    • VMware, IDA Pro, OllyDbg
    • Snort, NetCat, Honeyd, fakeDNS

The instructors are very knowledgeable, humorous, and give excellent resources/tools I never knew of, but can use to help enhance my security skills.
-LaTrease Coleman, Vanguard Group