SECURITY 602

Reverse-Engineering Malware: Additional Tools and Techniques

6 CPE Credits Per Day

Regarding Reverse Engineering, the person who authorized my trip to take the course said, 'That investment has already paid for itself.' -Chet Langin, Information Security Analyst, Southern Illinois University


Deepen your understanding of malware analysis tools and approaches with this two-day course, building upon the concepts covered in SEC601: Reverse Engineering Malware: The Essentials of Malware Analysis.

You will begin this course by reviewing key assembly language concepts. You will focus on static code analysis, learning to examine malicious code to understand its flow by identifying key logic structures and patterns, looking at examples of bots, rootkits, key loggers, and so on. You will understand how to work with PE headers and handle DLL interactions. Next, you will develop skills for analyzing self-defending malware through unpacking techniques and bypassing code-protection mechanisms. Finally, you will discover how to bypass obfuscation techniques employed by browser-based malicious scripts.

This course explores tools and techniques for examining the inner workings of malicious software, building upon fundamental malware analysis concepts. You should already understand the fundamentals of reverse-engineering malware, and must be able to perform the key behavioral and code analysis tasks covered in the companion course SEC601.

Hands-on workshop exercises are an essential aspect of this course, and allow you to apply reverse-engineering techniques by examining malicious code in a carefully controlled environment. When performing the analysis, you will study the supplied specimen's behavioral patterns and examine key portions of its assembly code.

  • Who Should Attend
    • You will benefit from this course if your job ever requires you to understand key aspects of malicious programs.
    • Individuals who found this course particularly useful often had responsibilities in the areas of incident handling, forensic analysis, Windows security, and system administration.
    • Attendees of this course often focus on supporting their organizations’ internal security needs. The class also frequently includes engineers from security product and service companies who are looking to deepen their malware analysis expertise.
    • Individuals who attend this class already understand essential reverse-engineering concepts related to behavioral and code analysis of malware.
  • Topics Covered by the Course Include
    • Core code reversing concepts
    • Assembly language primer
    • Identifying assembly logic structures
    • Reversing seen in common malware categories
    • Working with PE headers
    • Handling DLL interactions and API hooking
    • Packer identification
    • Manual and automated unpacking
    • Bypassing code-defense mechanisms
    • Analyzing advanced browser malware
  • You Will Learn to Get the Most out of Tools Such as
    • IDA Pro, OllyDbg, OllyDump, OllyScript, LordPE
    • Rhino, Malzilla, SpiderMonkey
    • Microsoft Script Editor, Microsoft Script Debugger
  • Prerequisites
    • Students should have a computer system that matches the stated laptop requirements: some software needs to be installed before you come to class.
    • Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.
    • Students should have a solid understanding of essential behavioral and code malware analysis techniques.
