Introduction
The course equips students with the knowledge and skills needed for malware analysis, from basic concepts to advanced techniques. The main content covers the classification of malware; the characteristics, structures, behaviors, and concealment mechanisms malware commonly uses; and methods for detecting, analyzing, and handling malware. Specifically:
– Overview of malware detection and tracing techniques, as well as static analysis, dynamic analysis, and network behavior analysis methods.
– Camouflage and concealment techniques such as anti-VM and anti-debug, helping students understand how malware commonly evades detection.
– Tools, methods, and practical skills needed to perform effective malware analysis.
After completing the course, students will clearly understand the malware analysis process, use the tools of the trade proficiently, and have accumulated further practical skills. Students will also gain a deeper understanding of CPU architecture and the operating principles of operating systems such as Windows and Linux. In addition, students will be trained in using virtualization software such as VMware and VirtualBox, and in installing, configuring, and setting up an analysis environment on both operating systems.
Content
| Day | Session | Content |
|---|---|---|
| Day 1 | Morning | I. Overview: 1. Concept of malware; 2. Classification of malware; 3. Ways of spreading malware. II. Methods of analyzing malware: 1. Static analysis; 2. Dynamic analysis; 3. Automatic analysis |
| Day 1 | Afternoon | Practice 1: Setting up a Malware Analysis Environment: 1. Windows Operating System; 2. Linux Operating System |
| Day 2 | Morning | III. Static Malware Analysis: 1. Concepts and Tools; 2. Static Analysis Process; 3. Some Static Analysis Techniques |
| Day 2 | Afternoon | Exercise 2: Static Malware Analysis: 1. Deploy and Install the Tool; 2. Perform the Analysis |
| Day 3 | Morning | I. Reverse Engineering: 1. CPU Architecture and Basic Operating Principles; 2. Software RE: Concepts and Applications; 3. Assembly Language; 4. Tools Used in Software RE |
| Day 3 | Afternoon | Practice 3: Software RE Tools: 1. Deploy and Install the Tool; 2. Perform the Analysis |
| Day 4 | Morning | I. Overview of Windows executable programs: 1. Windows system architecture (system architecture, threads, processes, memory management, registry); 2. PE file structure (PE file format, PE header and sections); 3. Execution mechanism in Windows (Windows loader, Windows API, IAT, import and export functions); 4. PE file management (PE files on disk and in memory) |
| Day 4 | Afternoon | Practice 4: File Analysis on Windows: 1. Deploy and Install Process and Memory Monitoring Tools; 2. Perform PE File Analysis |
| Day 5 | Morning | VI. Dynamic Malware Analysis: 1. Concepts and Tools; 2. Common Dynamic Analysis Techniques; 3. Dynamic Analysis Process; 4. Dynamic Analysis in Virtual Environments (Sandbox, Emulation) |
| Day 5 | Afternoon | Practice 5: Dynamic Malware Analysis: 1. Deploy the tool; 2. Perform analysis in a sandbox environment |
| Day 6 | Morning | VII. Some Anti-RE techniques: 1. Serial number bypass technique; 2. Byte patching technique; 3. Obfuscation technique; 4. Anti-debug technique; 5. Anti memory dumping technique; 6. Anti-VM technique |
| Day 6 | Afternoon | Practice 6: Analysis of some Anti-RE techniques: 1. Deployment and installation of tools; 2. Byte patching techniques; 3. Obfuscation techniques; 4. Anti-debug, Anti-VM techniques |
| Day 7 | Morning | VIII. Advanced static malware analysis: 1. x86 and x64 architectures; 2. Disassemblers and decompilers; 3. Advanced analysis techniques with the IDA disassembler |
| Day 7 | Afternoon | Practice 7: Advanced Static Malware Analysis: 1. Installing and Configuring IDA; 2. Advanced Static Analysis Using Reverse Engineering |
| Day 8 | Morning | IX. Advanced Dynamic Malware Analysis: 1. Introduction to Debuggers; 2. Debugging in User Mode and Kernel Mode; 3. Introduction to Packing/Unpacking (using Automated Tools); 4. Some Code Injection and Hooking Techniques; 5. Dynamic Malware Analysis Using OllyDbg |
| Day 8 | Afternoon | Practice 8: Advanced Dynamic Malware Analysis: 1. Practice Pack/Unpack (using automated tools); 2. Extract packed malware from memory; 3. Analyze fileless malware; 4. Analyze obfuscated malware; 5. Analyze multi-technology malware |
| Day 9 | Morning | I. AI technology in static analysis: 1. Introduction to AI, ML, DL, LLM technology and applications to information security problems; 2. Malware analysis process using AI technology (collecting malware and extracting features, representing malware data, building AI models, testing and evaluating the performance of AI models); 3. Application of CNN models in static analysis (PE header, bytecode, opcode) |
| Day 9 | Afternoon | Practice 12: AI in Static Analysis: 1. Deep learning model (CNN) in static analysis; 2. Testing and evaluating the effectiveness of the model |
| Day 10 | Morning | II. AI Technology in Dynamic Analysis: 1. Sequence2sequence (DGA) Model; 2. Graph Neural Network (Network Traffic) Model |
| Day 10 | Afternoon | Practice 13: AI in Dynamic Analysis: 1. Sequence2sequence Model; 2. Graph Neural Networks |
| Day 11 | Morning | XII. Incident Handling Practice: 1. Incident Handling and Threat Hunting Procedures; 2. Incident Handling and System Recovery Drills |
| Day 11 | Afternoon | Presentation on mini projects |
| Day 12 | Morning | Course Exam |
| Day 12 | Afternoon | Course Summary and Closing |