SANS FOR710 – Reverse-Engineering Malware – Advanced Code Analysis
English | Tutorial | Size: 17.01 GB
FOR710: Reverse-Engineering Malware – Advanced Code Analysis prepares malware specialists to dissect sophisticated Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe. This course not only includes the necessary background and instructor-led walk throughs, but also provides students with numerous opportunities to tackle real-world reverse engineering scenarios during class.
What You Will Learn
As defenders hone their analysis skills and automated malware detection capabilities improve, malware authors have worked harder to achieve execution within the enterprise. The result is malware that is more modular with multiple layers of obfuscated code that executes in-memory to reduce the likelihood of detection and hinder analysis. Malware analysts must be prepared to tackle these advanced capabilities and use automation whenever possible to handle the volume, variety and complexity of the steady stream of malware targeting the enterprise.
FOR710: Advanced Code Analysis continues where FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course leaves off, helping students who have already attained intermediate-level malware analysis capabilities take their reversing skills to the next level. Authored by SANS Certified Instructor Anuj Soni, this course prepares malware specialists to dissect sophisticated Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe.
Developing deep reverse-engineering skills requires consistent practice. This course not only includes the necessary background and instructor-led walk throughs, but also provides students with numerous opportunities to tackle real-world reverse engineering scenarios during class.
“As malware gets more complicated, malware analysis has as well. In recent years, malware authors have accelerated their production of dangerous, undetected code using creative evasion techniques, robust algorithms, and iterative development to improve upon weaknesses. Proficient reverse engineers must perform in-depth code analysis and employ automation to peel back the layers of code, characterize high-risk functionality and extract obfuscated indicators.” – Anuj Soni
FOR710 Advanced Code Analysis Will Prepare You To:
Tackle code obfuscation techniques that hinder static code analysis, including the use of steganography.
Identify the key components of program execution to analyze multi-stage malware in memory.
Locate and extract deobfuscated shellcode during program execution.
Develop comfort with non-executable file formats during malware analysis.
Probe the structures and fields associated with a PE header.
Use WinDBG Preview for debugging and assessing key process data structures in memory.
Identify encryption algorithms in ransomware used for file encryption and key protection.
Recognize Windows APIs that facilitate encryption and articulate their purpose.
Investigate data obfuscation in malware, pinpoint algorithm implementations, and decode underlying content.
Create Python scripts to automate data extraction and decryption.
Build rules to identify functionality in malware.
Use Dynamic Binary Instrumentation (DBI) frameworks to automate common reverse engineering workflows.
Write Python scripts within Ghidra to expedite code analysis.
Use Binary Emulation frameworks to simulate code execution.
Course Topics:
Code deobfuscation
Program execution
Shellcode analysis
Steganography
Multi-stage malware
WinDbg Preview
Encryption algorithms
Data obfuscation
Python scripting for malware analysis
Dynamic Binary Instrumentation (DBI) Frameworks
Binary emulation frameworks
Payload and config extraction
Scripting with Ghidra
YARA rules
Yara-python
SMDA disassembler
What You Will Receive With This Course:
Windows 10 VM with pre-installed malware analysis and reversing tools.
Real-world malware samples to examine during and after class.
Coursebooks and workbook with detailed step-by-step exercise instruction.
Syllabus (36 CPEs)
FOR710.1: Code Deobfuscation and Execution
FOR710.2: Encryption in Malware
FOR710.3: Automating Malware Analysis
FOR710.4: Automating Malware Analysis (Continued)
FOR710.5: Advanced Malware Analysis Tournament (Extended Access)
Prerequisites
FOR710 is an advanced level Windows reverse-engineering course that skips over introductory and intermediate malware analysis concepts. This course assumes that students have knowledge and skills equivalent to those discussed in the SANS FOR610 Reverse-Engineering Malware course. Students should have at least six months of experience performing behavioral analysis, dynamic code analysis (i.e., using a debugger), and static code analysis (i.e., analyzing disassembled executable content). In addition, students should have some prior exposure to the Ghidra reverse engineering framework. If you’re not familiar with this capability, consider watching this brief introduction by Anuj Soni.
Laptop Requirements
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
This is common sense, but we will say it anyway: Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can’t be responsible for your system or data.
MANDATORY FOR710 SYSTEM HARDWARE REQUIREMENTS:
CPU: a 64-bit Intel i5/i7 (4th generation or newer) x64 processor running at 2.0 GHz or faster is mandatory for this class. Important – Please Read: a 64-bit system processor is mandatory.
CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machines will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
BIOS settings must be set to enable virtualization technology, such as “Intel-VT”. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it before class!
16 GB (Gigabytes) of RAM or higher is mandatory for this class. Important – Please Read: 16 GB of RAM is the mandatory minimum.
USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. Therefore, a Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices – test your system with a USB drive before class to ensure you can load the course data.
200 Gigabytes of Free Space on your System Hard Drive. Free Space on Hard Drive is critical to host the VMs we distribute.
Local Administrator access is required. This is absolutely required. Don’t let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
Wi-Fi 802.11 capability is mandatory. You’ll need to connect to an in-class Wi-Fi network when participating in this course at a live event. Without working Wi-Fi, you’ll be unable to participate in important aspects of the course.
MANDATORY FOR710 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS:
Host Operating System: Your system must be running either Windows 10 Pro, Linux or macOS 10.14 or later that also can install and run VMware virtualization products described below.
It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
Download and install 7-Zip (for Windows Hosts) or Keka (macOS). Without these extraction tools, you’ll be unable to extract large archives we’ll supply to you in class.
INSTALL VMWARE “PRO” SOFTWARE:
Download and install the latest version of VMware Workstation Pro or VMware Fusion Pro before class. Our students have experienced compatibility issues between VMware and the latest underlying OS unless they were also using the latest version of VMware. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
You must get the versions of the products that have “Pro” in their name. The free non-Pro versions of these products (e.g., VMware Workstation Player) are not sufficient for this course because they do not support snapshot functionality, which we will need to use.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they’re enabled on your system, by following instructions from VMware.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 – 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.