CNIT 126: Practical Malware Analysis

Fall 2020 Sam Bowne

78188 Tue 6:10 - 9 PM

Class meets Tuesday evenings
at 6:10 PM Pacific Time

https://zoom.us/j/4108472927

Password: student1

Free Textbook Access

  • Go here
  • Click "Safari Online"
  • In the "Select your Institution" drop-down list box, click "Not listed? Click here"
  • Enter your CCSF email address
  • Enter the book's title in the "Find a Solution..." field

Catalog Description

Learn how to analyze malware, including computer viruses, trojans, and rootkits, using disassemblers, debuggers, static and dynamic analysis, using IDA Pro, OllyDbg and other tools.

Advisory: CS 110A or equivalent familiarity with programming

Upon successful completion of this course, the student will be able to:
  1. Describe types of malware, including rootkits, Trojans, and viruses.
  2. Perform basic static analysis with antivirus scanning and strings
  3. Perform basic dynamic analysis with a sandbox
  4. Perform advanced static analysis with IDA Pro
  5. Perform advanced dynamic analysis with a debugger
  6. Operate a kernel debugger
  7. Explain malware behavior, including launching, encoding, and network signatures
  8. Understand anti-reverse-engineering techniques that impede the use of disassemblers, debuggers, and virtual machines
  9. Recognize common packers and how to unpack them

Textbook

"Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901 Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

CCSF students should take quizzes in the CCSF online Canvas system: https://ccsf.instructure.com/

Non-CCSF students: Enroll Here (reset password, if needed)

Discussion Board

Each CCSF student must contribute to the Discussion Board in Canvas. The schedule lists the dates on which each Discussion assignment is due.

For the topics and requirements, see the Discussion board in Canvas.

Live Streaming

Live stream at:

https://zoom.us/j/4108472927

Classes will also be recorded and published on YouTube for later viewing.

Email

For class-related questions, please send messages inside Canvas or email
cnit.126sam@gmail.com

Schedule (may be revised)

Note: Chapter Numbers are one too high in the E-Book
Chapter 0 is mislabelled as Chapter 1, etc.
Tue 8-18
  Topic: 0: Malware Analysis Primer & 1: Basic Static Techniques

Tue 8-25
  Quiz: Ch 0-1 *
  Quiz: Ch 2-3 *
  Due: Proj 30 or 20 *
  Topic: 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis

Tue 9-1
  Quiz: Ch 4 *
  Due: Proj 101 & 102 *
  Topic: 4: A Crash Course in x86 Disassembly

Fri 9-4
  Last Day to Add Classes

Tue 9-8
  Quiz: Ch 8
  Due: Proj 201 (if using a local VM)
  Topic: 8: Debugging

Tue 9-15
  Quiz: Ch 9
  Due: Proj 221 & 301
  Topic: 9: OllyDbg

Tue 9-22
  Quiz: Ch 5
  Due: Proj 401; Discussion 1
  Topic: 5: IDA Pro

Tue 9-29
  Quiz: none
  Due: Proj 110; Discussion 2
  Topic: More about file headers and DLLs, and the Assembler CTF

Tue 10-6
  Quiz: Ch 6
  Due: Proj 402; Discussion 3
  Topic: 6: Recognizing C Code Constructs in Assembly

Tue 10-13
  Quiz: Ch 7
  Due: Proj 303 or 303c; Discussion 4
  Topic: 7: Analyzing Malicious Windows Programs

Tue 10-20
  Quiz: Ch 10
  Due: Proj 304; Discussion 5
  Topic: 10: Kernel Debugging with WinDbg

Tue 10-27
  Quiz: Ch 11
  Due: Proj 410c or 410; Discussion 6
  Topic: 11: Malware Behavior

Tue 11-3
  Quiz: none
  Due: No Proj; Discussion 7
  Guest talk: "In Space, No One Can Hear You Hack" by Kaitlyn Handelman, Security Engineer, NTT Data. Talk will not be recorded; it must be viewed live.

Tue 11-10
  Quiz: Ch 12
  Due: Discussion 8
  Topic: 12: Covert Malware Launching

Tue, Nov 17, 6 PM
  Guest talk: Kippy McGehee Arcara, awesome Security program manager, and Jenn Mvongo, product security at Qualcomm. This talk is less hardcore technical, and more about how to run the programs that Cybersecurity desperately needs.

Tue 11-24
  Quiz: Ch 13
  Due: Proj 420 & 421; Discussion 9
  Topic: 13: Data Encoding

Tue 12-1
  Quiz: Ch 14
  Due: Discussion 10
  Topic: 14: Malware-Focused Network Signatures

Tue 12-8
  Quiz: none
  Due: All Extra Credit
  Last Official Class Meeting
  Topic: 15: Anti-Disassembly

Tue, Dec 15, 6 PM
  Guest talk: Anna Fita, counter intelligence at the FBI, and Doc McConnell, Cybersecurity Policy Advisor for the Office of Management and Budget. Government jobs and interesting stories. Will be recorded and posted on YouTube.

Fri 12-11 - Fri 12-18
  Final Exam available online throughout the week. You can only take it once.

All quizzes due 30 min. before class
* No late penalty until 9-8

Lecture Notes

Policy (pdf)
Syllabus (pdf)

Basic Analysis

0: Malware Analysis Primer & 1: Basic Static Techniques · KEY · PDF
2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis · KEY · PDF

Advanced Static Analysis

4: A Crash Course in x86 Disassembly · KEY · PDF
5: IDA Pro · KEY · PDF
6: Recognizing C Code Constructs in Assembly · KEY · PDF
7: Analyzing Malicious Windows Programs · KEY

Advanced Dynamic Analysis

8: Debugging · KEY
9: OllyDbg · KEY
10: Kernel Debugging with WinDbg (Updated for 2019) · KEY · PDF

Malware Functionality

11: Malware Behavior · KEY · PDF
12: Covert Malware Launching · KEY · PDF
13: Data Encoding · KEY · PDF
14: Malware-Focused Network Signatures · KEY

Anti-Reverse-Engineering

15: Anti-Disassembly · KEY
16: Anti-Debugging
17: Anti-Virtual Machine Techniques
18: Packers and Unpacking

Special Topics

19: Shellcode Analysis
20: C++ Analysis
21: 64-Bit Malware

Review Questions

Click a lecture name to see it on SlideShare.
If you want to use other formats, you may find this useful:
Cloud Convert.

Projects

Submitting Projects

CCSF students must do these things to get credit:

  • Perform the project steps until you find a flag
  • Capture a whole-desktop image showing the flag
  • Submit the image in the appropriate Project in Canvas
  • Type the flag into the text field

Cloud-Based (Recommended)

PMA 30: Windows 2016 Cloud Machine for Malware Analysis (15 pts)

PMA 101c: Basic Static Techniques (20 pts + 30 pts extra)
PMA 102c: Unpacking (15 pts + 10 extra)
PMA 110: capa (15)
PMA 131: Custom UPX (25 pts extra)

PMA 221: Basic Dynamic Analysis (30 pts + 30 extra)
PMA 222: Making a Windows Keylogger (10 pts extra)

PMA 301: Jasmin (10 pts + 10 extra)
PMA 303c: IDA Pro (20 pts + 20 extra)
PMA 304: C Constructs in Assembly (15 pts)

PMA 401: Simple EXE Hacking with Ollydbg (30 pts + 90 extra)
PMA 402: Hacking Minesweeper with Ollydbg (15 pts + 30 extra)
PMA 403: API Monitor (15 pts extra)
PMA 410c: Kernel Debugging Windows 2016 Server (15 pts)
PMA 420: Bootkit Analysis with Bochs (15 pts)
PMA 421: Understanding the MBR (15 pts + 55 extra)

Assembler CTF (269 extra)

FLARE VM (Extra Credit)

PMA 60: Cloud Server on Azure (15 extra)
PMA 40: FLARE-VM (20 extra)
PMA 121: Unpacking with OllyDbg and pestudio (50 pts extra)
PMA 122: PE Headers (50 pts extra)
PMA 123: Importing DLLs (45 pts extra)
PMA 124: DLL Hijacking (15 pts extra)
PMA 125: Installing Visual Studio 2019 (10 pts extra)
PMA 126: DLL Proxying (20 pts extra)
PMA 430: WinDbg Preview (15 pts extra)
PMA 431: WinDbg Preview: Source-Level Debugging (10 pts extra)
PMA 432: WinDbg Preview: Kernel Debugging (35 pts extra)
PMA 433: Kernel Debugging with Breakpoints (30 pts extra)
PMA 434: Debugging a Driver (30 pts extra)

Ghidra (Extra Credit)

PMA 510: Starting with Ghidra (10 extra)
PMA 511: Ghidra Data Displays (40 extra)

Using Local VM (Legacy) (Being Revised)

PMA 20: Malware Analysis Virtual Machine (15 pts)
PMA 101: Basic Static Techniques (20 pts + 30 extra)
PMA 102: Unpacking (15 pts + 10 extra)
PMA 201: Basic Dynamic Analysis (30 pts)
PMA 202: Keylogger (30 extra)
PMA 302: Assembly Code in Masm32 (20 pts extra)
PMA 303: IDA Pro (20 pts + 20 extra)
PMA 410: Kernel Debugging on Windows 2008 Server (15 pts)
PMA 411: SSDT Hooking on Windows 2008 Server (25 extra)

SPACE
(Off-Topic But Awesome)

SP 100: APT Decode (10 pts)
SP 101: GNU Radio Introduction (20 pts)
SP 102: BPSK--Phasor (20 pts)
SP 103: Two Line Elements (TLE) (40 pts)

Virtual Machine Resources
(Not Recommended)

Download Textbook Labs Here

Hypervisors

VMware Player (for Windows hosts, free)
VMware Fusion (for Mac hosts, 30-day trial)
VirtualBox (free for all platforms)

Links

Lab Files

Download Textbook Labs Here

Chapter Links

Ch 1a: Breach clean-up cost LinkedIn nearly $1 million, another $2-3 million in upgrades (Aug. 2012)
Ch 1b: Fake FBI warning tricks man into surrendering himself for possession of child porn

Ch 2a: VirusTotal - Free Online Virus, Malware and URL Scanner
Ch 2b: UPX NotCompressibleException
Ch 2c: Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
Ch 2d: Dependency Walker (depends.exe) Home Page
Ch 2e: PEview Download
Ch 2f: Resource Hacker
Ch 2g: Download PEiD 0.95
Ch 2h: UPX: the Ultimate Packer for eXecutables - Download
Ch 2i: BinText 3.03 McAfee Free Tools

Ch 3a: Process Monitor Download
Ch 3b: Process Explorer Download
Ch 3c: RegShot download
Ch 3d: Regshot user guide
Ch 3e: ApateDNS Download
Ch 3f: 3 Free Tools to Fake DNS Responses for Malware Analysis

Ch 5a: OpenRCE -- Free IDA Scripts

Ch 6a: Entry points for Windows programs

Ch 7b: Autoruns for Windows
Ch 7c: Anatomy of a Program in Memory
Ch 7d: assembly - The point of test eax eax
Ch 7e: CurrentControlSetServices Subkey Entries
Ch 7f: Globally unique identifier - Wikipedia
Ch 7g: SEH in x86 Environments
Ch 7h: assembly - What is the 'FS''GS' register intended for?
Ch 7i: winapi - FS register in Win32
Ch 7j: Ring (computer security) - Wikipedia

Ch 8a: Exploit Development for Mere Mortals Joe McCray - YouTube
Ch 8b: x86 Protected Mode Exceptions
Ch 8c: Enabling Postmortem Debugging - Windows 10 hardware dev
Ch 8d: Using Windows Event Viewer to debug crashes
Ch 8e: LiveKd for Virtual Machine Debugging

Ch 9a: Download OllyDbg 1.10
Ch 9b: OllyDbg v. 2.01 is EVIL; just misses functions found in v. 1.10
Ch 9c: OLLYDBG TUTORIALS! The Legend Of Random
Ch 9d: OpenRCE OllyDbg Plugins (down on 10-14-13)
Ch 9e: shell-storm Shellcodes Database

Ch 10a: Download Windows Symbol Packages
Ch 10b: ntoskrnl.exe - Wikipedia, the free encyclopedia
Ch 10c: Choosing the 32-Bit or 64-Bit Debugging Tools (Windows Debuggers)
Ch 10d: How To: Debug the WRK on Mac OS X Using VMware Fusion
Ch 10e: Assembly Code Debugging in WinDbg (Windows Debuggers)
Ch 10f: Microsoft Windows library files - HAL runs in kernel mode
Ch 10g: Windbg Tutorials
Ch 10h: A word for WinDbg
Ch 10i: Kernel Patch Protection - Wikipedia
Ch 10j: On Windows Syscall Mechanism and Syscall Numbers Extraction Methods
Ch 10k: The Sysenter Instruction and 0x2e Interrupt
Ch 10l: Hooking the System Service Dispatch Table (SSDT)
Ch 10m: Common WinDbg Commands (Thematically Grouped)

Ch 11a: Portable Executable - Wikipedia
Ch 11b: Resource Hacker
Ch 11c: Capturing Windows 7 Credentials at Logon Using a Custom Credential Provider (Replaces MSGINA.DLL)
Ch 11d: Detecting DLL Hijacking on Windows | SANS Institute (2015)
Ch 11e: Windows 10 Hooking Nirvana explained (2016)

Ch 13a: Tools for Examining XOR Obfuscation for Malware Analysis
Ch 13b: Base64 Decode and Encode - Online
Ch 13c: Download FindCrypt2 (IDA Pro Plug-In)
Ch 13d: Kanal Free Download
Ch 13e: Entropy (information theory) - Wikipedia
Ch 13f: IDA Entropy Plugin
Ch 13g: IDA Entropy Plugin 0.1 -- working download link
Ch 13h: Ent -- entropy visualizer that works on Windows

Ch 15a: The Bastard Linux Disassembler (Linear)
Ch 15b: JUMP and CALL - Stack Overflow

Training Materials

Introductory: Chapter 0

Introduction to Malware Analysis Slides by Lenny Zeltser
Introduction to Malware Analysis - Free Recorded Webcast by Lenny Zeltser
Analysis of Malware Samples -- EXCELLENT TIPS FOR PROCESS MONITOR
Sam's Honeynet "Reverse Engineering Malware" Class Notes (Mar. 2012)

Assembly Language: Chapter 4

Windows Assembly Language Megaprimer -- VIDEO
Introductory Intel x86: Architecture, Assembly --Free class materials!
PE Structure--Excellent Diagram
Download jasmin x86 Assembler Interpreter
Jasmin tutorial - Java Assembler Interpreter

Windows Internals: Chapter 7

Windows 0wn3d By Default Mark Baggett -- VIDEO

Debugging: Chapter 8

Exploit Development for Mere Mortals Joe McCray -- VIDEO
OllyDbg Tricks for Exploit Development

OllyDbg: Chapter 9

Exploit Dev Night School Day 2 - YouTube -- HIGHLY RECOMMENDED, MORE DEBUGGER DEMOS
Reverse Engineering 101 on Vimeo

Other Links

Catalog of key Windows kernel data structures
Malware Analysis Resources
Pwning a Spammer's Keylogger - SpiderLabs Anterior
SANS Memory Forensics Cheat Sheet (PDF)
An interesting case of Mac OSX malware
Picking Apart Malware In The Cloud - The business need for malware analysis
FakeNet -- Dynamic malware analysis tool
Static Analysis Talk
Worm 2.0, or LilyJade in action
Pwning the Herpes botnet and its creator
A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability - Microsoft Malware Protection Center - Site Home - TechNet Blogs
Virtual USB Analyzer - Tutorial
PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion
FileInsight McAfee Free Tools
McAfee FileInsight -- recommended malware analysis tool
CSI:Internet - PDF timebomb
Static Analysis: Following Along at Home with Hopper's Decompiler Feature, Part 1
Deconstructing an ELF File
Malware Analysis Course Lecture Slides
Defeating Flame String Obfuscation with IDAPython
System Forensics: MBR Malware Analysis
Malware Hunting with the Sysinternals Tools
Honeypot Alert PHP-CGI Vuln Targeted For Database Dumping
Th3-0uTl4wS Database -- bot source code
Fuzzy Hashing presentation by Jesse Kornblum
Malware Unpacking Level: Pintool
WireShnork and other Forensics plugins for Wireshark
IntroductionToReverseEngineering
Tweaking Metasploit Modules To Bypass EMET -- Part 1
corkami - reverse engineering experiments and documentations
Modifying VirtualBox settings for malware analysis
What was that Wiper thing? - EXCELLENT MALWARE ANALYSIS
Malware Must Die!: Racing with time to get the latest payload of Blackhole Exploit Kit
Extracting EXE file (in HTTP stream) from captured packets file with Wireshark
Analyzing Unknown Malware: #2 Disclosure of an interesting Botnet - The Executable (Part 1)
Malware Analysis as a Hobby slides --Cuckoo looks great!
Shamoon The Wiper: further details (Part II) - Securelist
Backdoors are Forever: Hacking Team and the Targeting of Dissent
The Case of the Unexplained FTP Connections
Analysis of malware that infects virtual machines
Deobfuscating "PluginDetect"
To Russia With Targeted Attack
Windows DLL Injection Basics
Reverse engineering challenge intended for women
India APT Attack -- Several useful tools demonstrated
MFT vs Super Timeline: Part 1
Stack Smashing On A Modern Linux System -- Good gdb examples
Nothink.org -- EXCELLENT HONEYPOT DATA
Oh, you found a remote OpenSSH 0-day on Pastebin? Don't trust it.
KernelMode.info -- Site to get real malware samples
MalwareURL -- Site to get real malware samples
Malc0de Database -- Site to get real malware samples
PEiD 0.95 Free - Detects packers, cryptors and compilers
QUnpack -- recommended unpacker
ThreatExpert - Automated Threat Analysis
TCPView for Windows -- traffic monitoring
Total Uninstall Analyze, monitor and uninstall programs -- useful for malware analysis
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code -- recommended book
Volatility Cheat Sheet
Good analysis of the malware at speedtest.net
Free Online Malware Analysis Class
APT #TargetedAttacks within Twitter
How to use MANDIANT Memoryze
contagio: Collection of Pcap files from malware analysis
Malware analysis lab tools
6.25 DNS DDOS Attack In Korea -- Good example of simple dynamic analysis
Mandiant Redline is Free
Windows 8 Server 2012 Memory Forensics
Structured Exception Handler EXPLOITATION
Malware and DLLs
Trojaning antivirus uninstallers with DLL injection
When Malware Meets Rootkits (from 2005)
Process Hiding
Dr. Fu's Security Blog: Malware Analysis Tutorials: a Reverse Engineering Approach -- MORE PROJECTS HERE
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code -- RECOMMENDED BOOK
SANS Work Study -- Get SANS classes for cheap!
Finding Evil: Automating Autoruns Analysis
Attackers' Toolbox Makes Malware Detection More Difficult
Large botnet cause of recent Tor network overload
Pushdo Botnet detects "FakeNet" analysis tool and spams practicalmalwareanalysis.com (Sept, 2013)
Reverse Engineering a D-Link Backdoor with IDA Pro
Anatomy of an exploit -- inside the CVE-2013-3893 Internet Explorer zero-day -- Part 1
binwalk - Firmware Analysis Tool
Reverse Engineering Videos
How to solve Windows system crashes in minutes --Debugging crash dumps
Kernel Pool Exploitation on Windows 7 (from 2011)
Analysis of a Malware ROP Chain
New Tool: XORStrings
Strings from CSRSS show command-line history on Windows
Reconstructing Master File Table (MFT) Entries with MFTParser.py
The OpenIOC Framework -- for sharing threat intelligence
security-onion - recommended for Snort GUIs
Malware Research -- samples
Barracuda Launches Web-Based Malware Analysis Tool Threatglass
Malware Analysis with pedump
Practical Malware Analysis - Free Download eBook - pdf (works as of 2014-07-16)
What is a mutex? - EPIC EXPLANATION
OfficeMalScanner -- detects malware in Office files
Hopper -- Mac OS X Disassembler, highly recommended by @iamevltwin
fseventer for Mac -- observe filesystem changes
logkext - Freeware keylogger for OS X
contagio: OSX malware and exploit collection (~100 files)
Shellter -- inject Metasploit payloads into PE files to bypass AV
Exeinfo PE Download
How to setup plugins for ollydbg 2.x.x?
Download OllyScript to Automate Packing
Download OllyScript PE Compact Script
QuickUnpack Tool -- Download
Ether: Malware Analysis via Hardware Virtualization Extensions -- Free online unpacker
MacMemoryForensics - volatility - Instructions on how access and use the Mac OS X support
PEStudio performs the static investigation of Windows executables
Valgrind Tutorial
PEStudio: static malware analysis tool ty @lennyzeltser #S4con
Process Hacker can dump strings from running processes ty @lennyzeltser #S4con
Google mutant names to help identify malware ty @lennyzeltser #S4con
Malware Analysis Database -- search for mutex values & more ty @lennyzeltser #S4con
ProcDOT - Visual Malware Analysis ty @lennyzeltser #S4con
urlvoid.com Website Reputation Checker Tool ty @lennyzeltser #S4con
Exeinfo PE -- Identifies packers ty @lennyzeltser #S4con
Hacker Disassembly Uncovered (free download)
Reversing & Malware Analysis - FREE TRAINING SLIDES
The evolution of OS X malware (Oct. 2014)
Bypassing EMET's EAF with custom shellcode using kernel pointer (from 2011)
Disarming Enhanced Mitigation Experience Toolkit (EMET) v 5.0
Cuckoo Sandbox VM Escape Vulnerability (2014)
Rootkits by Csaba Barta (from 2009)
Malwr - Malware Analysis by Cuckoo Sandbox
Malware Investigator -- from the FBI
Reversing a malvertisment: javascript, regex, and cookie
POWELIKS Levels Up With New Autostart Mechanism
Malicious Flash Files Gain the Upper Hand With New Obfuscation Techniques Security Intelligence Blog
Inside a Kippo honeypot: how the billgates botnet spreads -- PROJECT IDEA
Hook Analyser
Online JavaScript beautifier -- deobfuscates code! -- IMPORTANT FOR MALWARE ANALYSIS
Retrieve the apk signature at runtime for Android
2015-10-07: IOS Application Security Testing Cheat Sheet - OWASP
theZoo · Malware Samples to Analyze ty @the_fire_dog
Malware Researcher's Handbook (Demystifying PE File) - InfoSec Resources
RPISEC/Malware: Course materials for Malware Analysis
Malware Analysis by Abstruse Goose
A Crash Course In DLL Hijacking -- EXCELLENT EXPLANATION
x64dbg: An open-source x64/x32 debugger for windows -- ALTERNATIVE TO IDA PRO
REMNUX V6 FOR MALWARE ANALYSIS (PART 2): STATIC FILE ANALYSIS
Microsoft security technology EMET used to disable itself (Feb. 2016)
The Ultimate Disassembly Framework -- Capstone
Malwarebytes 2.2.0.1024 DLL Hijacking (works on Win 2008 Server but not Win 10) -- SHOW TO CLASS
Win32 Assembly Cheat Sheet
Local Kernel-Mode Debugging - Windows 10 hardware dev
WinDbg tools and tutorials
pestudio: Malware Initial Assessment Tool
Identifying malware with PEStudio
A fundamental introduction to x86 assembly programming
Practical Malware Analysis Starter Kit
Introductory Intel x86: Architecture, Assembly, Applications - YouTube
Assembly Primer for Hackers (Part 1) System Organization Tutorial.mp4 - YouTube
Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)
GitHub - RPISEC/Malware: Course materials for Malware Analysis by RPISEC
Manalyzer: free online static analysis
WARNING: Tweet to download live Locky malware (BE CAREFUL)
Kwetza: infecting android applications -- MAKE INTO PROJECT
pwning bin2json | psych0tik
Microsoft/binskim: A binary static analysis tool that provides security and correctness results for Windows portable executables.
GitHub - GoSecure/malboxes: Builds malware analysis Windows VMs so that you don't have to.
pev - the PE file analysis toolkit -- MAY BE USEFUL FOR PROJECTS
pev Video Demo
Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax. -- TRY FOR PROJECTS
CS7038-Malware-Analysis by ckane
Reverse Engineering Malware 101 -- free online course

New Unsorted Links

My first SSDT hook driver
SSDT Hooking mini-library/example - RaGEZONE - MMO development community
Shadow SSDT Hooking with Windbg
Download Windows Driver Kit Version 7.1.0 from Official Microsoft Download Center
InstDrv plug-in - NSIS
Installing the AWS Command Line Interface
HowTo Export a VM in OVA format in VMware Fusion for OS X with ovftool
FLARE VM: The Windows Malware Analysis Distribution You've Always Needed!
pestudio -- USEFUL FOR MALWARE ANALYSIS
Dropper Analysis -- TEST FOR PROJECT
GUnpacker 0.5 | Generic Unpacker for RE of Malware
wsunpacker -- unpacks many formats
Ether: Online Malware Unpacker
Portable Executable File Corruption Preventing Malware From Running -- USE FOR PROJECTS
fireeye/flare-floss: FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Practical Malware Analysis Chapter 1 Lab Attempt - YouTube
Kernel Forensics and Rootkits
pestudio: Malware Initial Assessment Tool
Malware Analysis Tutorials: a Reverse Engineering Approach
Reversing Basics - A Practical Approach Using IDA Pro
Ch 8f: LiveKd for Virtual Machine Debugging -- Mark's Blog
ScyllaHide: conceals debuggers from malware
Process Doppelganging Malware Evasion Technique (from 2017) ty @lennyzeltser #IRespondCon
Processhacker: Monitor system resources, debug software and detect malware --ty @lennyzeltser #IRespondCon
Invoke-DOSfuscation: Cmd.exe Command Obfuscation Tool -- ty @lennyzeltser #IRespondCon
olevba -- Extracts VBA Macros from Microsoft Office files -- ty @lennyzeltser #IRespondCon
Malware-Traffic-Analysis.net A source for pcap files and malware samples ty Andrea Kaiser #IRespondCon
MalShare: A free Malware repository providing researchers access to samples, malicious feeds, and Yara results
VirusShare.com - Because Sharing is Caring
Detect It Easy -- Unpacker for Windows malware
CFF Explorer -- Malware Analysis Tool
pestudio -- malware analysis tool
Game Hacking: WinXP Minesweeper - Reverse Engineering
Automated Malware Analysis - Joe Sandbox
Ch 10n: About Dynamic-Link Libraries | Microsoft Docs
Ch 10n: Callback Objects | Microsoft Docs
Ch 10o: Using a Driver-Defined Callback Object | Microsoft Docs
Exeinfo PE by A.S.L - packer - compression detector and data detector
GitHub - horsicq/Detect-It-Easy: Detect it Easy
The Mac Malware of 2018--WITH SAMPLES
OALabs Malware Analysis Virtual Machine
Intro to Cutter for Malware Analysis
Three Heads are Better Than One: Mastering Ghidra
Top 10 Free Keyloggers for Windows
EgeBalci/Keylogger: Simple C Keylogger...
Understanding and Analyzing Carrier Files Workshop
Modern Windows Exploit Development.pdf
Rootkit analysis Use case on HideDRV
TDSS part 1: The x64 Dollar Question
Bochs Hacking Guide
CFF Explorer -- use for malware analysis
Vergilius: Take a look into the depths of Windows kernels--USE FOR PROJECTS
2020-10-15: Recommended Mandiant and FireEye Blogs
Malware_Reverse_Engineering_Handbook.pdf
Malware Samples for Students
Windows System Processes: An Overview For Blue Teams
Persistence AppInit DLLs Penetration Testing Lab
The Art Of Mac Malware
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Labs | CyberDefenders ® | Blue Team CTF Challenges
A detailed analysis of ELMER Backdoor used by APT16 CYBER GEEKS
Analyzing APT19 malware using a step-by-step method CYBER GEEKS
Dissecting APT21 samples using a step-by-step approach CYBER GEEKS
Detecting Mimikatz with Sysmon
Packing and Process Injection to Evade Windows Defender
GitHub - danzajork/evasion: Windows packer
Finding Privilege Escalation Vulnerabilities in Windows using Process Monitor - Wiki - VulWiki
Rootkits in Windows 10 - Windows security | Microsoft Docs
2022-02-11: Malware Analysis Series
Malware Analysis Tutorials: a Reverse Engineering Approach
Malware analysis CTF created by myself and @HBRH_314
Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code
How to Use the Slmgr activate and Slmgr rearm up to 8 times
DLL Hijack Libs
PMA 600: FLARE-ON 9 (2022) (requires password)
NASM Assembly Language Tutorials - asmtutor.com
How to Bypass Windows 11's TPM, CPU and RAM Requirements--THIS WORKS
How to bypass internet connection to install Windows 11--THIS WORKS
Winbindex - The Windows Binaries Index
MVS Collection: Windows ISOs
WindowsProtocolTestSuites
Binary Refinery tutorial
Meterpreter vs Modern EDR(s)--USE FOR PROJECT
Can't inject meterpreter shellcode in c code - Information Security Stack Exchange
Ring Zero Labs: Godbolt: Your Gateway to Learning Reverse Engineering
Decompiler Explorer
Symbolic Execution for the Win: Pwning CTFs with angr
Any.Run Analysis--USE FOR PROJECTS
Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection - Outpost24


Last Updated: 12-8-20 6:42 pm