(Required)

CNIT 126: Practical Malware Analysis

Spring 2026 Sam Bowne

35291 501 Thu 6:10 - 9 PM Science 37

Schedule · Lecture Notes · Projects · Links · Home Page

Canvas Outage

CNIT 126 students should have received
an email from sam.bowne@agentmail.to
showing how to take the final exam
without using Canvas.

Since Canvas is down and I cannot access quiz
scores, your grade will be based on projects
and the final exan only, assuming you got
20 on all the quizzes.

Here is the new grading system:

A: 408
B: 340
C: 205
D: 138
F: 137 or less

I am working on gathering all the extra
credit I sent to Canvas and adding it to
my new scoring system.

If you submitted projects in Canvas, or
have any other issues to discuss, please
email sbowne@ccsf.edu or come to one of my
Twitch sessions shown at the top of samsclass.info

Use Twitch

To attend class:
https://twitch.tv/sambowne

(Optional)

Free Textbook Access

Go here
In the "Select your Institution" drop-down list box, select "City College of San Francisco"
Enter your CCSF email address
Enter the book's title the "Find a Solution..." field

Catalog Description

Learn how to analyze malware, including computer viruses, trojans, and rootkits, using disassemblers, debuggers, static and dynamic analysis, using IDA Pro, OllyDbg and other tools.

Advisory: CS 110A or equivalent familiarity with programming

Upon successful completion of this course, the student will be able to:

Describe types of malware, including rootkits, Trojans, and viruses.
Perform basic static analysis with antivirus scanning and strings
Perform basic dynamic analysis with a sandbox
Perform advanced static analysis with IDA Pro
Perform advanced dynamic analysis with a debugger
Operate a kernel debugger
Explain malware behavior, including launching, encoding, and network signatures
Understand anti-reverse-engineering techniques that impede the use of disassemblers, debuggers, and virtual machines
Recognize comTue packers and how to unpack them

Textbook

"Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901 Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.
Don't use CCSF's Canvas system for this class. Instead, all students should use this Canvas server:
Enroll Here · View Course · Reset password

Discussion Board

Each CCSF student must contribute to the Discussion Board in Canvas. There are dates listed in the schedule with Discussion assignment due.
For the topics and requirements, see the Discussion board in Canvas.
Non-CCSF students don't have a Discussion Board in Canvas, but are encouraged to join Twitter and engage in the public discussions there.

Schedule (may be revised)
		Note: Chapter Numbers are one too high in the E-Book Chapter 0 is mislabelled as Chapter 1, etc.
Date		Quiz	Topic

Thu 1-15			0: Malware Analysis Primer & 1: Basic Static Techniques Demo: PMA 41

Thu 1-22		Quiz: Ch 0-1 Quiz: Ch 2-3 Proj PMA 41 & 101	2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis Demos: PMA 101, 105

Thu 1-29		Quiz: Ch 4 Proj PMA 105 Discussion 1	4: A Crash Course in x86 Disassembly Demo: PMA 221

*Fri 1-30*		*Last Day to Add Classes*

Thu 2-5		Quiz: Ch 8 Proj PMA 221 Discussion 2	8: Debugging Demos: PMA 102 & 121 & 122

Thu 2-12		Quiz: Ch 9 Proj PMA PMA 102 & 121 & 122 Discussion 3	9: OllyDbg Demos: PMA 123 & 401

Thu 2-19		Quiz: Ch 5 Proj PMA 123 & 401 Discussion 4	5: IDA Pro Demos: PMA 124 & 126

Thu 2-26		Quiz: Ch 6 Proj PMA 124 & 126 Discussion 5	6: Recognizing C Code Constructs in Assembly Demos: PMA 301 (Jasmin) and 303 (IDA Pro)

Thu 3-5		Quiz: Ch 7 Proj PMA 301 Discussion 6	7: Analyzing Malicious Windows Programs Demo: PMA 304 (C constructs)

Thu 3-12		No Quiz No Proj due	OllyDbg Demos: PMA 402 & 404

Thu 3-19		No Quiz	DOT NET Demos: PMA 132, ED 330, ED 331

Thu 3-26		No Quiz Proj PMA 303 & 304	Demos: R 10, R 20, ED 301

*Thu 4-2*	*Holiday--No Class*

Thu 4-9		No Quiz Proj PMA 402 Discussion 7	10: Kernel Debugging with WinDbg WinDbg Demo: PMA 430

Thu 4-16		Quiz: Ch 10 Discussion 8	Debugging Demos: PMA 431, PMA 432 and Bootkit Demo: PMA 420

Thu 4-23		Quiz: Ch 11 Proj PMA 430 & 431 Discussion 9	11: Malware Behavior Demo: H 540

Thu 4-30		No Quiz Proj PMA 432 due	12: Covert Malware Launching Demo: PMA PMA 406

Thu 5-7		No Quiz All Extra Credit Due	Last Class: No New Material

Wed 5-13 through Wed 5-20		Final Exam available online throughout the week. You can only take it once.

All quizzes due 30 min. before class

Lecture Notes

Policy (pdf)
Syllabus (pdf)

Basic Analysis
0: Malware Analysis Primer & 1: Basic Static Techniques · KEY · PDF
2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis · KEY · PDF
Advanced Static Analysis
4: A Crash Course in x86 Disassembly · KEY · PDF
5: IDA Pro · KEY · PDF
6: Recognizing C Code Constructs in Assembly · KEY · PDF
7: Analyzing Malicious Windows Programs · KEY · PDF

Advanced Dynamic Analysis
8: Debugging · KEY · PDF
9: OllyDbg · KEY · PDF
10: Kernel Debugging with WinDbg (Updated for 2019) · KEY · PDF

Malware Functionality
11: Malware Behavior     KEY    PDF
12: Covert Malware Launching     KEY    PDF
13: Data Encoding     KEY    PDF
14: Malware-Focused Network Signatures     KEY

Anti-Reverse-Engineering
15: Anti-Disassembly     KEY
16: Anti-Debugging
17: Anti-Virtual Machine Techniques
18: Packers and Unpacking

Special Topics
19: Shellcode Analysis
20: C++ Analysis
21: 64-Bit Malware

Review Questions

Click a lecture name to see it on SlideShare.
If you want to use other formats, you may find this useful:
Cloud Convert.

Links
Lab Files Download Textbook Labs Here Chapter Links Ch 1a: Breach clean-up cost LinkedIn nearly $1 million, another $2-3 million in upgrades (Aug. 2012) Ch 1b: Fake FBI warning tricks man into surrendering himself for possession of child porn Ch 2a: VirusTotal - Free Online Virus, Malware and URL Scanner Ch 2b: UPX NotCompressibleException Ch 2c: Peering Inside the PE: A Tour of the Win32 Portable Executable File Format Ch 2d: Dependency Walker (depends.exe) Home Page Ch 2e: PEview Download Ch 2f: Resource Hacker Ch 2g: Download PEiD 0.95 Ch 2h: UPX: the Ultimate Packer for eXecutables - Download Ch 2i: BinText 3.03 McAfee Free Tools Ch 3a: Process Monitor Download Ch 3b: Process Explorer Download Ch 3c: RegShot download Ch 3d: Regshot user guide Ch 3e: ApateDNS Download Ch 3f: 3 Free Tools to Fake DNS Responses for Malware Analysis Ch 5a: OpenRCE -- Free IDA Scripts Ch 6a: Entry points for Windows programs Ch 7b: Autoruns for Windows Ch 7c: Anatomy of a Program in Memory Ch 7d: assembly - The point of test eax eax Ch 7e: CurrentControlSetServices Subkey Entries Ch 7f: Globally unique identifier - Wikipedia Ch 7g: SEH in x86 Environments Ch 7h: assembly - What is the 'FS''GS' register intended for? Ch 7i: winapi - FS register in Win32 Ch 7j: Ring (computer security) - Wikipedia Ch 8a: Exploit Development for Mere Mortals Joe McCray - YouTube Ch 8b: x86 Protected Mode Exceptions Ch 8c: Enabling Postmortem Debugging - Windows 10 hardware dev Ch 8d: Using Windows Event Viewer to debug crashes Ch 8e: LiveKd for Virtual Machine Debugging Ch 9a: Download OllyDbg 1.10 Ch 9b: OllyDbg v. 2.01 is EVIL; just misses functions found in v. 1.10 Ch 9c: OLLYDBG TUTORIALS! The Legend Of Random Ch 9d: OpenRCE OllyDbg Plugins (down on 10-14-13) Ch 9e: shell-storm Shellcodes Database Ch 10a: Download Windows Symbol Packages Ch 10b: ntoskrnl.exe - Wikipedia, the free encyclopedia Ch 10c: Choosing the 32-Bit or 64-Bit Debugging Tools (Windows Debuggers) Ch 10d: How To: Debug the WRK on Mac OS X Using VMware Fusion Ch 10e: Assembly Code Debugging in WinDbg (Windows Debuggers) Ch 10f: Microsoft Windows library files - HAL runs in kernel mode Ch 10g: Windbg Tutorials Ch 10h: A word for WinDbg Ch 10i: Kernel Patch Protection - Wikipedia Ch 10j: On Windows Syscall Mechanism and Syscall Numbers Extraction Methods Ch 10k: The Sysenter Instruction and 0x2e Interrupt Ch 10l: Hooking the System Service Dispatch Table (SSDT) Ch 10m: Common WinDbg Commands (Thematically Grouped) Ch 11a: Portable Executable - Wikipedia Ch 11b: Resource Hacker Ch 11c: Capturing Windows 7 Credentials at Logon Using a Custom Credential Provider (Replaces MSGINA.DLL) Ch 11d: Detecting DLL Hijacking on Windows \| SANS Institute (2015) Ch 11e: Windows 10 Hooking Nirvana explained (2016) Ch 13a: Tools for Examining XOR Obfuscation for Malware Analysis Ch 13b: Base64 Decode and Encode - Online Ch 13c:: Download FindCrypt2 (IDA Pro Plug-In) Ch 13d: Kanal Free Download Ch 13e: Entropy (information theory) - Wikipedia Ch 13f: IDA Entropy Plugin Ch 13g: IDA Entropy Plugin 0.1 -- working download link Ch 13h: Ent -- entropy visualizer that works on Windows Ch 15a: The Bastard Linux Disassembler (Linear) Ch 15b: JUMP and CALL - Stack Overflow Training Materials Introductory: Chapter 0 Introduction to Malware Analysis Slides by Lenny Zeltser Introduction to Malware Analysis - Free Recorded Webcast by Lenny Zeltser Analysis of Malware Samples -- EXCELLENT TIPS FOR PROCESS MONITOR Sam's Honeynet "Reverse Engineering Malware" Class Notes (Mar. 2012) Assembly Language: Chapter 4 Windows Assembly Language Megaprimer -- VIDEO Introductory Intel x86: Architecture, Assembly --Free class materials! PE Structure--Excellent Diagram Download jasmin x86 Assembler Interpreter Jasmin tutorial - Java Assembler Interpreter Windows Internals: Chapter 7 Windows 0wn3d By Default Mark Baggett -- VIDEO Debugging: Chapter 8 Exploit Development for Mere Mortals Joe McCray -- VIDEO OllyDbg Tricks for Exploit Development OllyDbg: Chapter 9 Exploit Dev Night School Day 2 - YouTube -- HIGHLY RECOMMENDED, MORE DEBUGGER DEMOS Reverse Engineering 101 on Vimeo Other Links Catalog of key Windows kernel data structures Malware Analysis Resources Pwning a Spammer's Keylogger - SpiderLabs Anterior SANS Memory Forensics Cheat Sheet (PDF) An interesting case of Mac OSX malware Picking Apart Malware In The Cloud - The business need for malware analysis FakeNet -- Dynamic malware analysis tool Static Analysis Talk Worm 2.0, or LilyJade in action Pwning the Herpes bothet and it's creator A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability - Microsoft Malware Protection Center - Site Home - TechNet Blogs Virtual USB Analyzer - Tutorial PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion FileInsight McAfee Free Tools McAfee FileInsight -- recommended malware analysis tool CSI:Internet - PDF timebomb Static Analysis: Following Along at Home with Hopper's Decompiler Feature, Part 1 Deconstructing an ELF File Malware Analysis Course Lecture Slides Defeating Flame String Obfuscation with IDAPython System Forensics: MBR Malware Analysis Malware Hunting with the Sysinternals Tools Honeypot Alert PHP-CGI Vuln Targeted For Database Dumping Th3-0uTl4wS Database -- bot source code Fuzzy Hashing presentation by Jesse Kornblum Malware Unpacking Level: Pintool WireShnork and other Forensics plugins for Wireshark IntroductionToReverseEngineering Tweaking Metasploit Modules To Bypass EMET -- Part 1 corkami - reverse engineering experiments and documentations Modifying VirtualBox settings for malware analysis What was that Wiper thing? - EXCELLENT MALWARE ANALYSIS Malware Must Die!: Racing with time to get the latest payload of Blackhole Exploit Kit Extracting EXE file (in HTTP stream) from captured packets file with Wireshark Analyzing Unknown Malware: #2 Disclosure of an interesting Botnet - The Executable (Part 1) Malware Analysis as a Hobby slides --Cuckoo looks great! Shamoom The Wiper: further details (Part II) - Securelist Backdoors are Forever: Hacking Team and the Targeting of Dissent The Case of the Unexplained FTP Connections Analysis of malware that infects virtual machines Deobfuscating "PluginDetect" To Russia With Targeted Attack Windows DLL Injection Basics Reverse engineering challenge intended for women India APT Attack -- Several useful tools demonstrated MFT vs Super Timeline: Part 1 Stack Smashing On A Modern Linux System -- Good gdb examples Nothink.org -- EXCELLENT HONEYPOT DATA Oh, you found a remote OpenSSH 0-day on Pastebin? Don't trust it. KernelMode.info -- Site to get real malware samples MalwareURL -- Site to get real malware samples Malc0de Database -- Site to get real malware samples PEiD 0.95 Free - Detects packers, cryptors and compilers QUnpack -- recommended unpacker ThreatExpert - Automated Threat Analysis TCPView for Windows -- traffic monitoring Total Uninstall Analyze, monitor and uninstall programs -- useful for malware analysis Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code -- recommended book Volatility Cheat Sheet Good analysis of the malware at speedtest.net Free Online Malware Analysis Class APT #TargetedAttacks within Twitter How to use MANDIANT Memoryze contagio: Collection of Pcap files from malware analysis Malware analysis lab tools 6.25 DNS DDOS Attack In Korea -- Good example of simple dynamic analysis Mandiant Redline is Free Windows 8 Server 2012 Memory Forensics Structured Exception Handler EXPLOITATION Malware and DLLs Trojaning antivirus uninstallers with DLL injection When Malware Meets Rootkits (from 2005) Process Hiding Dr. Fu's Security Blog: Malware Analysis Tutorials: a Reverse Engineering Approach -- MORE PROJECTS HERE Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code -- RECOMMENDED BOOK SANS Work Study -- Get SANS classes for cheap! Finding Evil: Automating Autoruns Analysis Attackers' Toolbox Makes Malware Detection More Difficult Large botnet cause of recent Tor network overload Pushdo Botnet detects "FakeNet" analysis tool and spams practicalmalwareanalysis.com (Sept, 2013) Reverse Engineering a D-Link Backdoor with IDA Pro Anatomy of an exploit -- inside the CVE-2013-3893 Internet Explorer zero-day -- Part 1 binwalk - Firmware Analysis Tool Reverse Engineering Videos How to solve Windows system crashes in minutes --Debugging crash dumps Kernel Pool Exploitation on Windows 7 (from 2011) Analysis of a Malware ROP Chain New Tool: XORStrings Strings from CSRSS show command-line history on Windows Reconstructing Master File Table (MFT) Entries with MFTParser.py The OpenIOC Framework -- for sharing threat intelligence security-onion - recommended for Snort GUIs Malware Research -- samples Barracuda Launches Web-Based Malware Analysis Tool Threatglass Malware Analysis with pedump Practical Malware Analysis - Free Download eBook - pdf (works as of 2014-07-16) What is a mutex? - EPIC EXPLANATION OfficeMalScanner -- detects malware in Office files Hopper -- Mac OS X Disassembler, highly recommended by @iamevltwin fseventer for Mac -- observe filesystem changes logkext - Freeware keylogger for OS X contagio: OSX malware and exploit collection (~100 files) Shellter -- inject Metasploit payloads into PE files to bypass AV Exeinfo PE Download How to setup plugins for ollydbg 2.x.x? Download OllyScript to Automate Packing Download OllyScript PE Compact Script QuickUnpack Tool -- Download Ether: Malware Analysis via Hardware Virtualization Exsensions -- Free online unpacker MacMemoryForensics - volatility - Instructions on how access and use the Mac OS X support PEStudio performs the static investigation of Windows executables Valgrind Tutorial PEStudio: static malware analysis tool ty @lennyzeltser #S4con Process Hacker can dump strings from running processes ty @lennyzeltser #S4con Google mutant names to help identify malware ty @lennyzeltser #S4con Malware Analysis Database -- search for mutex values & more ty @lennyzeltser #S4con ProcDOT - Visual Malware Analysis ty @lennyzeltser #S4con urlvoid.com Website Reputation Checker Tool ty @lennyzeltser #S4con Exeinfo PE -- Identifies packers ty @lennyzeltser #S4con Hacker Disassembly Uncovered (free download) Reversing & Malware Analysis - FREE TRAINING SLIDES The evolution of OS X malware (Oct. 2014) Bypassing EMET's EAF with custom shellcode using kernel pointer (from 2011) Disarming Enhanced Mitigation Experience Toolkit (EMET) v 5.0 Cuckoo Sandbox VM Escape Vulnerability (2014) Rootkits by Csaba Barta (from 2009) Malwr - Malware Analysis by Cuckoo Sandbox Malware Investigator -- from the FBI Reversing a malvertisment: javascript, regex, and cookie POWELIKS Levels Up With New Autostart Mechanism Malicious Flash Files Gain the Upper Hand With New Obfuscation Techniques Security Intelligence Blog Inside a Kippo honeypot: how the billgates botnet spreads -- PROJECT IDEA Hook Analyser Online JavaScript beautifier -- deobfuscates code! -- IMPORTANT FOR MALWARE ANALYSIS Retrieve the apk signature at runtime for Android 2015-10-07: IOS Application Security Testing Cheat Sheet - OWASP theZoo · Malware Samples to Analyze ty @the_fire_dog Malware Researcher\'s Handbook (Demystifying PE File) - InfoSec Resources RPISEC/Malware: Course materials for Malware Analysis Malware Analysis by Abstruse Goose A Crash Course In DLL Hijacking -- EXCELLENT EXPLANATION x64dbg: An open-source x64/x32 debugger for windows -- ALTERNATIVE TO IDA PRO REMNUX V6 FOR MALWARE ANALYSIS (PART 2): STATIC FILE ANALYSIS Microsoft security technology EMET used to disable itself (Feb. 2016) The Ultimate Disassembly Framework -- Capstone Malwarebytes 2.2.0.1024 DLL Hijacking (works on Win 2008 Server but not Win 10) -- SHOW TO CLASS Win32 Assembly Cheat Sheet Local Kernel-Mode Debugging - Windows 10 hardware dev WinDbg tools and tutorials pestudio: Malware Initial Assessment Tool Identifying malware with PEStudio A fundamental introduction to x86 assembly programming Practical Malware Analysis Starter Kit Introductory Intel x86: Architecture, Assembly, Applications - YouTube Assembly Primer for Hackers (Part 1) System Organization Tutorial.mp4 - YouTube Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS) GitHub - RPISEC/Malware: Course materials for Malware Analysis by RPISEC Manalyzer: free online static analysis WARNING: Tweet to download live Locky malware (BE CAREFUL) Kwetza: infecting android applications -- MAKE INTO PROJECT pwning bin2json \| psych0tik Microsoft/binskim: A binary static analysis tool that provides security and correctness results for Windows portable executables. GitHub - GoSecure/malboxes: Builds malware analysis Windows VMs so that you don't have to. pev - the PE file analysis toolkit -- MAY BE USEFUL FOR PROJECTS pev Video Demo Plasma is an interactive disassembler for x86/ARM/MIPS. It can generates indented pseudo-code with colored syntax. -- TRY FOR PROJECTS CS7038-Malware-Analysis by ckane Reverse Engineering Malware 101 -- free online course New Unsorted Links My first SSDT hook driver SSDT Hooking mini-library/example - RaGEZONE - MMO development community Shadow SSDT Hooking with Windbg Download Windows Driver Kit Version 7.1.0 from Official Microsoft Download Center InstDrv plug-in - NSIS Installing the AWS Command Line Interface HowTo Export a VM in OVA format in VMware Fusion for OS X with ovftool FLARE VM: The Windows Malware Analysis Distribution You've Always Needed! pestudio -- USEFUL FOR MALWARE ANALYSIS Dropper Analysis -- TEST FOR PROJECT GUnpacker 0.5 \| Generic Unpacker for RE of Malware wsunpacker -- unpacks many formats Ether: Online Malware Unpacker Portable Executable File Corruption Preventing Malware From Running -- USE FOR PROJECTS fireeye/flare-floss: FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware. Practical Malware Analysis Chapter 1 Lab Attempt - YouTube Kernel Forensics and Rootkits pestudio: Malware Initial Assessment Tool Malware Analysis Tutorials: a Reverse Engineering Approach Reversing Basics - A Practical Approach Using IDA Pro Ch 8f: LiveKd for Virtual Machine Debugging -- Mark's Blog ScyllaHide: conceals debuggers from malware Process Doppelganging Malware Evasion Technique (from 2017) ty @lennyzeltser #IRespondCon Processhacker: Monitor system resources, debug software and detect malware --ty @lennyzeltser #IRespondCon Invoke-DOSfuscation: Cmd.exe Command Obfuscation Tool -- ty @lennyzeltser #IRespondCon olevba -- Extracts VBA Macros from Microsoft Office files -- ty @lennyzeltser #IRespondCon Malware-Traffic-Analysis.net A source for pcap files and malware samples ty Andrea Kaiser #IRespondCon MalShare: A free Malware repository providing researchers access to samples, malicous feeds, and Yara results VirusShare.com - Because Sharing is Caring Detect It Easy -- Unpacker for Windows malware CFF Explorer -- Malware Analysis Tool pestudio -- malware analysis tool Game Hacking: WinXP Minesweeper - Reverse Engineering Automated Malware Analysis - Joe Sandbox Ch 10n: About Dynamic-Link Libraries \| Microsoft Docs Ch 10n: Callback Objects \| Microsoft Docs Ch 10o: Using a Driver-Defined Callback Object \| Microsoft Docs Exeinfo PE by A.S.L - packer - compression detector and data detector GitHub - horsicq/Detect-It-Easy: Detect it Easy The Mac Malware of 2018--WITH SAMPLES OALabs Malware Analysis Virtual Machine Intro to Cutter for Malware Analysis Three Heads are Better Than One: Mastering Ghidra Top 10 Free Keyloggers for Windows EgeBalci/Keylogger: Simple C Keylogger... Understanding and Analyzing Carrier Files Workshop Modern Windows Exploit Development.pdf Rootkit analysis Use case on HideDRV TDSS part 1: The x64 Dollar Question Bochs Hacking Guide CFF Explorer -- use for malware analysis Vergilius: Take a look into the depths of Windows kernels--USE FOR PROJECTS 2020-10-15: Recommended Mandiant and FireEye Blogs Malware_Reverse_Engineering_Handbook.pdf Malware Samples for Students Windows System Processes: An Overview For Blue Teams Persistence AppInit DLLs Penetration Testing Lab The Art Of Mac Malware ELF Malware Analysis 101: Linux Threats No Longer an Afterthought Labs \| CyberDefenders Â® \| Blue Team CTF Challenges A detailed analysis of ELMER Backdoor used by APT16 CYBER GEEKS Analyzing APT19 malware using a step-by-step method CYBER GEEKS Dissecting APT21 samples using a step-by-step approach CYBER GEEKS Detecting Mimikatz with Sysmon Packing and Process Injection to Evade Windows Defender GitHub - danzajork/evasion: Windows packer Finding Privilege Escalation Vulnerabilities in Windows using Process Monitor - Wiki - VulWiki Rootkits in Windows 10 - Windows security \| Microsoft Docs 2022-02-11: Malware Analysis Series Malware Analysis Tutorials: a Reverse Engineering Approach Malware analysis CTF created by myself and @HBRH_314 Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code How to Use the Slmgr activate and Slmgr rearm up to 8 times DLL Hijack Libs PMA 600: FLARE-ON 9 (2022) (requires password) NASM Assembly Language Tutorials - asmtutor.com How to Bypass Windows 11's TPM, CPU and RAM Requirements--THIS WORKS How to bypass internet connection to install Windows 11--THIS WORKS Winbindex - The Windows Binaries Index MVS Collection: Windows ISOs WindowsProtocolTestSuites Binary Refinery tutorial Meterpreter vs Modern EDR(s)--USE FOR PROJECT Can't inject meterpreter shellcode in c code - Information Security Stack Exchange Ring Zero Labs: Godbolt: Your Gateway to Learning Reverse Engineering Decompiler Explorer Symbolic Execution for the Win: Pwning CTFs with angr Any.Run Analysis--USE FOR PROJECTS Unveiling LummaC2 stealerâ€™s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection - Outpost24 2025-06-19: GitHub - TheWover/donut: Generates x86, x64, or AMD64 x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters

Links

Lab Files
Download Textbook Labs Here

Chapter Links
Ch 1a: Breach clean-up cost LinkedIn nearly $1 million, another $2-3 million in upgrades (Aug. 2012)
Ch 1b: Fake FBI warning tricks man into surrendering himself for possession of child porn
Ch 2a: VirusTotal - Free Online Virus, Malware and URL Scanner
Ch 2b: UPX NotCompressibleException
Ch 2c: Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
Ch 2d: Dependency Walker (depends.exe) Home Page
Ch 2e: PEview Download
Ch 2f: Resource Hacker
Ch 2g: Download PEiD 0.95
Ch 2h: UPX: the Ultimate Packer for eXecutables - Download Ch 2i: BinText 3.03 McAfee Free Tools

Ch 3a: Process Monitor Download
Ch 3b: Process Explorer Download
Ch 3c: RegShot download
Ch 3d: Regshot user guide
Ch 3e: ApateDNS Download
Ch 3f: 3 Free Tools to Fake DNS Responses for Malware Analysis

Ch 5a: OpenRCE -- Free IDA Scripts

Ch 6a: Entry points for Windows programs

Ch 7b: Autoruns for Windows
Ch 7c: Anatomy of a Program in Memory
Ch 7d: assembly - The point of test eax eax
Ch 7e: CurrentControlSetServices Subkey Entries
Ch 7f: Globally unique identifier - Wikipedia
Ch 7g: SEH in x86 Environments
Ch 7h: assembly - What is the 'FS''GS' register intended for?
Ch 7i: winapi - FS register in Win32
Ch 7j: Ring (computer security) - Wikipedia

Ch 8a: Exploit Development for Mere Mortals Joe McCray - YouTube
Ch 8b: x86 Protected Mode Exceptions
Ch 8c: Enabling Postmortem Debugging - Windows 10 hardware dev
Ch 8d: Using Windows Event Viewer to debug crashes
Ch 8e: LiveKd for Virtual Machine Debugging

Ch 9a: Download OllyDbg 1.10
Ch 9b: OllyDbg v. 2.01 is EVIL; just misses functions found in v. 1.10
Ch 9c: OLLYDBG TUTORIALS! The Legend Of Random
Ch 9d: OpenRCE OllyDbg Plugins (down on 10-14-13)
Ch 9e: shell-storm Shellcodes Database

Ch 10a: Download Windows Symbol Packages
Ch 10b: ntoskrnl.exe - Wikipedia, the free encyclopedia
Ch 10c: Choosing the 32-Bit or 64-Bit Debugging Tools (Windows Debuggers)
Ch 10d: How To: Debug the WRK on Mac OS X Using VMware Fusion
Ch 10e: Assembly Code Debugging in WinDbg (Windows Debuggers)
Ch 10f: Microsoft Windows library files - HAL runs in kernel mode
Ch 10g: Windbg Tutorials
Ch 10h: A word for WinDbg
Ch 10i: Kernel Patch Protection - Wikipedia
Ch 10j: On Windows Syscall Mechanism and Syscall Numbers Extraction Methods
Ch 10k: The Sysenter Instruction and 0x2e Interrupt
Ch 10l: Hooking the System Service Dispatch Table (SSDT)
Ch 10m: Common WinDbg Commands (Thematically Grouped)

Ch 11a: Portable Executable - Wikipedia
Ch 11b: Resource Hacker
Ch 11c: Capturing Windows 7 Credentials at Logon Using a Custom Credential Provider (Replaces MSGINA.DLL)
Ch 11d: Detecting DLL Hijacking on Windows | SANS Institute (2015)
Ch 11e: Windows 10 Hooking Nirvana explained (2016)

Ch 13a: Tools for Examining XOR Obfuscation for Malware Analysis
Ch 13b: Base64 Decode and Encode - Online
Ch 13c:: Download FindCrypt2 (IDA Pro Plug-In)
Ch 13d: Kanal Free Download
Ch 13e: Entropy (information theory) - Wikipedia
Ch 13f: IDA Entropy Plugin
Ch 13g: IDA Entropy Plugin 0.1 -- working download link
Ch 13h: Ent -- entropy visualizer that works on Windows

Ch 15a: The Bastard Linux Disassembler (Linear)
Ch 15b: JUMP and CALL - Stack Overflow

Training Materials

Introductory: Chapter 0
Introduction to Malware Analysis Slides by Lenny Zeltser
Introduction to Malware Analysis - Free Recorded Webcast by Lenny Zeltser
Analysis of Malware Samples -- EXCELLENT TIPS FOR PROCESS MONITOR
Sam's Honeynet "Reverse Engineering Malware" Class Notes (Mar. 2012)

Assembly Language: Chapter 4
Windows Assembly Language Megaprimer -- VIDEO
Introductory Intel x86: Architecture, Assembly --Free class materials!
PE Structure--Excellent Diagram
Download jasmin x86 Assembler Interpreter
Jasmin tutorial - Java Assembler Interpreter

Windows Internals: Chapter 7
Windows 0wn3d By Default Mark Baggett -- VIDEO

Debugging: Chapter 8
Exploit Development for Mere Mortals Joe McCray -- VIDEO OllyDbg Tricks for Exploit Development

OllyDbg: Chapter 9
Exploit Dev Night School Day 2 - YouTube -- HIGHLY RECOMMENDED, MORE DEBUGGER DEMOS
Reverse Engineering 101 on Vimeo

Other Links
Catalog of key Windows kernel data structures
Malware Analysis Resources
Pwning a Spammer's Keylogger - SpiderLabs Anterior
SANS Memory Forensics Cheat Sheet (PDF)
An interesting case of Mac OSX malware
Picking Apart Malware In The Cloud - The business need for malware analysis
FakeNet -- Dynamic malware analysis tool
Static Analysis Talk
Worm 2.0, or LilyJade in action
Pwning the Herpes bothet and it's creator
A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability - Microsoft Malware Protection Center - Site Home - TechNet Blogs
Virtual USB Analyzer - Tutorial
PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion
FileInsight McAfee Free Tools
McAfee FileInsight -- recommended malware analysis tool
CSI:Internet - PDF timebomb
Static Analysis: Following Along at Home with Hopper's Decompiler Feature, Part 1
Deconstructing an ELF File
Malware Analysis Course Lecture Slides
Defeating Flame String Obfuscation with IDAPython
System Forensics: MBR Malware Analysis
Malware Hunting with the Sysinternals Tools
Honeypot Alert PHP-CGI Vuln Targeted For Database Dumping
Th3-0uTl4wS Database -- bot source code
Fuzzy Hashing presentation by Jesse Kornblum
Malware Unpacking Level: Pintool
WireShnork and other Forensics plugins for Wireshark
IntroductionToReverseEngineering
Tweaking Metasploit Modules To Bypass EMET -- Part 1
corkami - reverse engineering experiments and documentations
Modifying VirtualBox settings for malware analysis
What was that Wiper thing? - EXCELLENT MALWARE ANALYSIS
Malware Must Die!: Racing with time to get the latest payload of Blackhole Exploit Kit
Extracting EXE file (in HTTP stream) from captured packets file with Wireshark
Analyzing Unknown Malware: #2 Disclosure of an interesting Botnet - The Executable (Part 1)
Malware Analysis as a Hobby slides --Cuckoo looks great!
Shamoom The Wiper: further details (Part II) - Securelist
Backdoors are Forever: Hacking Team and the Targeting of Dissent
The Case of the Unexplained FTP Connections
Analysis of malware that infects virtual machines
Deobfuscating "PluginDetect"
To Russia With Targeted Attack
Windows DLL Injection Basics
Reverse engineering challenge intended for women
India APT Attack -- Several useful tools demonstrated
MFT vs Super Timeline: Part 1
Stack Smashing On A Modern Linux System -- Good gdb examples
Nothink.org -- EXCELLENT HONEYPOT DATA
Oh, you found a remote OpenSSH 0-day on Pastebin? Don't trust it.
KernelMode.info -- Site to get real malware samples
MalwareURL -- Site to get real malware samples
Malc0de Database -- Site to get real malware samples
PEiD 0.95 Free - Detects packers, cryptors and compilers
QUnpack -- recommended unpacker
ThreatExpert - Automated Threat Analysis
TCPView for Windows -- traffic monitoring
Total Uninstall Analyze, monitor and uninstall programs -- useful for malware analysis
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code -- recommended book
Volatility Cheat Sheet
Good analysis of the malware at speedtest.net
Free Online Malware Analysis Class
APT #TargetedAttacks within Twitter
How to use MANDIANT Memoryze
contagio: Collection of Pcap files from malware analysis
Malware analysis lab tools
6.25 DNS DDOS Attack In Korea -- Good example of simple dynamic analysis
Mandiant Redline is Free
Windows 8 Server 2012 Memory Forensics
Structured Exception Handler EXPLOITATION
Malware and DLLs
Trojaning antivirus uninstallers with DLL injection
When Malware Meets Rootkits (from 2005)
Process Hiding
Dr. Fu's Security Blog: Malware Analysis Tutorials: a Reverse Engineering Approach -- MORE PROJECTS HERE
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code -- RECOMMENDED BOOK
SANS Work Study -- Get SANS classes for cheap!
Finding Evil: Automating Autoruns Analysis
Attackers' Toolbox Makes Malware Detection More Difficult
Large botnet cause of recent Tor network overload
Pushdo Botnet detects "FakeNet" analysis tool and spams practicalmalwareanalysis.com (Sept, 2013)
Reverse Engineering a D-Link Backdoor with IDA Pro
Anatomy of an exploit -- inside the CVE-2013-3893 Internet Explorer zero-day -- Part 1
binwalk - Firmware Analysis Tool
Reverse Engineering Videos
How to solve Windows system crashes in minutes --Debugging crash dumps
Kernel Pool Exploitation on Windows 7 (from 2011)
Analysis of a Malware ROP Chain
New Tool: XORStrings
Strings from CSRSS show command-line history on Windows
Reconstructing Master File Table (MFT) Entries with MFTParser.py
The OpenIOC Framework -- for sharing threat intelligence
security-onion - recommended for Snort GUIs
Malware Research -- samples
Barracuda Launches Web-Based Malware Analysis Tool Threatglass
Malware Analysis with pedump
Practical Malware Analysis - Free Download eBook - pdf (works as of 2014-07-16)
What is a mutex? - EPIC EXPLANATION
OfficeMalScanner -- detects malware in Office files
Hopper -- Mac OS X Disassembler, highly recommended by @iamevltwin
fseventer for Mac -- observe filesystem changes
logkext - Freeware keylogger for OS X
contagio: OSX malware and exploit collection (~100 files)
Shellter -- inject Metasploit payloads into PE files to bypass AV
Exeinfo PE Download
How to setup plugins for ollydbg 2.x.x?
Download OllyScript to Automate Packing
Download OllyScript PE Compact Script
QuickUnpack Tool -- Download
Ether: Malware Analysis via Hardware Virtualization Exsensions -- Free online unpacker
MacMemoryForensics - volatility - Instructions on how access and use the Mac OS X support
PEStudio performs the static investigation of Windows executables
Valgrind Tutorial
PEStudio: static malware analysis tool ty @lennyzeltser #S4con
Process Hacker can dump strings from running processes ty @lennyzeltser #S4con
Google mutant names to help identify malware ty @lennyzeltser #S4con
Malware Analysis Database -- search for mutex values & more ty @lennyzeltser #S4con
ProcDOT - Visual Malware Analysis ty @lennyzeltser #S4con
urlvoid.com Website Reputation Checker Tool ty @lennyzeltser #S4con
Exeinfo PE -- Identifies packers ty @lennyzeltser #S4con
Hacker Disassembly Uncovered (free download)
Reversing & Malware Analysis - FREE TRAINING SLIDES
The evolution of OS X malware (Oct. 2014)
Bypassing EMET's EAF with custom shellcode using kernel pointer (from 2011)
Disarming Enhanced Mitigation Experience Toolkit (EMET) v 5.0
Cuckoo Sandbox VM Escape Vulnerability (2014)
Rootkits by Csaba Barta (from 2009)
Malwr - Malware Analysis by Cuckoo Sandbox
Malware Investigator -- from the FBI
Reversing a malvertisment: javascript, regex, and cookie
POWELIKS Levels Up With New Autostart Mechanism
Malicious Flash Files Gain the Upper Hand With New Obfuscation Techniques Security Intelligence Blog
Inside a Kippo honeypot: how the billgates botnet spreads -- PROJECT IDEA
Hook Analyser
Online JavaScript beautifier -- deobfuscates code! -- IMPORTANT FOR MALWARE ANALYSIS
Retrieve the apk signature at runtime for Android
2015-10-07: IOS Application Security Testing Cheat Sheet - OWASP
theZoo · Malware Samples to Analyze ty @the_fire_dog
Malware Researcher\'s Handbook (Demystifying PE File) - InfoSec Resources
RPISEC/Malware: Course materials for Malware Analysis
Malware Analysis by Abstruse Goose
A Crash Course In DLL Hijacking -- EXCELLENT EXPLANATION
x64dbg: An open-source x64/x32 debugger for windows -- ALTERNATIVE TO IDA PRO
REMNUX V6 FOR MALWARE ANALYSIS (PART 2): STATIC FILE ANALYSIS
Microsoft security technology EMET used to disable itself (Feb. 2016)
The Ultimate Disassembly Framework -- Capstone
Malwarebytes 2.2.0.1024 DLL Hijacking (works on Win 2008 Server but not Win 10) -- SHOW TO CLASS
Win32 Assembly Cheat Sheet
Local Kernel-Mode Debugging - Windows 10 hardware dev
WinDbg tools and tutorials
pestudio: Malware Initial Assessment Tool
Identifying malware with PEStudio
A fundamental introduction to x86 assembly programming
Practical Malware Analysis Starter Kit
Introductory Intel x86: Architecture, Assembly, Applications - YouTube
Assembly Primer for Hackers (Part 1) System Organization Tutorial.mp4 - YouTube
Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)
GitHub - RPISEC/Malware: Course materials for Malware Analysis by RPISEC
Manalyzer: free online static analysis
WARNING: Tweet to download live Locky malware (BE CAREFUL)
Kwetza: infecting android applications -- MAKE INTO PROJECT
pwning bin2json | psych0tik
Microsoft/binskim: A binary static analysis tool that provides security and correctness results for Windows portable executables.
GitHub - GoSecure/malboxes: Builds malware analysis Windows VMs so that you don't have to.
pev - the PE file analysis toolkit -- MAY BE USEFUL FOR PROJECTS
pev Video Demo
Plasma is an interactive disassembler for x86/ARM/MIPS. It can generates indented pseudo-code with colored syntax. -- TRY FOR PROJECTS
CS7038-Malware-Analysis by ckane
Reverse Engineering Malware 101 -- free online course

New Unsorted Links
My first SSDT hook driver
SSDT Hooking mini-library/example - RaGEZONE - MMO development community
Shadow SSDT Hooking with Windbg
Download Windows Driver Kit Version 7.1.0 from Official Microsoft Download Center
InstDrv plug-in - NSIS
Installing the AWS Command Line Interface
HowTo Export a VM in OVA format in VMware Fusion for OS X with ovftool
FLARE VM: The Windows Malware Analysis Distribution You've Always Needed!
pestudio -- USEFUL FOR MALWARE ANALYSIS
Dropper Analysis -- TEST FOR PROJECT
GUnpacker 0.5 | Generic Unpacker for RE of Malware
wsunpacker -- unpacks many formats
Ether: Online Malware Unpacker
Portable Executable File Corruption Preventing Malware From Running -- USE FOR PROJECTS
fireeye/flare-floss: FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Practical Malware Analysis Chapter 1 Lab Attempt - YouTube
Kernel Forensics and Rootkits
pestudio: Malware Initial Assessment Tool
Malware Analysis Tutorials: a Reverse Engineering Approach
Reversing Basics - A Practical Approach Using IDA Pro
Ch 8f: LiveKd for Virtual Machine Debugging -- Mark's Blog
ScyllaHide: conceals debuggers from malware
Process Doppelganging Malware Evasion Technique (from 2017) ty @lennyzeltser #IRespondCon
Processhacker: Monitor system resources, debug software and detect malware --ty @lennyzeltser #IRespondCon
Invoke-DOSfuscation: Cmd.exe Command Obfuscation Tool -- ty @lennyzeltser #IRespondCon
olevba -- Extracts VBA Macros from Microsoft Office files -- ty @lennyzeltser #IRespondCon
Malware-Traffic-Analysis.net A source for pcap files and malware samples ty Andrea Kaiser #IRespondCon
MalShare: A free Malware repository providing researchers access to samples, malicous feeds, and Yara results
VirusShare.com - Because Sharing is Caring
Detect It Easy -- Unpacker for Windows malware
CFF Explorer -- Malware Analysis Tool
pestudio -- malware analysis tool
Game Hacking: WinXP Minesweeper - Reverse Engineering
Automated Malware Analysis - Joe Sandbox
Ch 10n: About Dynamic-Link Libraries | Microsoft Docs
Ch 10n: Callback Objects | Microsoft Docs
Ch 10o: Using a Driver-Defined Callback Object | Microsoft Docs
Exeinfo PE by A.S.L - packer - compression detector and data detector
GitHub - horsicq/Detect-It-Easy: Detect it Easy
The Mac Malware of 2018--WITH SAMPLES
OALabs Malware Analysis Virtual Machine
Intro to Cutter for Malware Analysis
Three Heads are Better Than One: Mastering Ghidra
Top 10 Free Keyloggers for Windows
EgeBalci/Keylogger: Simple C Keylogger...
Understanding and Analyzing Carrier Files Workshop
Modern Windows Exploit Development.pdf
Rootkit analysis Use case on HideDRV
TDSS part 1: The x64 Dollar Question
Bochs Hacking Guide
CFF Explorer -- use for malware analysis
Vergilius: Take a look into the depths of Windows kernels--USE FOR PROJECTS
2020-10-15: Recommended Mandiant and FireEye Blogs
Malware_Reverse_Engineering_Handbook.pdf
Malware Samples for Students
Windows System Processes: An Overview For Blue Teams
Persistence AppInit DLLs Penetration Testing Lab
The Art Of Mac Malware
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Labs | CyberDefenders Â® | Blue Team CTF Challenges
A detailed analysis of ELMER Backdoor used by APT16 CYBER GEEKS
Analyzing APT19 malware using a step-by-step method CYBER GEEKS
Dissecting APT21 samples using a step-by-step approach CYBER GEEKS
Detecting Mimikatz with Sysmon
Packing and Process Injection to Evade Windows Defender
GitHub - danzajork/evasion: Windows packer
Finding Privilege Escalation Vulnerabilities in Windows using Process Monitor - Wiki - VulWiki
Rootkits in Windows 10 - Windows security | Microsoft Docs
2022-02-11: Malware Analysis Series
Malware Analysis Tutorials: a Reverse Engineering Approach
Malware analysis CTF created by myself and @HBRH_314
Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code
How to Use the Slmgr activate and Slmgr rearm up to 8 times
DLL Hijack Libs
PMA 600: FLARE-ON 9 (2022) (requires password)
NASM Assembly Language Tutorials - asmtutor.com
How to Bypass Windows 11's TPM, CPU and RAM Requirements--THIS WORKS
How to bypass internet connection to install Windows 11--THIS WORKS
Winbindex - The Windows Binaries Index
MVS Collection: Windows ISOs
WindowsProtocolTestSuites
Binary Refinery tutorial
Meterpreter vs Modern EDR(s)--USE FOR PROJECT
Can't inject meterpreter shellcode in c code - Information Security Stack Exchange
Ring Zero Labs: Godbolt: Your Gateway to Learning Reverse Engineering
Decompiler Explorer
Symbolic Execution for the Win: Pwning CTFs with angr
Any.Run Analysis--USE FOR PROJECTS
Unveiling LummaC2 stealerâ€™s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection - Outpost24
2025-06-19: GitHub - TheWover/donut: Generates x86, x64, or AMD64 x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters

Last Updated: 5-12-26 11:17 am

CNIT 126: Practical Malware Analysis

Spring 2026 Sam Bowne

Schedule · Lecture Notes · Projects · Links · Home Page

Use Twitch

Free Textbook Access

Catalog Description

Textbook

Quizzes

Discussion Board

Schedule (may be revised)

Lecture Notes

Basic Analysis

Advanced Static Analysis

Advanced Dynamic Analysis

Malware Functionality

Anti-Reverse-Engineering

Special Topics

Links

Lab Files

Chapter Links

Training Materials

Introductory: Chapter 0

Assembly Language: Chapter 4

Windows Internals: Chapter 7

Debugging: Chapter 8

OllyDbg: Chapter 9

Other Links

New Unsorted Links