Practical Malware Analysis

Sam Bowne


DEF CON China 2018 #129538
DEF CON China 2018 #218526
RSA 201815538
BSidesLV 201718526
DEF CON 25 (2017)26074
CactusCon 201717039

Workshop Description

Learn how to analyze malware, including computer viruses,
Trojans, and rootkits, using disassemblers, debuggers,
static and dynamic analysis, using IDA Pro, OllyDbg and other tools.

Familiarity with programming in C and assembler is helpful but not necessary.

All the projects run on a single Windows Server 2008 machine.
You can run it locally on VMware or VirtualBox, or in the cloud with NETLAB.

Local Hosting


VMware Player (for Windows hosts, free)
VMware Fusion (for Mac hosts, 30-day trial)
VirtualBox (free for all platforms)


For VMware: Win2008Malware.7z
Size: 2,073,173,278 bytes
SHA-256: c2d59bb80d71cb73350fe436d2658eeb46c869edce66c950ce97268e2a2fa25a

For VirtualBox: Win2008MalwareVB.7z
Size: 3,754,472,442 bytes
SHA-256: 879584a72752a3a22843b21e02992e6aa78ad4b73aed5536a44c91613d813113

For Hyper-V: Svr8Vm12.7z
Size: 2.21 GB

Cloud Hosting

Login     Reserve "NDG 1 Server Pod (no lab)"

Hosted by  


I: Basic Static Analysis

1. Basic Static Techniques (10)
2. Unpacking (10)
3. Challenge: Name the Packer  (5)
4. Challenge: Datestamp (5)

II: Basic Dynamic Analysis

5. Basic Dynamic Analysis (10)
6. Keylogger (15)
7. Challenge: Beacons (10)

III: Advanced Static Analysis

8. Jasmin
9. Challenge: Secret Message (10)
10. IDA Pro
11. Challenges with IDA (50)

IV: Advanced Dynamic Analysis

12. Simple EXE Hacking with Ollydbg (20)
13: Adding Trojan Code with LordPE (20)
14: Patching EXEs with Ollydbg (100)
15. Kernel Debugging with LiveKd & WinDbg (15)
16. SSDT Hooking (15)

More Training

CTF-Style Workshops

Violent Python (Easiest)
Exploit Development for Beginners (Easy)
Crypto Hero (Intermediate)
Practical Malware Analysis (Hardest)

Whole Classes

CNIT 123: Ethical Hacking and Network Defense
CNIT 124: Advanced Ethical Hacking (Includes Violent Python)
CNIT 125: CISSP Prep
CNIT 126: Practical Malware Analysis
CNIT 127: Exploit Development
CNIT 128: Hacking Mobile Devices
CNIT 129S: Securing Web Applications
CNIT 141: Cryptography for Computer Networks

Student Assistants

Elizabeth Biddlecome

LinkedIn · Resume

I have over 15 years of experience as a consultant in devising innovative technical solutions for small to medium enterprise needs. As a consultant, I'm devoted to creatively and effectively solving problems while providing a satisfying user experience. Throughout my career as a full stack software engineer, my enthusiasm for architecture, security, and server-side programming has driven my ability to architect robust apps, while my strong design skills have allowed me to create attractive, engaging UI designs to spec. Craftsmanship is critical to my work- I perceive code as art.

Information Security is a deep passion of mine; I enjoy contributing as a core member of my team in local and national cybersecurity competitions as I transition fully into this space professionally.

As engineers, I believe that we have signed up for a life-long learning process, and will always be students in one regard or another. I am also a dedicated educator, teaching both working professionals and adolescent through young adult students. MissionBit is a non-profit working within the San Francisco Unified School District, working toward the goal of closing the tech divide via mentoring the next generation of engineers, software developers, project managers, and security professionals in their career pursuits, with a particular focus on underrepresented minority and economically disadvantaged students.

Elizabeth With Her "Software Engineer Pathways to Employment" Class at Microsoft

Dylan James Smith

Dylan James Smith has over 20 years experience in network, technology, and systems consulting. Smith has worked with artists, attorneys, and businesses to find, integrate, and train to their tailor fit solutions. Smith's interest in privacy and security have lead to his current pursuit to spread awareness and teach, as well as work, in the security industry. He is seeking opportunities for hands on day to day security work and companies interested in supporting awareness and training to underserved communities.

Posted: 4-17-18 6:38 am
Class and contest list added 4-18-18
More grading forms added 4-19-18
RSA scores added 4-19-18
Logo added for DEF CON China 4-21-18
Video from RSA 2018 added 4-21-18
Chinese pages added 5-2-18
More Chinese pages added 5-6-18
Assistants info added 5-8-18
Video removed 5-12-18