Malware Analysis Fundamentals Workshop
By Eng. Eslam Mohamed Abbas
0- Introduction
• 0-1 Who Am I?
• 0-2 What Will We Study In This Workshop?
• 0-3 How Will We Study And Practice Well?
• 0-4 Tasks & Meetings System
• 0-5 Closing
1- Some General Basics
• 1-1 Basic Programming Concepts
• 1-2 C Basics
• 1-3 Python Basics
• 1-4 Encoding, Encryption And Hashing Basics
• 1-5 CPU Architecture Basics (Intro To Assembly - Registers - Memory - Stack - Heap)
• 1-6 OS Basics (Processes - Threads - Mutexes - Services - EXE & COM - Registry - Handles - Windows APIs)
• 1-7 Network Basics (OSI Layers - Intro To Wireshark)
2- Dive Into The Malware World
• 2-1 What Is Malware?
• 2-2 Types Of Malware
• 2-3 Steps Of Analysis
3- Your Environment And Your Weapons
• 3-1 What Is A Virtual Machine?
• 3-2 Install Your Virtual Machine And Start Your Configurations
• 3-3 Some Important Tools And Settings
4- Basic Static Analysis
• 4-1 What Is Basic Static Analysis And Why Will We Use It?
• 4-2 Some Techniques In BSA
• 4-3 Some Important Tools And Websites
• 4-4 What Is A PE?
• 4-5 Some Operations And Tools For Dealing With PE Files
• 4-6 What Do Packing & Obfuscation Mean, And How Are They Used In PE Files?
• 4-7 Analyzing A PE After Fully Deobfuscating & Unpacking It
• 4-8 Analyzing A PE After Partly Deobfuscating & Unpacking It
• 4-9 How To Deal With Unknown Obfuscated PE Files?
5- Basic Dynamic Analysis
• 5-1 What Is Basic Dynamic Analysis And Why Will We Use It?
• 5-2 What Is A Sandbox And What Is The Benefit Of It?
• 5-3 Some Practical Examples Of Sandboxes
• 5-4 Run Real Malware In A Sandbox
• 5-5 Start Observing Malware Behavior (Processes - WinAPI - File System - Registry - Network Access)
6- Get Into Assembly x86
• 6-1 What Is Assembly, And Why Do We Need To Understand It Well?
• 6-2 Data Moving Operations With Assembly
• 6-3 Arithmetic Operations With Assembly
• 6-4 Logical Operations With Assembly
• 6-5 Control Flow Operations With Assembly
• 6-6 String Operations With Assembly
• 6-7 Miscellaneous Instructions With Assembly
7- Dive Into Assembly x86
• 7-1 Function Shape And Stack Layout In Assembly Code
• 7-2 Function Calling Conventions In Assembly Code
• 7-3 If & Nested If Shape In Assembly Code
• 7-4 Switch & Jump Table Shape In Assembly Code
• 7-5 For Loop Shapes In Assembly Code
• 7-6 While Loop Shape In Assembly Code
• 7-7 Arrays & Structs Shape In Assembly Code
8- Dive Into IDA & Disassembly Algorithms (Advanced Static Analysis)
• 8-1 What Is IDA, Why Do We Need It, And How To Install It?
• 8-2 Workflow With IDA
• 8-3 Navigation Bar In IDA
• 8-4 Some Operations With IDA
• 8-5 IDC & Python With IDA
• 8-6 Plugins In IDA And How To Install Them
• 8-7 Practical Working With IDA
9- Intro To Ghidra (Advanced Static Analysis)
• 9-1 What Is Ghidra And What Is The Difference Between It And IDA?
• 9-2 Workflow With Ghidra
• 9-3 Some Operations With Ghidra
• 9-4 Install Scripts In Ghidra
• 9-5 Practical Working With Ghidra
10- Intro To Debuggers (Advanced Dynamic Analysis)
• 10-1 What Are Debuggers And Why Do We Need Them?
• 10-2 The Debugger GUI, Its Controls And Windows
• 10-3 Working With Debuggers (Step Into - Step Over - Step Out - Undo, Run - Reload - Run To User, Breakpoints)
• 10-4 Working With DLL Files
• 10-5 Tracing & Patching
• 10-6 Some Important Plugins And Their Functionality
• 10-7 Practical Working With Debuggers
11- Reporting
• 11-1 Malware Analysis Report Overview
• 11-2 Extract Identifiers & IOCs Of Malware
• 11-3 Write A Report For Real Malware