
Malware Reverse Engineering: Beginner to Advanced
On-Demand Training
By Abhijit Mohanta
Author of books
https://academy.intelliroot.com/
30,000 INR / 375 USD
excluding taxes
About the Trainer: Abhijit Mohanta
CTO and Co-Founder, Intelliroot
17+ years in the malware industry as a security researcher
2 books, 6 patents, multiple blogs, paper presentations at conferences
Development of antivirus, sandbox and EDR products
Worked at McAfee, Symantec, Juniper Labs
Worked on malware analysis and detection, reverse engineering and
vulnerability research
Provided training at NASSCOM, DIAT (Defense Institute of Advanced
Technology), AICTE
Spoke at various conferences: DSCI, AVAR, SANS, x33Fcon, DMZCon
Testimonials from Students
Uniqueness
Beginner friendly
Quick recap of basic malware analysis
Detailed explanation of assembly instructions, with labs
Detailed explanation of Windows internals, with labs
Concepts explained with animations and custom samples
Covers the full diversity of Windows malware
Malware written in various programming languages: VC++, VB, Golang
Reverse engineering of ransomware, POS malware, rootkits
Learn to de-obfuscate and unpack malware
Learn to analyze the variety of techniques used in malware: anti-analysis techniques, API hooking,
code injection, rootkits
Learn to use multiple RE tools:
Ghidra, OllyDbg, x64dbg, IDA Pro, Process Hacker
Close to 100 lab exercises
Approximately 40 hours of video
Student Material
One year of online access to the videos of "Malware Reverse
Engineering: Beginner to Advanced (On-Demand)", hosted on
https://academy.intelliroot.com/
Malware samples provided
No PDFs are provided
Doubt clearance sessions
Career guidance in malware analysis
Table Of Contents
Module 1. Introduction (1 hour)
The module introduces malware analysis and the roles that require it.

The module covers the following topics:

Introduction
Lab setup
Module 2. PE file format (1.5 hours)
A portable executable has many fields that one needs to understand,
not only for basic analysis but also for complex concepts like hooking.
The module covers the following concepts:
PE file creation
PE file static attributes
PE file execution and its mapping into virtual memory
Important concepts in the PE file: VA, RVA, entry point, imports, exports
Different types of PE files

Difficulty level: beginner


Module 3. Windows Internals (45 minutes)
The module gives a high-level overview of the Windows operating system,
as required for malware analysis.

The module covers the following concepts:

Windows file system
Basic process internals: process virtual memory, handles, threads, thread
context
Windows Registry

Difficulty level: beginner


Module 4. Basic Malware Analysis (45 mins)
This module serves as a quick review of both static and dynamic analysis
methodologies, including critical topics such as virtual memory analysis and
API logging that analysts often overlook. The module is also helpful for those who
are completely new to malware analysis.

The module covers the following:

Malware analysis steps
Static analysis
File format identification
Use of Procmon
Virtual memory analysis and string extraction
API logging

Difficulty level: beginner


Module 5. Tools manual (2 hours)
Reverse engineering requires proficiency with a set of tools such as
Ghidra, IDA and x64dbg. The module teaches the configuration and
basic usage of all the tools.

The module covers the configuration and basic usage of the following tools:
Ghidra
OllyDbg
x64dbg
IDA
API loggers
Others
Difficulty level: beginner
Module 6. Assembly instructions (4 hours)
Assembly language is always a hurdle for those who aspire to learn reverse engineering.
The module has been specially designed for beginners so that they can learn assembly
easily. The learning process has been smoothed with the help of animations and
custom-tailored samples.

The module covers the following topics:

Computer architecture: code execution, instructions, registers, memory
Data movement instructions
String instructions
Arithmetic instructions
Control flow instructions
Function calls, parameters, stack
Memory layout of arrays, stacks, local variables
Calling conventions
Understanding instructions and opcodes

Difficulty level: beginner and intermediate


Module 7. Disassembly reading (1 hour)
The module focuses on reading disassembly and deriving meaning from
it.
The module covers the following concepts:
Read code listings in a disassembler and a debugger
Identify local variables, global variables
Identify functions, parameters
Identify arrays and structures
Identify complex data structures like arrays of structures and linked lists

Difficulty level: beginner, intermediate and Advanced


Module 8 - Windows Internals part 1 - Windows API Internals
(30 minutes)
Windows malware implements its malicious techniques with the help of
APIs, so one needs to understand how to analyze API calls. Understanding
API internals also helps to understand how detection techniques are developed
and how malware evades detection.

The module covers the following concepts:

Referencing the API documentation
How to read API parameters
Analyze parameters passed as structures
API variations: native Nt* versions, ANSI (A) and Unicode (W) variants
Understanding the API call flow from user mode to kernel mode and syscalls: a concept useful in
analyzing malware, EDR bypass techniques and API hooking
Identifying API sequences in malware code to identify the techniques employed by malware

Difficulty level: beginner, intermediate and Advanced


Module 9 - Windows Internals - part 2 - Common
API sequences in Malware (1 hour)
Covers commonly seen API sequences across all kinds of malware. Knowing
these sequences accelerates reverse engineering: they recur across most
malware, so one does not need to re-analyse them each time.
The module covers the following concepts:
Process iteration
File iteration
API resolution
Resource extraction
Registry manipulation
Thread APIs

Difficulty level: beginner, intermediate and Advanced


Module 10 - Windows Internals - part 3 - Debugging
DLLs, COM Objects, Services, PEB (1 hour)
Learn techniques to debug programs that cannot be debugged as
straightforwardly as .exe files.

The module covers the following concepts:

Debugging DLLs
Debugging COM objects
Debugging Windows services
Difficulty level: beginner, intermediate and Advanced
Module 11 - Cryptography in Malware
(1 hour 15 mins)
Cryptography is used by malware to hide its own data and, most
visibly, in ransomware. Understanding the topic will help you to
debug ransomware, which is covered in the Payload Analysis module.

The module covers the following concepts:

Understand and debug the Windows cryptographic API
Identify crypto algorithms in malware

Difficulty level: beginner, intermediate and Advanced
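
The following is an added example, not course material or code by the author. It shows the constant-scanning approach behind "identify crypto algorithms in malware": well-known initialisation values and tables (SHA-256 and MD5/SHA-1 initial state, MD5 round constants, the AES S-box, the CRC-32 table) are searched for in a byte blob, first as a contiguous little-endian table and, failing that, as individual 32-bit immediates, because optimising compilers frequently inline such constants into the code stream instead of emitting a table. The byte blob is constructed inside build_sample_blob() and is not a real sample; the match thresholds are the example's own choices.

```python
import struct

# Constants that betray a primitive, stored as 32-bit words so they can be
# matched both as a contiguous little-endian table and as scattered immediates.
WORD_TABLES = {
    "SHA-256 initial hash values": [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                                    0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19],
    "MD5/SHA-1 initial state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "MD5 round constants T[1..4]": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "CRC-32 table (poly 0xEDB88320)": [0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA],
}
BYTE_TABLES = {
    "AES forward S-box (first 16 entries)": bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
                                                   0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76]),
}


def scan_crypto_constants(data):
    """Return sorted (offset, algorithm, how) hits for known crypto constants in data."""
    hits = []
    for name, words in WORD_TABLES.items():
        table = struct.pack("<%dI" % len(words), *words)
        off = data.find(table)
        if off != -1:
            hits.append((off, name, "contiguous table"))
            continue
        # No table: look for each non-zero word on its own, which catches the
        # `mov [mem], imm32` / `mov reg, imm32` form an optimising compiler emits.
        candidates = [w for w in words if w != 0]
        present = [o for o in (data.find(struct.pack("<I", w)) for w in candidates) if o != -1]
        if len(present) >= max(2, len(candidates) // 2):
            hits.append((min(present), name,
                         "%d/%d words as scattered immediates" % (len(present), len(candidates))))
    for name, table in BYTE_TABLES.items():
        off = data.find(table)
        if off != -1:
            hits.append((off, name, "contiguous table"))
    return sorted(hits)


def build_sample_blob():
    """Constructed x86 byte blob (not a real sample): the SHA-256 IV words emitted as
    `mov dword ptr [ebp+disp8], imm32` (C7 45 disp8 imm32), then an AES S-box and a
    CRC-32 table stored as data, separated by int3 padding."""
    code = b""
    for i, w in enumerate(WORD_TABLES["SHA-256 initial hash values"]):
        code += b"\xC7\x45" + bytes([0xE0 + 4 * i]) + struct.pack("<I", w)
    return (code + b"\xCC" * 32
            + BYTE_TABLES["AES forward S-box (first 16 entries)"] + b"\xCC" * 32
            + struct.pack("<4I", *WORD_TABLES["CRC-32 table (poly 0xEDB88320)"]))


if __name__ == "__main__":
    for off, name, how in scan_crypto_constants(build_sample_blob()):
        print("0x%04x  %-40s %s" % (off, name, how))
```

Algorithms without distinctive constants (RC4, simple XOR loops, custom ciphers) do not show up this way; for those, look for the 256-byte key-scheduling loop or the byte-wise XOR in the disassembly instead.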


Module 12 - Compilers used by Malware
(30 minutes)
Compilers play a critical role in generating both legitimate and
malicious binaries. A compiler inserts its own runtime code into the binaries it
produces, and that code is common to malware and clean files alike. Analysts
might therefore end up analyzing compiler code instead of the actual malicious
code.
The module covers the following topics:
Identify the compiler used to build the malware
Identify the compiler stub
Identify main in VC++ binaries

Difficulty level: beginner, intermediate and Advanced


Module 13 - Networking in Malware
(1 hour 45 mins)
All kinds of malware use the network to communicate with the command-and-control
(CnC) server and to exfiltrate data to the attacker.

The module covers the following concepts:

Basic concepts like network byte order and related APIs such as htons
Understand socket APIs and HTTP APIs
Locating DGA algorithms
Identify lateral movement code in malware

Difficulty level: beginner, intermediate and Advanced


Module 14 - Packers and Unpacking (3 hours)
Malware uses packers to protect executables from the static file detection
used in antivirus products. The packer hides the actual functionality of the malware.
To understand the actual functionality of a packed sample, one needs to
unpack it and extract the actual payload.

The module covers the following concepts:

Understand packers and the process of packing binaries
Steps and code involved in packed binary execution
Unconventional and undocumented ways to unpack malware
A systematic way to reverse packed binaries rather than just putting breakpoints on
some APIs

Difficulty level: beginner, intermediate and Advanced
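
The following is an added example, not course material or code by the author. It ties together the Module 2 concepts (DOS and NT headers, the section table, converting an RVA to a file offset, locating the entry point) with the static indicators of packing discussed in this module: an entry point outside the usual code section, a section whose contents have near-maximal entropy, and a section that is both writable and executable. The PE image it parses is constructed in build_sample_pe() to mimic a UPX-style two-section layout and is not a real file; the 7.0 bits-per-byte entropy threshold is a common rule of thumb, not a value from the course.

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Parse the DOS header, PE32/PE32+ optional header and section table.
    Returns machine, image_base, entry_point (an RVA) and the section list."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HH3IHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    if magic == 0x10B:                                             # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                           # PE32+ has no BaseOfData
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, (relocs/linenumbers fields), Characteristics
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8s6IHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr,
                         "raw_size": raw_size, "characteristics": chars})
    return {"machine": machine, "image_base": image_base,
            "entry_point": entry_point, "sections": sections}


def section_for_rva(pe, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        # on disk SizeOfRawData may exceed VirtualSize, so span the larger of the two
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset; None when no file bytes back that address."""
    s = section_for_rva(pe, rva)
    if s is None or rva - s["va"] >= s["raw_size"]:
        return None   # unmapped, or in the zero-filled virtual tail of the section
    return s["raw_ptr"] + (rva - s["va"])


def shannon_entropy(buf):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(pe, data):
    """Cheap static hints that a binary is packed; each hit is a readable string."""
    hits = []
    ep_sec = section_for_rva(pe, pe["entry_point"])
    if ep_sec is None:
        hits.append("entry point 0x%x lies outside every section" % pe["entry_point"])
    elif ep_sec["name"] not in (".text", "CODE"):
        hits.append("entry point is in section %r, not the usual code section" % ep_sec["name"])
    for s in pe["sections"]:
        ent = shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
        if ent > 7.0:   # rule-of-thumb threshold for compressed or encrypted content
            hits.append("section %r has entropy %.2f" % (s["name"], ent))
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append("section %r is both writable and executable" % s["name"])
    return hits


def build_sample_pe():
    """Constructed two-section PE32 image with a UPX-like layout (not a real sample)."""
    text = b"\x90" * 0x200                 # low-entropy stand-in for compiled code
    upx1 = bytes(range(256)) * 4            # synthetic high-entropy stand-in for a packed payload
    # Magic, linker ver, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint (in UPX1), BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    opt = struct.pack("<HBB9I", 0x10B, 14, 0, len(text), len(upx1), 0,
                      0x2000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    opt += b"\0" * (224 - len(opt))
    file_hdr = struct.pack("<HH3IHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = struct.pack("<8s6IHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8s6IHHI", b"UPX1", len(upx1), 0x2000, len(upx1), 0x400, 0, 0, 0, 0, 0xE0000040)
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + secs
    return hdr + b"\0" * (0x200 - len(hdr)) + text + upx1


if __name__ == "__main__":
    data = build_sample_pe()
    pe = parse_pe(data)
    ep = pe["entry_point"]
    print("entry point VA 0x%x (RVA 0x%x) -> file offset 0x%x"
          % (pe["image_base"] + ep, ep, rva_to_offset(pe, ep)))
    for hit in packer_indicators(pe, data):
        print("  [!]", hit)
```

Feeding the script a real packed file instead of the constructed image only needs `data = open(path, "rb").read()`; the same RVA-to-offset logic is what lets you set a file-level breakpoint on the entry point before the unpacking stub runs.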


Module 15 - Code Injection (2 hours)
Malware uses code injection to conceal its actual functionality by
injecting code into clean processes. Code injection is also the basis of
techniques like API hooking, which in turn is used by rootkits.

The module covers the following concepts:

Conventional code injection techniques like shellcode injection and DLL injection
Advanced techniques like thread hijacking, sections and views, process hollowing
Learn tricks to debug both the injector and the injected code

Difficulty level: beginner, intermediate and Advanced


Module 16 - API Hooking (2.5 hours)
API hooking is a method of modifying the functionality of a process by
manipulating its APIs in memory. The technique is used by anti-malware
software as well as by malware: API hooking is used by banking trojans
and rootkits. In this module, one learns how hooks work
and how to recognize them in disassembly.
The module covers the following concepts:
API hooking basics
Types of API hooks: inline hooking, IAT hooking etc.
Identifying and debugging hooks
Banking trojan web injects and debugging of web-inject malware

Difficulty level: beginner, intermediate and Advanced
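
The following is an added example, not course material or code by the author. It shows how an inline hook is recognised from the first bytes of a function: the trampolines that hooking engines (in malware and in security products alike) write over a prologue are a handful of well-known encodings (jmp rel32, jmp [mem], push imm32/ret, mov rax, imm64/jmp rax), so the detector decodes those and reports where control is diverted, and a second check confirms the hook by diffing the in-memory prologue against the clean copy from the DLL on disk. All addresses and bytes are constructed; the "clean" x64 bytes imitate the shape of an ntdll Nt* syscall stub (mov r10, rcx; mov eax, imm32) but are illustrative, and make_jmp_rel32() is the example's own helper.

```python
import struct

MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1


def detect_inline_hook(addr, code, bits=64):
    """Classify a hook trampoline at the start of a function, or return None.

    addr is the function's virtual address, code the bytes read there.
    The result names the trampoline kind and either the 'target' control
    is diverted to or the pointer 'slot' an indirect jmp reads from.
    """
    mask = MASK64 if bits == 64 else MASK32
    if len(code) >= 5 and code[0] == 0xE9:                         # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"kind": "jmp rel32", "target": (addr + 5 + rel) & mask}
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                 # jmp [mem]
        disp = struct.unpack_from("<i", code, 2)[0]
        # x64 encodes the operand RIP-relative; x86 stores an absolute address
        slot = (addr + 6 + disp) & mask if bits == 64 else disp & MASK32
        return {"kind": "jmp [mem]", "slot": slot}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:     # push imm32; ret
        return {"kind": "push/ret", "target": struct.unpack_from("<I", code, 1)[0]}
    if bits == 64 and len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return {"kind": "mov rax, imm64; jmp rax", "target": struct.unpack_from("<Q", code, 2)[0]}
    if bits == 32 and len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":
        return {"kind": "mov eax, imm32; jmp eax", "target": struct.unpack_from("<I", code, 1)[0]}
    return None


def first_difference(clean, live):
    """Offset of the first byte where the live copy differs from the on-disk copy, or -1."""
    for i, (a, b) in enumerate(zip(clean, live)):
        if a != b:
            return i
    return -1


def audit_exports(exports, clean_bytes, bits=64):
    """exports: {name: (address, prologue bytes read from the live process)};
    clean_bytes: {name: prologue bytes of the same export from the file on disk}.
    Returns {name: finding} for every export that is patched or starts with a trampoline."""
    findings = {}
    for name, (addr, live) in exports.items():
        diff = first_difference(clean_bytes[name], live)
        hook = detect_inline_hook(addr, live, bits)
        if hook is not None or diff != -1:
            findings[name] = {"first_diff": diff, "hook": hook}
    return findings


def make_jmp_rel32(src, dst):
    """Encode the 5-byte `jmp rel32` a hooking engine writes at src to reach dst."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


# Constructed data (not from a real process): a clean x64 Nt* stub as read from
# the DLL on disk, and the same prologue after a 5-byte jmp hook was written over it.
CLEAN_STUB = b"\x4C\x8B\xD1\xB8\x55\x00\x00\x00\xF6\x04\x25\x08\x03\xFE\x7F\x01"
FUNC_ADDR = 0x7FF8AABB1000       # assumed address of the hooked export
HOOK_ADDR = 0x7FF8A0001000       # assumed address of the hook's trampoline
OTHER_ADDR = 0x7FF8AABB1020      # assumed address of an unhooked export
HOOKED_STUB = make_jmp_rel32(FUNC_ADDR, HOOK_ADDR) + CLEAN_STUB[5:]


def demo():
    exports = {"NtCreateFile": (FUNC_ADDR, HOOKED_STUB), "NtClose": (OTHER_ADDR, CLEAN_STUB)}
    clean = {"NtCreateFile": CLEAN_STUB, "NtClose": CLEAN_STUB}
    return audit_exports(exports, clean)


if __name__ == "__main__":
    for name, finding in demo().items():
        print("%s: first modified byte at offset %d, hook = %r"
              % (name, finding["first_diff"], finding["hook"]))
```

In a debugger the same check is done by hand: read the first bytes of the export in the live process, compare them with the bytes at the same RVA in the file on disk, and follow the jmp to see whose code (the EDR's, the banker's) sits at the other end.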


Module 17 - Rootkits - part 1 - User Mode Rootkits
(1 hour)
Malware uses rootkits to hide artifacts like files and processes. Rootkits can
be user mode or kernel mode. The module covers the working of user mode
rootkits and their analysis.

The module covers the following concepts:

Use of API hooks in rootkits
Disassembly analysis of a user mode rootkit

Difficulty level: Intermediate and Advanced


Module 18 - Rootkits - part 2 - Kernel Driver Basics
(15 mins)
Kernel mode rootkits are implemented as kernel drivers. The module
explains the working of kernel drivers and teaches how to debug them.
Only the basics are covered, which are enough to kickstart analysis of kernel
drivers.
The following concepts are covered in the module:
Basic concepts of Windows drivers: driver objects
IRPs
IOCTLs
Driver installation

Difficulty level: Basic and Intermediate


Module 18 - Rootkits - part 3 - Kernel Debugging
(1 hour)
The module covers debugging a kernel rootkit, starting with the
configuration of WinDbg for remote debugging and going through to debugging the driver
code.
The module covers the following topics:
Configuring WinDbg for remote kernel debugging
Breaking at the entry point of kernel drivers
SSDT rootkit concept
DKOM rootkit concept
Debug a DKOM rootkit

Difficulty level: Intermediate and Advanced


Module 19 - .NET Reverse Engineering (1.5 hours)
A lot of malware today is known to use .NET. In this module one
learns various approaches to reverse engineer .NET malware.

The module covers the following concepts:

Basic working and analysis of .NET executables
Debugging .NET binaries
Unpacking and de-obfuscating .NET binaries
Use of tools like dnSpy and de4dot

Difficulty level: Beginner, Intermediate and Advanced


Module 20 - VB Malware (30 mins)
Malware analysts often encounter malware written in Visual
Basic. In this module one learns to analyse Visual Basic binaries.

The module covers the following concepts:

Basics of Visual Basic binaries
Reverse engineering Visual Basic binaries

Difficulty level: Beginner, Intermediate


Module 21 - Golang Malware RE (30 mins)
Malware written in Go is on the rise. In this module one
learns to analyse Go-compiled binaries.

The module covers the following concepts:

Basics of Go binaries
Reverse engineering Go binaries

Difficulty level: Beginner, Intermediate


Module 22 - Anti-Analysis / Evasion techniques in
malware (1 hour)
Malware uses anti-analysis techniques to evade analysis and to evade security
software like EDRs, antivirus and sandboxes. In this module one learns
about these techniques and how to locate and bypass them.

The module covers the following concepts:

Anti-VM
API hashing
UAC bypass
Anti-debug
Sandbox evasion
EDR and endpoint evasion
Difficulty level: Beginner, Intermediate and Advanced
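
The following is an added example, not course material or code by the author; it serves both the "API hashing" item above and the "API resolution" item of Module 9. Malware that hashes API names stores only the hashes, walks a DLL's export table at run time hashing each name until one matches, and so never has readable import strings. The analyst does the reverse: hash a known export list with the recovered algorithm and look the sample's hashes up. The block implements the common rotate-and-add hash (ROR-13 with a zero seed is the classic form) with the rotation count, seed and final XOR key as explicit parameters, and, for the case where the disassembly shows a rotate-and-add loop but the constant is not obvious, brute-forces the rotation count against the export list. The export names are real kernel32 names but the list and the "sample" hash table are constructed; families that upper-case the name, fold the DLL name in, or use CRC32/FNV/djb2 instead need the hash function swapped accordingly.

```python
def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name, rot=13, seed=0, xor_key=0):
    """Rotate-and-add hash over an ASCII API name.

    rot=13, seed=0, xor_key=0 is the classic ROR-13 used by much shellcode;
    families tweak the rotation count, the seed or a final XOR key, so the
    parameters are explicit rather than baked in.
    """
    h = seed
    for c in name.encode("ascii"):
        h = (ror32(h, rot) + c) & 0xFFFFFFFF
    return h ^ xor_key


def build_lookup(export_names, **params):
    """Hash every known export once so hashes found in a sample can be resolved."""
    return {api_hash(n, **params): n for n in export_names}


def resolve_hashes(hashes, export_names, **params):
    """Map each hash to an export name (None when no known export hashes to it)."""
    lookup = build_lookup(export_names, **params)
    return [lookup.get(h) for h in hashes]


def recover_rotation(hashes, export_names, seed=0, xor_key=0):
    """Brute-force the rotation count that resolves the most sample hashes.

    Returns (rot, resolved_names). This is enough when the rotate-and-add
    shape was recognised in the disassembly and only the constant is in doubt.
    """
    best = (0, 0, [])
    for rot in range(1, 32):
        names = resolve_hashes(hashes, export_names, rot=rot, seed=seed, xor_key=xor_key)
        score = sum(n is not None for n in names)
        if score > best[0]:
            best = (score, rot, names)
    return best[1], best[2]


# Constructed inputs: a few kernel32 export names standing in for a dumped export
# table, and the hash list a sample might carry (built here with rot=7 so that it
# plays the role of an unknown variant for recover_rotation()).
EXPORTS = ["CloseHandle", "CreateFileA", "CreateFileW", "GetProcAddress", "LoadLibraryA",
           "ReadFile", "VirtualAlloc", "VirtualProtect", "WriteFile", "WriteProcessMemory"]
SAMPLE_HASHES = [api_hash(n, rot=7) for n in ("LoadLibraryA", "VirtualAlloc", "WriteProcessMemory")]


if __name__ == "__main__":
    rot, names = recover_rotation(SAMPLE_HASHES, EXPORTS)
    print("rotation count %d resolves the sample's hash table:" % rot)
    for h, n in zip(SAMPLE_HASHES, names):
        print("  0x%08x -> %s" % (h, n))
```

With a real sample, EXPORTS comes from the export tables of the DLLs the hash-walking loop iterates (typically kernel32 and ntdll), and the resolved names are what you annotate the call sites with in the disassembler.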
Module 23 – Payload Analysis (2.5 hours)
There is a variety of malware today, including ransomware, stealers,
wipers, POS malware, ATM malware, RATs etc. The module helps you to
understand these malware types and the techniques they use, knowledge that can be used
to enhance the detection features of anti-malware products.

The module covers the following topics:

Identification of ransomware techniques
Identification and analysis of keylogging code
Identification and analysis of stealer code targeting browsers
Identification of code related to taking screenshots, controlling webcams etc.
Identification of POS stealing code
Reverse engineer real ransomware, POS malware, RATs

Difficulty level: Beginner, Intermediate and Advanced


Module 24 – Reverse Engineering Malicious Scripts
and Documents (1 hour)
The module covers analysis of malicious documents, including obfuscation
techniques and de-obfuscating Word macros.
The module covers the following:
Obfuscation techniques
File formats of Word documents
VBA macros
De-obfuscating macros with the MS Office VBA debugger

Difficulty level: Beginner, Intermediate and Advanced


Module 26 – Malware Development: Basic Level
(25 minutes)
The module is about writing malware in VC++. It teaches
how to write basic malware using VC++ and VB macros.

The module covers the following:

Coding a Word macro downloader
VC++ compiler settings for malware development
A VC++ downloader
Adding anti-debugging using inline assembly and Win32 APIs
Packing the binary
C2 framework network communication
A basic shellcode injector

Difficulty level: Beginner


Module 27 – Reverse Engineering Best
Practices
The module summarises the whole course.

The module covers the following:

Effectively using virtual machines
Choosing tools
Combining features of tools
Accelerating reverse engineering
