FOR710: SANS Tokyo Winter 2024

Provided by

Enquire about this course

What You Will Learn

As defenders hone their analysis skills and automated malware detection capabilities improve, malware authors have worked harder to achieve execution within the enterprise. The result is malware that is more modular with multiple layers of obfuscated code that executes in-memory to reduce the likelihood of detection and hinder analysis. Malware analysts must be prepared to tackle these advanced capabilities and use automation whenever possible to handle the volume, variety and complexity of the steady stream of malware targeting the enterprise.

FOR710: Advanced Code Analysis continues where FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course leaves off, helping students who have already attained intermediate-level malware analysis capabilities take their reversing skills to the next level. Authored by SANS Certified Instructor Anuj Soni, this course prepares malware specialists to dissect sophisticated Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe.

Developing deep reverse-engineering skills requires consistent practice. This course not only includes the necessary background and instructor-led walk throughs, but also provides students with numerous opportunities to tackle real-world reverse engineering scenarios during class.

“As malware gets more complicated, malware analysis has as well. In recent years, malware authors have accelerated their production of dangerous, undetected code using creative evasion techniques, robust algorithms, and iterative development to improve upon weaknesses. Proficient reverse engineers must perform in-depth code analysis and employ automation to peel back the layers of code, characterize high-risk functionality and extract obfuscated indicators.” – Anuj Soni

FOR710 Advanced Code Analysis Will Prepare You To:
  • Tackle code obfuscation techniques that hinder static code analysis, including the use of steganography.
  • Identify the key components of program execution to analyze multi-stage malware in memory.
  • Locate and extract deobfuscated shellcode during program execution.
  • Develop comfort with non-executable file formats during malware analysis.
  • Probe the structures and fields associated with a PE header.
  • Use WinDBG Preview for debugging and assessing key process data structures in memory.
  • Identify encryption algorithms in ransomware used for file encryption and key protection.
  • Recognize Windows APIs that facilitate encryption and articulate their purpose.
  • Investigate data obfuscation in malware, pinpoint algorithm implementations, and decode underlying content.
  • Create Python scripts to automate data extraction and decryption.
  • Build rules to identify functionality in malware.
  • Use Dynamic Binary Instrumentation (DBI) frameworks to automate common reverse engineering workflows.
  • Write Python scripts within Ghidra to expedite code analysis.
  • Use Binary Emulation frameworks to simulate code execution.
Course Topics:
  • Code deobfuscation
  • Program execution
  • Shellcode analysis
  • Steganography
  • Multi-stage malware
  • WinDbg Preview
  • Encryption algorithms
  • Data obfuscation
  • Python scripting for malware analysis
  • Dynamic Binary Instrumentation (DBI) Frameworks
  • Binary emulation frameworks
  • Payload and config extraction
  • Scripting with Ghidra
  • YARA rules
  • Yara-python
  • SMDA disassebler
What You Will Receive With This Course:
  • Windows 10 VM with pre-installed malware analysis and reversing tools.
  • Real-world malware samples to examine during and after class.
  • Coursebooks and workbook with detailed step-by-step exercise instruction.
Listen to course author Anuj Soni as he provides a course preview in this livestream


Start date Location / delivery
01 Dec 2024 Tokyo Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...