Introduction to Malware Analysis and Reverse Engineering

CS6038/CS5138 Malware Analysis

Department of Electrical Engineering and Computing Systems

College of Engineering and Applied Science

University of Cincinnati

Meets every Tue/Thu in 3210 RECCENTER @ 4:00PM-5:20PM

Want to participate? Apply to Graduate School here.

This class will introduce CS graduate students to malware concepts, malware analysis, and black-box reverse engineering techniques. The target audience is computer science graduate students or undergraduate seniors without prior cyber security or malware experience. It is intended to introduce students to types of malware, common attack recipes, some tools, and a wide array of malware analysis techniques.

In general, if you’ve taken the following courses, you should have a good foundation for the class:

CS4029/6029 - Operating Systems

CS2029 - Data Structures

As virtualization is a key ingredient in any malware analysis, students are expected to have access to a laptop that can run multiple virtual machines at a time, with adequate CPU, RAM, and available disk storage. The minimum configuration expected to work well is a system with 4 cores (4 or 8 threads), 16GB of RAM, and at least 150GB of free disk space. Lesser configurations may work, but will likely mean longer wait times, less multitasking, and generally more frustration.

Course syllabus

Lectures/notes (from 2020 class)

2020-04-22 - Android Static Analysis Part 2 (lecture)

2020-04-18 - Introduction to Android Apps and Tools (lecture)

2020-04-13 - Java Malware and Obfuscation (lecture)

2020-04-10 - Introduction to Java Code Analysis (lecture)

2020-04-05 - PDF Document Structure & Analysis (lecture)

2020-03-29 - Hunting on a System With Yara (lecture)

2020-03-10 - Continued Malware Identification with Yara (lecture)

2020-03-07 - Malware Identification with Yara (lecture)

2020-03-02 - Multi-Stage Document Attacks (lecture)

2020-02-16 - Simple Program Flow Editing with Immunity (lecture)

2020-02-16 - Immunity Debugger View and Description (lecture)

2020-02-11 - Immunity Debugger Intro, Capture & Reroute Malware Traffic (lecture)

2020-02-11 - Analysis of Assignment 4, advanced parts (lecture)

2020-02-09 - Configuration Analysis, Run Time Analysis & Editing (lecture)

2020-02-05 - Ghidra Intro (lecture)

2020-02-04 - EXE File Analysis Lecture 1 (lecture)

2020-02-02 - Assembly Language Crash Course (lecture)

2020-01-28 - Analysis Exercise (lecture)

2020-01-24 - Static Analysis of Compromised VM (lecture)

2020-01-21 - Building Malware - Metasploit & Pupy RAT (lecture)

2020-01-20 - Building an Attack (lecture)

2020-01-19 - Malware Taxonomy Discussion (lecture)

2020-01-14 - Introduction to Course and VirtualBox (lecture)

Lectures/notes (from prior classes)

2018-04-03 - Debugging and VM Detection (lecture)

2018-03-20 - Document Format Analysis (lecture)

2018-02-22 - Malware Research Online (lecture)

2018-02-20 - Code-based Yara String Matching (lecture)

2018-01-25 - Container Model for Streams/Files and Deconstructing the Attack (lecture)

2018-01-18 - VirtualBox Lab Example Attacks & Analysis (lecture)

2018-01-16 - VirtualBox Lab Setup and Crash Course II (lecture)

2017-03-07 - Analysis of PDF Documents (lecture)

2017-03-02 - Analysis of Complex Data Structures (lecture)

2017-02-28 - Numeric Data Encoding, Arrays, and Memory Analysis (lecture)

2017-02-23 - Demo of Static Code Analysis Using Objdump, IDA Free, and Yara (lecture)

2017-02-21 - Demo of Static Analysis Using Strings (lecture)

2017-02-14 - Assembly Language Crash Course (Pt. 2), A Deeper Dive (lecture)

2017-02-09 - Assembly Language Crash Course (Pt. 1) (lecture)

2017-02-07 - Static Analyzers (Yara, vscan, ClamAV) (lecture)

2017-02-02 - Applying Static Analysis (lecture)

2017-01-31 - Static Analysis Introduction (lecture)

2017-01-26 - Malware Research Online (lecture)

2017-01-24 - Malware Taxonomy and Terminology (lecture)

2017-01-19 - Analyzing the Attack With Basic Tools (lecture)

2017-01-17 - Attack Introduction (lecture)

2017-01-12 - VirtualBox Lab Setup and Crash Course (lecture)

2017-01-10 - Introduction to Course and VirtualBox (lecture)

Assignments

LAB02: Building a Custom Attack (Due: Tuesday, 2020-01-23 11:59PM)

LAB01: VM Setup and Test (Due: Tuesday, 2020-01-16 11:59PM)

Assignments (old)

Final: Malware Analysis Report (Due: Saturday, 2018-04-28 11:55PM)

HW04: Dynamic Malware Monitoring (Due: Sunday, 2017-04-22 11:55PM)

HW03: Yara Binary Code Analysis (Due: Sunday, 2017-03-25 11:55PM)

HW02: Yara Static Analysis Using Strings, Observables (Due: Sunday, 2018-03-18 11:55PM)

HW01: VM Setup, Virtual Networking, Traffic Capture (Due: Thursday, 2018-02-15 11:55PM)

Final: Malware Analysis Report (Due: Friday, 2017-04-28 11:55PM)

HW05: Yara Binary Code Analysis (Due: Sunday, 2017-04-23 11:55PM)

HW04: Yara Static Analysis Using Strings, Observables (Due: Sunday, 2017-04-23 11:55PM)

HW03: Static Analysis Utility (Due: Thursday, 2017-03-02 11:55PM)

HW02: Kali Metasploit Experiment (Due: Tuesday, 2017-02-21 11:55PM)

HW01: VM Setup, Virtual Networking, Traffic Capture (Due: Thursday, 2017-02-16 11:55PM)

Other videos on malware I’ve done

Malware Analysis on a Budget - Discussion of malware analysis tools and research projects available in the open-source community

MalwareDNA - Talk about an instruction-analysis technique I devised in 2013

Recommended Resources