eLearnSecurity

MAP v1

Malware Analysis Professional

Be Prepared for Malware

Malware Analysis Professional (MAP) is an online, self-paced training course that teaches students the knowledge and skills necessary to dissect malicious software in order to understand its mechanics and purpose.

MAP provides a holistic approach to dissecting malware. You will also learn more about Reverse Engineering and add an additional skill to your arsenal, allowing you to dissect a product to understand its blueprint or how it was made.

Learn by Doing

MAP is a self-paced course that comes with 36 labs so you can develop your knowledge and test your skills through hands-on dissection and analysis of malicious software. In the Reverse Engineering portion of MAP, there are 10 downloadable, offline labs (executables) that provide practical reverse engineering experience. This content also comes with videos that give step-by-step guidance and an in-depth explanation of every technique.

Get Certified

Take the eCMAP certification and prove your practical skills with the only 100% practical certification on malware analysis.

Course at a glance

  • Realistic malware samples created to prepare you for real-world samples
  • Analyze real-world samples: ransomware, botnets, RATs, etc.
  • Learn about the IA-32 CPU architecture
  • Entire module dedicated to x64 assembly
  • Practical, hands-on dive into the TLS callback method
  • Understand how malware uses Windows APIs to achieve its malicious activity
  • Understand and bypass anti-reversing techniques
  • Perform full manual unpacking of packed executables
  • Debug samples using different debuggers
  • Learn different methods to locate the important algorithms

Course material

  • Over 8 hours of HQ video training material
  • Approximately 1800 interactive slides across 21 modules
  • 36 hands-on malware analysis and reverse engineering challenge labs, with over 800 pages of lab manuals

Course delivery

  • Self-paced / HTML5, PDF, MP4
  • Off-line access available
  • Access from PC, Tablet and Smartphone

Syllabus

Section: MALWARE ANALYSIS

  • Module 1 : Introduction to Malware Analysis

    Module 1 serves as a basic introduction to malware: the different types of malware, what they are, and how to analyze them. This module also covers the malware analysis techniques used to analyze malware and why different methods and techniques are needed. Finally, the module covers many of the tools that can be used to acquire evidence, including malware samples.

  • Module 2 : Static Analysis Techniques

    This module introduces the basic static methods used to identify malware and run an initial assessment. The module covers the different file types, generating different types of hashes and how they can be helpful, how to extract strings and use them as starting points in your analysis, and when and why you might consider using an online scanner or a sandbox. The module also goes in-depth on the Portable Executable (PE) file format and how to analyze its structure and understand all the main values in it. Finally, this module explains how to use all of this information to build an indicator of compromise (IOC) and use it to find malware samples on other systems using YARA.

  • Module 3 : Assembly Crash Course

    Since most systems used today are 64-bit, this module is a crash course in x64 assembly language. How x64 differs from x86, why malware analysts should be skilled at analyzing 64-bit code, and even how to write some x64 assembly code are all covered in this module.

  • Module 4 : Behavior Analysis

    Module 4 begins by explaining Windows processes, threads and the different objects available to a process. This is where malware is run to understand its behavior and how it affects a victim's system. The module goes through the different injection methods used by malware and how malware achieves persistence on systems so that it can come back or keep a foothold on the victim's system or network. The module also covers the different tools to use and how to use them effectively to analyze malware, whether it is an EXE or a DLL. Finally, the module explains how to use a sandbox to automate your dynamic analysis and get faster results that can aid further investigation.

  • Module 5 : Debugging and Disassembly Techniques

    This module covers two of the most advanced malware analysis methods: debugging and disassembling. Why these methods are needed and when to use them, their pros and cons, and what tools are available are all core concepts covered in this module. The different debugging methods, breakpoints and controls are covered, along with how to use them to run and analyze a malware sample. Finally, this module covers disassembly and reverse engineering in greater detail, with a focus on recognizing common malware characteristics at the Windows API level.

  • Module 6 : Obfuscation Techniques

    One of the goals malware developers try to achieve is to hinder analysis of their code, and to do so they use many different methods and techniques. This module covers the most common obfuscation techniques used by malware developers, ranging from encoding schemes (Base64, XOR, etc.) to anti-debugging and anti-reverse engineering techniques. The module goes over what packing is in detail and how to apply different unpacking techniques to unpack different malware samples. Finally, the module covers shellcode (mainly 64-bit shellcode) and how to locate, extract and analyze it.

Section: REVERSE ENGINEERING

  • Module 1 : The Necessary Theory - Part 1

    The first three modules aim to cover all the necessary theory as well as the concepts on which the practical part of this course is based. We will start with a short description about what Reverse Engineering is and the reasons why someone might need it, and then proceed with more technical concepts. During the first three chapters we will discuss the basics behind the Intel IA-32 CPU architecture (x86), the stack, the heaps, as well as exceptions, Windows APIs with some Windows Internals, and the most common types of reversing tools used these days.

  • Module 2 : The Necessary Theory - Part 2

    The second module is also dedicated to the theoretical knowledge necessary for this course. One thing to keep in mind is that 'theoretical' does not mean optional. In fact, the theory discussed during these first three modules covers all the fundamental knowledge and concepts that you will need, not just for this course and its technical assignments, but for the rest of your time as a reverser.

  • Module 3 : The Necessary Theory - Part 3

    The third module of this course aims to offer some extra theoretical knowledge necessary for the rest of the course. During this module we will briefly touch on the concept of heaps, we will discuss handles, exceptions, some basic Windows Ring3 Internal structures, and Windows APIs. Finally, we’ll go through the most common types of reversing tools used today for software reverse engineering.

  • Module 4 : VA/RVA/OFFSET and PE File Format

    In this module we will discuss virtual addresses, relative virtual addresses, offsets, as well as some basic information regarding the Portable Executable File Format which describes the basic structure of all Windows executable files.

  • Module 5 : String References and Basic Patching

    This module is dedicated to ‘String References’ as well as Basic Memory and File Patching. We demonstrate the use of data strings in order to locate the algorithm we are interested in and then we reverse its logic. Finally, we explain how we can manually calculate the offset of a byte inside the physical file by knowing its virtual address in memory.

  • Module 6 : Exploring the Stack

    This module focuses on exploring the data that we can retrieve from the stack in order to trace back an algorithm. This is a very important technique when we have to deal with on-the-fly encryption and decryption of data.

  • Module 7 : Algorithm Reversing

    During this module, we dig deep into Reverse Engineering by analyzing in detail all the important algorithms of the executable, which include the data encryption/decryption algorithm as well as the input data validation algorithm.

  • Module 8 : Windows Registry Manipulation

    This module is dedicated to Windows Registry. We start with an overview of this important Windows component and then we proceed with the detailed analysis of an executable that attempts to read data from the registry and validate it according to a custom algorithm which we finally Reverse Engineer. During this module we also make use of Hardware Breakpoints and we demonstrate their importance.

  • Module 9 : File Manipulation

    During this module we Reverse Engineer an executable that attempts to locate a specific file in the system and read data from it. In addition, we once more analyze in detail the custom algorithm used to validate that data in order to extend our skills in Reverse Engineering custom algorithms.

  • Module 10 : Anti-Reversing Tricks - Part 1

    This is the first module dedicated to anti-reversing tricks, covering some basic direct and indirect ways to detect a Ring3 debugger.

  • Module 11 : Anti-Reversing Tricks - Part 2

    In this module we continue talking about Anti-Reversing tricks regarding debuggers and reversing tools detection methods.

  • Module 12 : Anti-Reversing Tricks - Part 3

    This module is again focused on anti-reversing tricks. In this case we discuss the differences between software (SW) and hardware (HW) breakpoints and how they can be detected. We also talk about more advanced tricks that involve the use of exceptions, and finally we cover some well-known methods for detecting a few popular VM environments.

  • Module 13 : Code Obfuscation

    In this module we discuss different types of native code obfuscation methods. We explain how these are implemented, the obstacles they create, and how we can analyze and clean up obfuscated code.

  • Module 14 : Analyzing Packers and Manual Unpacking

    This module focuses on executable packers and, more specifically, on different generic methods that we can use in order to successfully find the Original Entry Point of applications packed with common packers. We give practical examples and unpack them together for fun and knowledge.

  • Module 15 : Debugging Multi-Thread Applications

    In this module we discuss debugging and analysis of multi-threaded applications, that is, applications that execute different blocks of code in different threads. Reverse engineering multi-threaded applications can sometimes be quite frustrating, especially for beginners.

Pre-requisites

  • Networking and Network Protocols: TCP, UDP, ARP, ICMP, etc.
  • Operating Systems and Computer Architecture Concepts
  • Programming Languages: x86 Assembly, C, C++, and Python
  • Information Security: Cyber Attacks, Malicious Content, Exploitation, Shellcodes and Digital Forensic Investigations

This training course is for...

  • Incident Responders
  • Digital Forensic Examiners
  • Malware Analysts
  • Penetration Testers who want to adapt malware techniques to their penetration tests
  • Reverse Engineers with 0-2 years of experience
  • Cybersecurity Researchers and Students

Labs

The MAP course is a practice-based curriculum. Being integrated with Hera Lab, the most sophisticated virtual lab in IT Security, it offers an unmatched practical learning experience.

Hera is the only virtual lab that provides fully isolated per-student access to each of the real-world scenarios available on the platform.

Students can access Hera Lab from anywhere through VPN.

Modules will be accompanied by 26 hands-on malware analysis labs, with an additional 10 Win32 applications to reverse engineer.

Lab ID | Description | Category
Lab 1 | Evidence Acquisition using KAPE | Malware Analysis
Lab 2 | File Identification | Malware Analysis
Lab 3 | Analyzing PE File Structures | Malware Analysis
Lab 4 | Packed Malware Identification and Basic Analysis | Malware Analysis
Lab 5 | From IOCs to YARA Rules | Malware Analysis
Lab 6 | Writing and Debugging Assembly x64 Code | Malware Analysis
Lab 7 | Working with Windows Processes | Malware Analysis
Lab 8 | Analyzing a Custom Downloader | Malware Analysis
Lab 9 | Working with DLLs and DLL Injection | Malware Analysis
Lab 10 | Dynamically Analyzing a Custom Backdoor | Malware Analysis
Lab 11 | Dynamically Analyzing a KeyLogger | Malware Analysis
Lab 12 | Reverse Engineering a 64-bit Downloader using IDA Pro | Malware Analysis
Lab 13 | Debugging a 64-bit Downloader using x64dbg | Malware Analysis
Lab 14 | Debugging a 64-bit Dropper | Malware Analysis
Lab 15 | Reverse Engineering a Keylogger using IDA Pro | Malware Analysis
Lab 16 | Reverse Engineering a Bot using IDA Pro | Malware Analysis
Lab 17 | Analyzing the WannaCry Ransomware | Malware Analysis
Lab 18 | Reverse Engineering a Custom Backdoor using IDA Pro (64-bit) | Malware Analysis
Lab 19 | Manually Unpacking a Malware using x64dbg | Malware Analysis
Lab 20 | Manually Unpacking UPX using x64dbg | Malware Analysis
Lab 21 | Manually Unpacking Real-Life Sample (Redaman) | Malware Analysis
Lab 22 | Manually Unpacking Real-Life Sample (Locky) | Malware Analysis
Lab 23 | Binary Patching KillemAll Malware | Malware Analysis
Lab 24 | Debugging Obfuscated Downloader | Malware Analysis
Lab 25 | Debugging Process Hollowing (RunPE) | Malware Analysis
Lab 26 | Debugging Process Hollowing with TLS Callbacks | Malware Analysis
Lab 27 | String References & Basic Patching | Reverse Engineering
Lab 28 | Exploring the Stack | Reverse Engineering
Lab 29 | Algorithm Reversing | Reverse Engineering
Lab 30 | Windows Registry Manipulation | Reverse Engineering
Lab 31 | File Manipulation | Reverse Engineering
Lab 32 | Anti Reversing Tricks I | Reverse Engineering
Lab 33 | Anti Reversing Tricks II | Reverse Engineering
Lab 34 | Anti Reversing Tricks III | Reverse Engineering
Lab 35 | Code Obfuscation | Reverse Engineering
Lab 36 | Analyzing Packers & Manual Unpacking | Reverse Engineering

Certification

Get the eCMAP Certification

eLearnSecurity's eCMAP (Certified Malware Analysis Professional) certification is the most practical and professionally oriented certification you can obtain in malware analysis. Instead of putting you through a series of multiple-choice questions, you are expected to perform a full analysis on a given malware sample, show proof of what the malware does, and finally write a signature that could be used to detect the malware sample on other systems or networks. This will be done by applying all or part of the skills acquired from the course and research.

Instructor

  • Ali Hadi

    Ali Hadi is a Senior Cybersecurity Specialist with 15+ years of industrial experience in Information Technology (IT), currently working as a full time professor and researcher for both the Computer & Digital Forensics and Cybersecurity Departments at Champlain College, USA. He provides consulting in several areas of Cybersecurity including digital forensics and incident response, malware analysis, cyber threat hunting, and penetration testing. He is also an author, speaker, and freelance instructor. His research interests include digital forensics, incident response, cyber threat hunting, and malware analysis.

Reviews

I found the material to be challenging and informative, but the best part is content delivery.

Ken Richmond
System Analyst

The student course is very comprehensive and covers more than the required aspects of the modules. The interface is easy to use and the videos included are very helpful in giving you a step by step guide for the more complex tasks.

Theodore Judice
Osaze Systems IT Consulting
