Lab exercises and study notes for Practical Malware Analysis by Michael Sikorski and Andrew Honig, supplemented with the RPISEC Malware course materials. Covers static and dynamic analysis, unpacking, anti-analysis techniques, and reverse engineering of real-world malware samples.
| Directory | Description |
|---|---|
| Lab1 | PE file static analysis — imports, exports, strings, and section analysis |
| Labs | Dynamic analysis exercises — behavioral monitoring, API tracing, and network analysis |
- PE header analysis: MZ signature, section characteristics, import/export tables
- String extraction and entropy analysis for packed samples
- YARA rule development from static indicators
- IDA Pro / Ghidra disassembly workflow
- Identifying compiler artifacts and packer signatures
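The PE header and entropy items above are the core of the Lab1 static triage. The following is an added example written for these notes, not code from the labs or from the PMA/RPISEC material: it walks the DOS header, PE signature, COFF header and section table with `struct`, computes per-section Shannon entropy, and flags the two indicators a triage usually keys on (a writable+executable section and a section with near-maximal entropy). The sample image is constructed in memory and is deliberately not loadable (no optional header); the 7.0 bits-per-byte cutoff is an assumed, commonly used threshold.

```python
"""Minimal PE header walk with per-section triage (added example, not lab code)."""
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: typical triage cutoff, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, _ts, _symptr, _nsyms,
     opt_size, flags) = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _rel, _lin, _nrel, _nlin, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "writable_executable": bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE),
            # Malformed samples often declare more raw data than the file holds.
            "truncated": raw_ptr + raw_size > len(image),
        })
    return {"machine": machine, "characteristics": flags, "sections": sections}


def triage(image: bytes) -> list:
    """Return human-readable findings that usually warrant a closer look."""
    findings = []
    for s in parse_pe(image)["sections"]:
        if s["writable_executable"]:
            findings.append(f"{s['name']}: writable and executable (self-modifying code or unpacking stub)")
        if s["entropy"] >= PACKED_ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} (likely packed or encrypted)")
        if s["truncated"]:
            findings.append(f"{s['name']}: raw data runs past end of file")
    return findings


def build_sample_image() -> bytes:
    """Constructed, non-loadable PE image: a plain .text section plus a UPX1-style packed section."""
    text_data = b"\x55\x8b\xec" + b"\x90" * 61      # push ebp; mov ebp,esp; NOP sled (low entropy)
    packed_data = bytes(range(256)) * 2              # every byte value equally often -> 8.0 bits/byte
    e_lfanew, opt_size, nsections = 0x40, 0, 2
    table = e_lfanew + 4 + 20 + opt_size
    text_ptr, packed_ptr = 0x200, 0x400
    image = bytearray(packed_ptr + len(packed_data))
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: i386, 2 sections, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4, 0x14C, nsections, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<8sIIIIIIHHI", image, table, b".text", len(text_data), 0x1000,
                     len(text_data), text_ptr, 0, 0, 0, 0,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    struct.pack_into("<8sIIIIIIHHI", image, table + 40, b"UPX1", len(packed_data), 0x2000,
                     len(packed_data), packed_ptr, 0, 0, 0, 0,
                     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    image[text_ptr:text_ptr + len(text_data)] = text_data
    image[packed_ptr:packed_ptr + len(packed_data)] = packed_data
    return bytes(image)


if __name__ == "__main__":
    for finding in triage(build_sample_image()):
        print(finding)
```

Run against a real sample by replacing `build_sample_image()` with the file's bytes; PEStudio reports the same characteristics and entropy figures, so this is a useful cross-check when learning what the tool's output means.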
- Sandboxed execution with behavioral monitoring (Process Monitor, Process Hacker)
- API call tracing with tools: API Monitor, x64dbg, WinDbg
- Network traffic capture and protocol identification (Wireshark, INetSim)
- Registry and filesystem change monitoring
- Debugger detection bypass (patching IsDebuggerPresent, ScyllaHide)
- Packer identification and manual unpacking workflow
- Anti-VM evasion techniques and mitigation
- Code obfuscation: XOR decoding, stack string reconstruction
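For the XOR decoding item above, the case that comes up most in the labs is a PE embedded in a resource or data section and encoded with a single-byte key. The following is an added example for these notes, not code from the labs or from the book: it recovers the key two ways, by the zero-byte frequency heuristic (an encoded PE's most common byte is the key itself, because headers and padding are mostly zeros) and by a known-plaintext search for the DOS stub string, and validates either guess by checking for the `MZ` signature. The sample blob is constructed and the key value is an assumption.

```python
"""Single-byte XOR key recovery for an embedded, encoded PE (added example, not lab code)."""
from collections import Counter
from typing import Optional, Tuple

DOS_STUB_CRIB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def key_from_frequency(blob: bytes) -> int:
    """Most frequent ciphertext byte is almost always key ^ 0x00, because
    PE headers and section padding contain long runs of zero bytes."""
    (byte, _count), = Counter(blob).most_common(1)
    return byte


def key_from_crib(blob: bytes, crib: bytes = DOS_STUB_CRIB) -> Optional[int]:
    """Brute-force all 256 keys and accept the one whose plaintext contains the crib."""
    for key in range(256):
        if crib in xor_bytes(blob, key):
            return key
    return None


def recover_embedded_pe(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try the cheap frequency heuristic first, validate it, then fall back to the crib search.
    The frequency guess fails on short blobs without zero padding, which is why it is validated."""
    for key in (key_from_frequency(blob), key_from_crib(blob)):
        if key is None:
            continue
        plain = xor_bytes(blob, key)
        if plain[:2] == b"MZ":
            return key, plain
    return None


def build_sample_blob(key: int = 0x7C) -> bytes:
    """Constructed stand-in for an encoded PE: MZ header, zero padding, DOS stub text."""
    fake_pe = b"MZ" + b"\x90" * 6 + b"\x00" * 56 + DOS_STUB_CRIB + b"\x00" * 200
    return xor_bytes(fake_pe, key)


if __name__ == "__main__":
    result = recover_embedded_pe(build_sample_blob())
    if result is not None:
        key, plain = result
        print(f"key=0x{key:02x} header={plain[:2]!r}")
```

The frequency heuristic is the one to reach for first because it costs nothing; the crib search covers the case where a sample strips its zero padding or uses a key that collides with another common byte.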
- Keyloggers and credential stealers
- Backdoors and remote access trojans (RATs)
- Downloader/dropper chains
- Rootkits: user-mode and kernel-mode persistence
| Tool | Purpose |
|---|---|
| IDA Pro / Ghidra | Static disassembly and decompilation |
| x64dbg / WinDbg | Dynamic debugging |
| Process Monitor | Filesystem, registry, and process activity |
| Wireshark / INetSim | Network traffic capture and simulation |
| FLARE VM | Pre-configured malware analysis environment |
| PEStudio | PE file static analysis |
- RPISEC Malware course: github.com/RPISEC/Malware
ASHDEX — Security Researcher & Architect | Malware Analysis · Reverse Engineering ashdex.com