{"id":13794293,"url":"https://github.com/rpisec/malware","last_synced_at":"2025-05-12T21:30:45.534Z","repository":{"id":37251695,"uuid":"49282041","full_name":"RPISEC/Malware","owner":"RPISEC","description":"Course materials for Malware Analysis by RPISEC","archived":false,"fork":false,"pushed_at":"2022-08-26T22:56:18.000Z","size":11819,"stargazers_count":3574,"open_issues_count":0,"forks_count":798,"subscribers_count":332,"default_branch":"master","last_synced_at":"2024-02-14T06:36:05.390Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RPISEC.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-01-08T16:10:44.000Z","updated_at":"2024-02-13T02:41:15.000Z","dependencies_parsed_at":"2022-07-09T13:00:31.026Z","dependency_job_id":null,"html_url":"https://github.com/RPISEC/Malware","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RPISEC%2FMalware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RPISEC%2FMalware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RPISEC%2FMalware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RPISEC%2FMalware/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RPISEC","download_url":"https://codeload.github.com/RPISEC/Malware/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225152707,"owners_count":17429179,"icon_url":"h
ttps://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T23:00:38.278Z","updated_at":"2024-11-18T08:31:33.224Z","avatar_url":"https://github.com/RPISEC.png","language":null,"readme":"# Malware Analysis - CSCI 4976\nThis repository contains the materials as developed and used by [RPISEC](http://rpis.ec) to\nteach Malware Analysis at [Rensselaer Polytechnic Institute](http://rpi.edu) in\nFall 2015. This was a university course developed and run solely by students, primarily using the\n[Practical Malware Analysis](http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901)\nbook by Michael Sikorski and Andrew Honig, to teach skills in reverse engineering, malicious behaviour, malware,\nand anti-analysis techniques.\n\n\u003cp align=\"center\"\u003e\n\u003cimg width=\"700px\" src=\"/resources/images/class.png\" alt=\"Malware\"/\u003e\n\u003c/p\u003e\n\n## About the Course\n\nThe Practical Malware Analysis (PMA) book is where many RPISEC members and alumni started. The book reads very well,\nis full of information, and the lab walkthroughs in the back are invaluable. We didn't want to re-invent the wheel so\nwe structured most of the class around the book. 
Students were expected to have read the relevant PMA book chapters\nbefore class, allowing us to spend much more class time demonstrating skills and techniques and walking through\nhands-on examples with the students.\n\n**Syllabus:** http://security.cs.rpi.edu/courses/malware-fall2015/Syllabus.pdf\n\n**Note: Most of the samples used in this course are malicious in nature, treat them carefully!**\n\nTo help protect people from accidentally running samples on an important machine, and to prevent anti-malware suites from\nblocking the course material, **all of the samples are compressed and encrypted with a password of 'infected'.**\n\n### Course Abstract\n\n\u003e_With the increased use of the Internet and prevalence of computing systems in critical infrastructure, technology is undoubtedly a vital part of modern daily life. Unfortunately, the increasingly networked nature of the modern world has also enabled the spread of malicious software, or “malware”, ranging from annoying adware to advanced nation-state sponsored cyber-weaponry. As a result, the ability to detect, analyze, understand, control, and eradicate malware is an increasingly important issue of economic and national security._\n\n\u003e_This course will introduce students to modern malware analysis techniques through readings and hands-on interactive analysis of real-world samples. After taking this course students will be equipped with the skills to analyze advanced contemporary malware using both static and dynamic analysis._\n\n### Prerequisite Knowledge\nThis course carried a prereq of\n[Computer Organization - CSCI 2500](http://catalog.rpi.edu/preview_course_nopop.php?catoid=10\u0026coid=16571)\nat RPI. Computer Organization is RPI's basic computer architecture course that teaches\nthings like C, MIPS assembly, x86 assembly, Datapaths, CPU Pipelining, CPU Caching,\nMemory Mapping, etc.\n\nOur expected demographic for Malware Analysis was students with zero reverse\nengineering experience. 
That said, to be able to take this course\nyou will probably need at least the following skills.\n* Working knowledge of C/C++\n* Any assembly level experience\n\n### Lecture Breakdown\nLecture | Title | Topics\n------- | ----- | ------\n01 | Introduction | Syllabus, Basic Static Analysis, Basic Dynamic Analysis\n02 | Advanced Static Analysis | x86, IDA, Code Constructs\n03 | Analyzing Windows Programs | WinAPI, Handles, Windows Internals, Networking, COM\n04 | Advanced Dynamic Analysis | Debugging Concepts and Tools\n05 | Malware Behavior | Malicious Activities and Techniques\n06 | Data Encoding and Malware Countermeasures | Hiding Data, Malware Countermeasures\n07 | Covert Malware Launching | Covert Launching and Execution\n08 | Anti-Analysis | Anti-Disassembly, Anti-VM, Anti-Debugging, Anti-AV\n09 | Packing and Unpacking | Packers, Packing, and Unpacking\n10 | Intro to Windows Kernel | Kernel Basics, Windows Kernel API, Windows Drivers, Kernel Debugging\n11 | Rootkit Techniques | Hooking, Patching, Direct Kernel Object Manipulation\n12 | Rootkit Anti-Forensics and Covert Channels | Anti-forensics, Covert Channels\n\n### Lab Breakdown\nLab | Topic\n--- | -----\n[01](/Labs/Lab_01) | Basic Analysis\n[02](/Labs/Lab_02) | Advanced Static Analysis\n[03](/Labs/Lab_03) | Analyzing Windows Programs\n[04](/Labs/Lab_04) | Advanced Dynamic Analysis\n[05](/Labs/Lab_05) | Malware Behavior\n[06](/Labs/Lab_06) | Data Encoding and Malware Countermeasures\n[07](/Labs/Lab_07) | Covert Malware Launching\n[08](/Labs/Lab_08) | Anti Analysis\n[09](/Labs/Lab_09) | Packing and Unpacking\n[10](/Labs/Lab_10) | Windows Kernel\n\n### Project Breakdown\nProject | Topic\n------- | -----\n[01](/Projects/Project_1) | Malware Behavior\n[02](/Projects/Project_2) | Runtime Process Manipulation\n[03](/Projects/Project_3) | Unpacking and Automation\n[04](/Projects/Project_4) | APT Sample Analysis\n\nLinks for additional exercises:\n* [Practical Malware Analysis 
Labs](http://practicalmalwareanalysis.com/labs/)\n* [Practical Reverse Engineering Labs](https://grsecurity.net/malware_research/)\n\n## Analysis Environment\n\nSetting up a \"safe\" and usable analysis environment can range from easy to impossible,\ndepending on how far you want to go. The PMA book devotes an\nentire chapter (Chapter 2) to this problem. For the purposes of this class, we\ndecided to set up a Windows 7 32-bit virtual machine. Unfortunately, while all the software\nwe used for the class is free, Windows is not, thus we cannot distribute this VM like we\ndistributed the Warzone for MBE. We have, however, included a comprehensive list, and a\ncollection of installers, of all the tools we used throughout the course. There are a few \n\"essentials\" that we haven't listed but are still included in the installer package \n(python, cygwin, etc).\n\nVisit the [releases](https://github.com/RPISEC/Malware/releases) page for the latest package.\n\n### Tools\n* [Dependency Walker](http://www.dependencywalker.com/)\n* [Fakenet](http://practicalmalwareanalysis.com/fakenet/)\n* [FileAlyzer 2.0](https://www.safer-networking.org/products/filealyzer/)\n* [HxD](http://mh-nexus.de/en/hxd/)\n* [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware.shtml)\n* [ImpREC](https://tuts4you.com/download.php?view.415)\n* [LordPE](http://www.woodmann.com/collaborative/tools/index.php/LordPE)\n* [Malcode Analyst Pack](http://sandsprite.com/iDef/MAP/)\n* [OllyDbg](http://www.ollydbg.de/)\n* [PEiD](https://www.aldeid.com/wiki/PEiD)\n* [PEview](http://wjradburn.com/software/)\n* [Regshot](http://sourceforge.net/projects/regshot/)\n* [Resource Hacker](http://www.angusj.com/resourcehacker/)\n* [Sysinternals Suite](https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx)\n* [UPX](http://upx.sourceforge.net/)\n* [Visual Studio](https://www.visualstudio.com/en-us/visual-studio-homepage-vs.aspx)\n* 
[Windbg](https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).aspx)\n* [Wireshark](https://www.wireshark.org/)\n\n## Frequently Asked Questions\n\nIf you are ever stuck on a problem or have any questions, you're more than welcome to\nask on [IRC](#contact).\n\n#### What is the password to the zip files?\n'infected', no quotes.\n\n#### Are these files malicious/dangerous?\nYes. Not all of them are malicious in nature, but most are. Always keep them inside a\nproper analysis environment.\n\n#### Why are the lecture slides for XYZ so sparse?\nMuch of lecture time was spent in hands on examples, with the expectation that students\nhad read the material in the PMA book ahead of time. Thus the slide content referring\nto material from the PMA book is meant as more of an outline. Read the chapters and then\ngo through the lab walkthroughs in the back of the PMA book, they are a great resource.\n\n#### Do you have videos of the lectures?\nSadly we did not record any of the lectures, maybe next time.\n\n#### Where can I learn more?\nPlay more wargames:\n* [IO Wargame](https://io.netgarage.org/)\n* [Pwnable KR](http://pwnable.kr/)\n* [Pwnable TW](https://pwnable.tw/)\n* [OverTheWire](http://overthewire.org/wargames/)\n* [Reversing KR](http://reversing.kr/)\n* [W3Challs](http://w3challs.com/)\n* [crackmes.de](http://crackmes.de/)\n\nReverse more samples:\n* [Contagio](http://contagiodump.blogspot.com/)\n* [Kernelmode.info](http://www.kernelmode.info/forum/)\n* [Malware.lu](https://malware.lu/)\n* [malwr](https://malwr.com/)\n* [Hybrid Analysis](https://www.hybrid-analysis.com/recent-submissions?filter=file)\n\nThe following books are excellent resources for expanding your knowledge of malware analysis and reverse engineering. 
We recommend working through them in the following order:\n\n* Practical Malware Analysis\n* Practical Reverse Engineering\n* Rootkits: Subverting the Windows Kernel\n* The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System\n* Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats\n\nThese three books are also excellent:\n\n* The Antivirus Hacker's Handbook\n* The Art of Memory Forensics\n* Windows Internals\n\nAnd when they're happening, play [CTFs](https://ctftime.org/)!\n\n#### \u003ca name=\"contact\"\u003e\u003c/a\u003eI have a question, how can I get in touch with you?\nOur club keeps a pretty active [IRC](http://rpis.ec/irc) presence. Someone there can probably\nanswer your question.\n\n**Server:** `irc.rpis.ec`\n**Port:** `6667`, or `6697` (SSL)\n\nIf you would like a more formal means of communication, you can reach us at `contact [at] rpis.ec`\n\n# Licensing\nThis course was explicitly designed for academic \u0026 educational use only. Please keep this\nin mind when sharing and distributing our course material. The specific licenses involved\ncan be found below.\n\n**Lecture Slides**\n\nThe lectures are covered by the Creative Commons Attribution-NonCommercial 4.0\nInternational license [CC BY-NC 4.0](https://creativecommons.org/licenses/by-nc/4.0/legalcode).\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://creativecommons.org/licenses/by-nc/4.0/\"\u003e\u003cimg src=\"/resources/images/cc-by-nc.png\" alt=\"CC BY-NC 4.0\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# Acknowledgements\nHundreds of hours and countless all nighters went into the production and execution of\nthis course. 
This section serves to recognize those who made all of this possible.\n\n## Original Authors\n  * Branden Clark\n  * Austin Ralls\n  * Aaron Sedlacek\n\n## Special Thanks\n  * The [RPI CS Department](http://www.cs.rpi.edu/) for giving us this opportunity and letting us run with it\n  * Professor Bülent Yener for sponsoring such a course\n  * Our students who put up with us all semester\n","funding_links":[],"categories":["\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003eCollection"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frpisec%2Fmalware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frpisec%2Fmalware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frpisec%2Fmalware/lists"}