Here is the complete reference guide to all sessions of our Reverse Engineering & Malware Analysis Training program.

Session 1 - Lab Setup Guide

  1.  Virtualization:
    1. VmWare – http://www.vmware.com/
    2. VirtualBox – https://www.virtualbox.org/
  2.  Tools Development:
    1. Compilers/IDE:
      1. Dev C++ – http://www.bloodshed.net/devcpp.html
      2. Microsoft Visual C++ – http://www.microsoft.com/visualstudio/en-us/products/2010-editions/visual-cpp-express
    2.  Assemblers:
      1. MASM – http://www.masm32.com/
      2. NASM – http://www.nasm.us/
      3. WinAsm (IDE) – http://www.winasm.net/
    3. Langugages:
      1. Python – http://python.org/
  3. Tools Reverse Engineering:
    1. Disassembler:
      1. IDA (5.0) – http://www.hex-rays.com/products/ida/support/download.shtml
      2. IDAPython – http://code.google.com/p/idapython/
    2. Debuggers:
      1. OllyDbg – http://www.ollydbg.de/
      2. Immunity Debugger –
      3. Windbg – http://msdn.microsoft.com/en-us/windows/hardware/gg463009
      4. Pydbg – http://code.google.com/p/paimei/
    3. PE file Format:
      1. PEView – http://wjradburn.com/software/
      2. PEBrowse – http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html
      3. LordPE – http://www.woodmann.com/collaborative/tools/index.php/LordPE
      4. ImpRec – http://www.woodmann.com/collaborative/tools/index.php/ImpREC
      5. PEid – http://www.peid.info/
    4. Process:
      1. ProcMon – http://technet.microsoft.com/en-us/sysinternals/bb896645
      2. Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653
    5. Network:
      1. WireShark – http://www.wireshark.org/
      2. TcpView – http://technet.microsoft.com/en-us/sysinternals/bb897437
    6. File and Registry:
      1. Regshot: http://sourceforge.net/projects/regshot/
      2. Capturebat – http://www.honeynet.org/node/315
      3. InstallWatchPro. – http://www.brothersoft.com/downloads/installwatch-pro-2.5c.html
      4. FileMon – http://technet.microsoft.com/en-us/sysinternals/bb896642
    7. Misc:
      1. CFFexplorer – http://www.ntcore.com/exsuite.php
      2. Notepad++ – http://notepad-plus-plus.org/
      3. Dependency walker – http://www.dependencywalker.com/
      4. Sysinternal Tools – http://technet.microsoft.com/en-us/sysinternals/bb842062

Session 2 - Introduction to Windows Internals

  1. Book: Windows Internals 5th Edition – Chapter 1, 2, 3, 5, 9
  2. Windows Architecture – http://technet.microsoft.com/en-us/library/cc768129.aspx
  3. Book: RootKit Arsenal – Part 1 – Windows System Architecture
  4. System Service Dispatching – http://www.codeproject.com/KB/system/hide-driver/NtCallScheme_small.png

Session 3 - Windows PE File Format Basics

  1. Portable Executable File Format – A Reverse Engineer View – Goppit –http://ivanlef0u.fr/repo/windoz/pe/CBM_1_2_2006_Goppit_PE_Format_Reverse_Engineer_View.pdf
  2. An In-Depth Look into the Win32 Portable Executable File Format by Matt Pietrekhttp://msdn.microsoft.com/en-us/magazine/cc301805.aspx
  3. Lena 151 tutorials – http://tuts4you.com/download.php?list.17
  4. Icezelion’s PE tutorials – http://win32assembly.programminghorizon.com/tutorials.html

Session 4 - Assembly Programming Basics

  1. Assembly Programming: A Beginners Guide –
  2. Icezelion’s Win32 Assembly Programming Tutorials  –http://win32assembly.programminghorizon.com/tutorials.html
  3. Function Calling Convention Demystified –http://www.codeproject.com/KB/cpp/calling_conventions_demystified.aspx
  4. Intel Manual – Volume 2 (Instruction set), Volume 3 (system programming 3A) –
    http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf

Session 5 - Reverse Engineering Tools Basics

  1. Video – Intro to OllyDbg and its Settings – http://www.youtube.com/watch?v=UqnQCVvYk3A
  2. Video – Intro to IDA Pro Disassembler – http://www.youtube.com/watch?v=zvWc-XsBKrA
  3. Automation of Reversing Through Scripting –

Session 6 - Practical Reversing (I)

  1. Video Demonstration – Reversing Sample Crackme using IDA Pro http://www.youtube.com/watch?v=6r5Q7YYnUSc
  2. Creating KEYGEN for Crackme Code
  3. Lena 151 tutorials – Part1 to Part 10 –http://tuts4you.com/download.php?list.17
  4. Book: ‘The IDA Pro Book’ – Unofficial Guide to IDA Pro http://www.amazon.com/The-IDA-Pro-Book-Disassembler/dp/1593272898
  5. Book: Practical Malware Analysis – chapter 1-7 http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901
  6. Book: Reversing – Secrets of Reverse Engineering – chapter 1,2,3,4,5,8 http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817

Session 7 - Practical Reversing II: Unpacking UPX

  1. Video Demonstration – Unpacking UPX using OllyDbg & ImpREC http://http://vimeo.com/42197903
  2. Manual Unpacking of UPX using OllyDbg
  3. UPX: Ultimate Packer for Executables http://upx.sourceforge.net/
  4. ImpREC: Import Table Reconstruction Tool
  5. Best Unpacking Tutorials by ARTeam http://www.accessroot.com/

Session 8 - Practical Reversing III: Malware Memory Forensics

  1. Demo Video – http://www.youtube.com/watch?v=YcVusDjnBxw
  2. Malware Memory Forensics Article
  3. Volatility – An advanced memory forensics framework http://code.google.com/p/volatility/
  4. Volatility – Volatile memory analysis research http://volatility.tumblr.com/
  5. MoonSols Windows Memory Toolkit http://www.moonsols.com/windows-memory-toolkit/

Session 9 - Practical Reversing IV: Advanced Malware Analysis

  1. Demo Video 1 – http://youtu.be/592uIELKUX8
  2. Demo Video 2 – http://youtu.be/3bxzvrGf5w8
  3. Volatility – An advanced memory forensics framework http://code.google.com/p/volatility/
  4. Volatility – Volatile memory analysis research http://volatility.tumblr.com/
  5. The Honeynet Project – http://www.honeynet.org/node/315
  6. Malware Analysis Tools & Training – http://zeltser.com/reverse-malware/

Session 10 - Practical Reversing V: Exploit Development Basics

  1. Demo Video 1 [EIP Overwrite]- http://www.youtube.com/watch?v=erl_Aee8oDg
  2. Demo Video 2 [SEH Exploitation]- http://www.youtube.com/watch?v=njQ47H7jO4s
  3. Remote Buffer Overflow Exploits –
  4. Exploit writing tutorials https://www.corelan.be/index.php/articles/

Session 11 - Practical Reversing VI: Exploit Development Advanced

  1. Demo Video 1 [DEP Bypass] – http://vimeo.com/49069964
  2. Demo Video 2 [HeapSpray] – http://vimeo.com/49070337
  3. Past, present and future of Windows Exploits: http://bit.ly/vr1IEw
  4. Exploit writing tutorials: https://www.corelan.be/index.php/articles/
  5. Preventing the exploitation of SEH overwrite: http://bit.ly/OM6olZ
  6. Stack Protections Bypass:

Session 12 - Case Study: Rootkit Analysis

  1. DemoVideo 1: Mader – SSDT Hooking – http://youtu.be/5cLd2HukfbU
  2. DemoVideo 2: Prolaco – Process Hiding using DKOM – http://youtu.be/J7odu8OkBYs
  3. DemoVideo 3: Darkmegi/waltrodock – Installs Device Driver – http://youtu.be/ZAWfu-tRzrc
  4. DemoVideo 4: Carberp – Syscall Patch and Inline Hooks – http://youtu.be/ui_qLL3_w7A
  5. Book – The Rootkit Arsenal http://amzn.to/RXHvbN
  6. Volatility – An advanced memory forensics framework http://volatility-labs.blogspot.in