This is a meta-class built from existing classes that will lead you step by step toward a deep technical understanding of how stealth malware works, with a particular focus on kernel-level malware. A series of free video recordings of paid multi-day training classes covers: how Intel assembly works, the OS internals that malware can manipulate, how the Windows PE binary format works, and finally the techniques stealth malware uses to hide and persist on an infected machine. The class also teaches how you can still detect such malware if you have the right knowledge and the right tools. Completing all the material in this class will take approximately 50 hours, not including time spent on labs.
Students must have a basic understanding of the C programming language, because the Introductory Intel x86 class shows how snippets of C code correspond to x86 assembly instructions.
Students should watch videos and complete labs for classes in the following order (more details about each class can be found on the respective page):
1. Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
(Necessary to understand how inline hooking works.)
2. Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration
(Necessary to understand how Interrupt Descriptor Table (IDT) hooking works, and how paging works for ShadowWalker-style memory hiding.)
3. The Life of Binaries
(Necessary to understand how Import Address Table (IAT) / Export Address Table (EAT) hooking works.)
4. Rootkits: What they are, and how to find them
(Describes techniques that build on the previous classes, plus new techniques not covered elsewhere.)
Some of the sub-classes, such as Introductory Intel x86, are also prerequisites for other knowledge paths, such as the future reverse engineering and trusted computing class paths that will be advertised here. Taking these classes now will therefore save you time later when pursuing other specialty areas.
Individual class forum subreddits have been set up, so that students taking the classes for different knowledge paths can see the questions other students have asked.
Please post individual class questions here:
Xeno Kovah has a Masters in Information Security from Carnegie Mellon University, is a Lead Security Engineer at The MITRE Corporation (which runs CVE), and has spent the last 5 years focusing on security areas related to malware.