CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis


Introduction to Malware Analysis and Reverse Engineering

CS6038/CS5138 Malware Analysis
Department of Electrical Engineering and Computing Systems
College of Engineering and Applied Science
University of Cincinnati
Meets every Tue/Thu in 3210 RECCENTER @ 4:00PM-5:20PM

Want to participate? Apply to Graduate School here.

This class introduces CS graduate students to malware concepts, malware analysis, and black-box reverse engineering techniques. The target audience is computer science graduate students or undergraduate seniors without prior cyber security or malware experience. It introduces the students to types of malware, common attack recipes, some tools, and a wide array of malware analysis techniques.

In general, if you’ve taken the following courses, you should have a good foundation for the class:
CS4029/6029 - Operating Systems
CS2029 - Data Structures

As virtualization is a key ingredient of any malware analysis, students are expected to have access to a laptop that can run multiple virtual machines at a time, with adequate CPU, RAM, and available disk storage. The minimum configuration expected to work well is a system with 4 cores (4 or 8 threads), 16GB of RAM, and at least 150GB of free disk space. Lesser configurations may work, but will likely increase wait times, limit multitasking, and generally add to frustration.

Ghidra API Documentation

As the https://ghidra.re site appears to be down, I have hosted an up-to-date copy of the Ghidra API documentation here:

Feel free to open an issue on GitHub if you ever find it is out of date, and I will update it.

Explore By Topic

Here is a list of topics that I have lectured on; feel free to explore the content if you’re looking for information on specific areas of malware analysis or reversing.

acrobat android apk asm autoruns cfg c clamav debugger decompilation disassembly dynamic editing exiftool ffdec gdb ghidra immunity-debugger inetsim java metasploit mft2csv mobile mongodb msoffice objdump ole patching plaso pdf pdfparser pupy python rtf run-time-analysis strings sysmon virtualbox virustotal volatility vm vscan winpmem x86-64 x86 yara

Course syllabus

Lectures/notes/videos (from 2021 class)

2021-04-11 - Java & Mobile Malware Analysis (lecture)
2021-04-11 - Dynamic Analysis, Run-Time Debugging, and Yara (lecture)
2021-04-06 - Host Exploitation and Forensic Analysis (lecture)
2021-03-21 - Ghidra Scripting for Analysis and Machine Learning Applications (lecture)
2021-03-08 - Ghidra Scripting Introduction (lecture)
2021-03-05 - More Ghidra Code Analysis (lecture)
2021-02-28 - Ghidra Code Analysis (lecture)
2021-02-08 - Assembly Language Crash Course (Pt. 2), A Deeper Dive (lecture)
2021-02-08 - Assembly Language Crash Course (Pt. 1) (lecture)
2021-02-08 - Ghidra Intro (lecture)
2021-02-01 - Basic Static Analysis of Malware (lecture)
2021-01-24 - Malware Research Online (lecture)
2021-01-13 - Malware Taxonomy Discussion (lecture)
2021-01-13 - Introduction to Course and VirtualBox (lecture)

Lectures/notes/videos (from prior classes)

Previous Lectures Archived Here (Look here if you’d like complete sets of lectures)

Assignments
LAB04: Ghidra Scripting (Due: Tuesday, 2021-04-13 11:59PM)
LAB03: Ghidra 101 & OSINT Research (Due: Thursday, 2021-03-25 11:59PM)
LAB02: PDF Payload Analysis 101 (Due: Friday, 2020-02-19 11:59PM)
LAB01: VM Setup and Test (Due: Wednesday, 2020-02-03 11:59PM)

Assignments (old)

LAB02: Building a Custom Attack (Due: Tuesday, 2020-01-23 11:59PM)
LAB01: VM Setup and Test (Due: Tuesday, 2020-01-16 11:59PM)
Final: Malware Analysis Report (Due: Saturday, 2018-04-28 11:55PM)
HW04: Dynamic Malware Monitoring (Due: Sunday, 2017-04-22 11:55PM)
HW03: Yara Binary Code Analysis (Due: Sunday, 2017-03-25 11:55PM)
HW02: Yara Static Analysis Using Strings, Observables (Due: Sunday, 2018-03-18 11:55PM)
HW01: VM Setup, Virtual Networking, Traffic Capture (Due: Thursday, 2018-02-15 11:55PM)
Final: Malware Analysis Report (Due: Friday, 2017-04-28 11:55PM)
HW05: Yara Binary Code Analysis (Due: Sunday, 2017-04-23 11:55PM)
HW04: Yara Static Analysis Using Strings, Observables (Due: Sunday, 2017-04-23 11:55PM)
HW03: Static Analysis Utility (Due: Thursday, 2017-03-02 11:55PM)
HW02: Kali Metasploit Experiment (Due: Tuesday, 2017-02-21 11:55PM)
HW01: VM Setup, Virtual Networking, Traffic Capture (Due: Thursday, 2017-02-16 11:55PM)

Other videos on malware I’ve done