Course Syllabus
UNIVERSITY OF CENTRAL FLORIDA
DEPARTMENT OF COMPUTER SCIENCE
CAP 4145 Introduction to Malware Analysis
Spring 2020
Instructor: Jerry Hensel
Office: HEC 328
Phone: 407-459-0375
E-Mail: ghensel@eecs.ucf.edu
Office Hours: By appointment only.
Course Name: CAP 4145 Introduction to Malware Analysis
Credits: 3.00
Duration: Jan 7, 2020 - Apr 30, 2020
Time: TuTh 12:00PM - 1:15PM
Location: HEC 0103
TA: N/A
Email: N/A
COURSE DESCRIPTION
Introduction to using reverse engineering techniques to find and analyze the behavior of programs in binary form; assembly language, reverse engineering tools, and virtual machines.
REQUIRED TEXTBOOK
Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software
by Michael Sikorski and Andrew Honig, February 2012, 800 pp., ISBN-13: 978-1-59327-290-6
COURSE PREREQUISITES
CIS 3360 Security in Computing - UCF CS
DESCRIPTION OF INSTRUCTIONAL METHODS
- The course web site is located within Webcourse, which will be available around the time school starts. Please go to the website and find out how to get your passwords if necessary.
- Announcements, questions (and answers), etc. will be available through Webcourse.
- Lecturing is based on a textbook or/and learning materials provided.
- Programming may be practiced in the lab.
- Students will be expected to be prepared for class, and must complete the assignments by the due dates.
COURSE REQUIREMENTS
Class Attendance Policy
Students should attend the class in the classroom.
Cheating and Plagiarism Policy
All forms of academic dishonesty will result in an F for the course and notification of the Academic Dishonesty Committee. Academic dishonesty includes (but is not limited to) plagiarism, copying answers or work done by another student (either on an exam or assignment), allowing another student to copy from you, and using unauthorized materials during an exam.
Make-up Exams
- Make-up exams will only be given in case of serious need and only when the instructor is notified prior to the exam time. Otherwise, the grade is automatically zero for that exam/quiz.
- Written verification of the student's inability to take an exam will be required.
- The make-up exams will be different from those given to the class.
COURSE OBJECTIVES
- Basic malware analysis
- Advanced static analysis
- Advanced dynamic analysis
- Malware behavior
- Anti-reverse engineering
- Shell code analysis
EVALUATION PROCEDURES (tentative)
Components of Course Grade:
- Assignments: 20%
- Midterm Exam: 30%
- Final Exam: 30%
- Term Project: 20%
Grade Scale:
- A: 90 ~ 100
- B: 80 ~ 89
- C: 70 ~ 79
- D: 60 ~ 69
- F: below 60
Homework Assignments
- All assignments are to be turned in on or before the due date and time. Students who attempt to turn in an assignment electronically but cannot because the campus network is down will not be penalized.
- An assignment turned in up to 24 hours late will be reduced by 10% of the assignment's worth; an assignment more than 24 hours late will be reduced by 100%.
- The due date and time for each assignment will be specified on assignment postings.
- All assignments are expected to be individually and independently completed. Should two or more students turn in substantially the same solution or program, in the judgment of the instructor, the assignment will be given a grade of zero. A second such incident will result in an F grade for the course.
Exams
- Exams are based on textbooks, supplementary materials, and assignments.
Projects
- There will be individual or group assignment/projects.
- Each member of this class is required to join a team of at most 2 students. A team must have a team leader coordinating the communication with members and the instructor.
- Each team must be formed within 2 weeks from the semester start and the team leader will report the list of members to the instructor once the team is formed.
- Team work is encouraged since all members of a team will receive the same score based on the entire team’s performance for team projects.
UNIVERSITY DEADLINES: Refer to Academic Calendar
EARLY ALERT STATEMENT
Academic Success Support
As your professor, I am personally committed to supporting YOUR academic success in this course. For that reason, if you demonstrate any academic performance or behavioral problems which may impede your success, I will personally discuss and attempt to resolve the issue with you. If the situation persists, I will forward my concern to the Student Development Office and your academic advisor to seek their support and assistance in the matter. My goal is to make your learning experience in this course as meaningful and successful as possible.
Americans with Disabilities Act (ADA) Statement
TENTATIVE CLASS SCHEDULE
The schedule may be adjusted based on the actual progress in the semester. The instructor reserves the right to change the topics.
Module | Week | Topics | Description |
---|---|---|---|
Module 1 | | Basic malware analysis | |
Module 2 | | Advanced static analysis | |
Module 3 | | Advanced dynamic analysis | |
Module 4 | | Malware behavior | |
Module 5 | | Anti-reverse engineering | |
Module 6 | | Shell code analysis | |
Tools
- Windows XP Mode
- VirtualBox
- Labs for Practical Malware Analysis
- LPE-DLX_1.4, LordPE
- PEiD-0.95-20081103 (or PEiD)
- PEview
- Stud_PE
- Regshot
- Resource Hacker (or ResHackerPortable)
- Strings (1) (or Strings (2))
- Dependency Walker 2.2 (1) (or depends22_x86 (2))
- 94 (or upx309w)
- md5deep
- WinMD5Free
- procmon
- Process Explorer
- XVI32
- 7-Zip
- ApateDNS, needs .Net Framework 3.5 (Note: .Net Framework 3.5 setup needs Internet)
- Netcat
- INetSim (Linux)
- Fakenet
- Microsoft® Visual Studio® 2005 Express Editions (Note: setup needs Internet). (or Microsoft Visual Studio 2005 is desired if available)
- Windows SDK and emulator archive, including Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1 (works with Windows XP SP3 and VC++ 2005) (Note: setup needs Internet)
- MASM32 SDK 11
- FileAlyzer0
- HxD
- IDA Free (Disassembler, now 7.0 cannot run on Windows XP)
- OllyDbg
- Sysinternals Suite
- Windbg
- Wireshark-win32-1.10.14.exe (Windows XP)
- Wireshark all Win32 versions
- ImpREC
- radare2 (Disassembler)
- Malcode Analyst Pack (Note: installer may need Internet)
- Hybrid Analysis
- VirusTotal
- pikker.ee