CS-6747 - Advanced Malware Analysis


    Reviews


    Semester:

    Lectures were okay, but the projects were pretty interesting!


    Semester:

    I could describe this course with two words: fun & engaging. After finishing the course I had the feeling I had learned a ton of new things.

    Projects:

    • Lab1: ~2hrs -> 100. Leave comments in Ghidra in a “hello world” program.
    • Lab2: ~60hrs -> 100. Do the same thing as Lab1 but on real malware.
    • Lab3: ~20hrs -> 100. Build a Python/Java script for static analysis using Ghidra. The Ghidra API has everything you need.
    • Lab4: ~30hrs -> 95. Extend Lab3 to calculate data dependencies with static analysis. Knowledge of data structures is useful.
    • Lab5: ~20hrs -> 100. Build a control flow graph using dynamic analysis with PIN. Again, the PIN API and online examples can lead you to victory.
    • Lab6: CANCELLED

    Reading Slides:

    DO NOT LEAVE IT FOR THE LAST MINUTE. I spent 5 days in August reading 33 papers. I got 100.

    Course Material:

    Really nice content. Super helpful office hours. Very fast Piazza responses by the TA.

    General Review:

    Everyone interested in security should take this class. Also, there is a lot of EXTRA CREDIT in case you feel you won’t make it. I think that anyone who gives something to this course will get away with a good grade. I got an A.


    Semester:

    This is the most well-organized class I’ve ever taken; the professor and Chow were very responsive and they interacted with the class. The office hours were informative and fun, even if you didn’t need help. I was worried this class would push me to the edge with it being an advanced topic and a compressed semester, and I was right, but I don’t regret it since I learned so much. This is what a graduate class is supposed to be like!

    There is a reading slide assignment and 6 labs, they dropped the sixth lab for our semester due to technical and scheduling problems. No tests or quizzes. I recommend doing one or two module PDFs per week to stay on top of them, I put them all off until the end of the semester and my brain was exhausted.

    The first two labs require reading ASM and C++ to understand what the malware is doing; definitely read the provided PDF if you aren’t familiar with ASM, since you’re going to work with it a lot in this course. The last four require coding skills in C++ (PIN) and Java/Python (Ghidra). I highly recommend getting a partner. If you aren’t technical, this may not be a good course for you, as everything is pure application and addressing corner cases in code.


    Semester:

    I was lucky enough to have a great partner who saved me for the coding projects. I’m not a developer and do not have a CS background. Project 2 was commenting a lot of ASM. It wasn’t all that hard, but it just took a very long time.

    I think this was the first time the course was offered during the summer, and there were some scheduling issues with projects. During the normal semester there was no overlap; however, we had times where a project was still outstanding when the next project was released. Project 6, the final project, ended up being canceled due to issues with the lab not working, and the students, TA & prof had to work together to get a working VM.

    The TA & prof were very involved. The TA Chow would sometimes answer stuff in minutes. Both the TA & Prof office hours were very informative.


    Semester:

    Depending on your background, and on whether or not you have a partner (groups of 2 are allowed but not forced), this course could take significantly more time, but if you’re familiar with general assembly language constructs/logic flows/stack operations then this course is fairly straightforward. You get a really good dive into a piece of Windows malware and get to use Ghidra and PIN to analyze the same binary throughout the course in different ways and learn different methodologies for analyzing binaries. No tests or quizzes makes this a 10/10 course. If you put in the effort and make sure you at least reasonably understand the material, there’s no reason you won’t get an A. The professor is very engaging and clearly passionate about the work.


    Semester:

    I thought this class was difficult and didn’t focus much on malware analysis. The only thing that makes it a malware class is that the software sample you are working on is malicious. You could do the exact same projects on any other executable and the content would be just about the same. This course should probably be named “advanced control flow toolkit development”. That being said, you can use these skills for malware analysis, but I just had a different expectation before registering.

    You have the option to partner up for each of the assignments. I would HIGHLY recommend syncing up with someone early and working through the semester with that same partner. Projects 3&4 and 5&6 build off each other, so it wouldn’t be useful or advised to change partners on those.

    I’m intermediate with Python and had never used C++ before, and if it wasn’t for my partner, I would have dropped. I wouldn’t register for this class unless you are at least a strong programmer in Python. Knowing how to read assembly beforehand is also a must.

    Grading: projects are worth 90% of the grade. The other 10% is piazza participation and creating a slide deck for the weekly readings. No textbook required and no quizzes or exams.

    Project 1: Learn the Ghidra interface. Review a hello world program in Ghidra and add comments as to what each asm instruction is doing.

    Project 2: Add Ghidra comments to a real malicious sample. The sample has around 30 functions, so there was a ton of assembly to review. This was super time consuming, and I don’t know how you would work through this without a partner.

    Project 3: Create a def-use Ghidra plugin. Write a Ghidra tool in Python or Java to follow how each register is updated. Output results into a .dot graph.

    Project 4: Create a data dependence Ghidra plugin that tracks which assembly instructions are dependent on previous instructions. Output results into a .dot graph.

    Note about projects 5 and 6: the professor recommended using Intel’s PIN tool, but writing another Ghidra plugin was acceptable. For those not familiar with PIN, it is written in C++. If you aren’t familiar with C++, you can stick with Python, which is nice.

    Project 5: Write a PIN/Ghidra dynamic control flow tool. Track the execution path of an executable and output the flow to a .dot file.

    Project 6: Create a PIN/Ghidra dynamic control dependence tool. Track the dependence of functions during execution.

    Pros: The professor and TAs are very engaged and obviously well versed in the subject. It made it easy to learn a lot from them. I feel very confident with assembly after working through this course.

    Cons: I was hoping the class would involve more use of debuggers, dumping objects from memory, unpacking binaries, etc. It ended up basically just being software development for Ghidra and PIN.

    Summary: The class was very challenging and enjoyable. I probably invested at least 20 hours into each project but you have plenty of time to complete them. I would take it again.
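    The def-use and data dependence plugins described in Projects 3 and 4 above boil down to a reaching-definitions pass over the instruction stream followed by DOT output. The block below is an added example, not code from any reviewer or from the course, and it does not use the Ghidra API: the six-instruction x86 loop, its register reads/writes and its control-flow successors are all constructed by hand here (in a real plugin those would come from the disassembler, e.g. Ghidra's Instruction.getInputObjects()/getResultObjects() and getFlows(), which are assumed here rather than exercised). The flag written by dec and read by jnz is modelled as a pseudo-register so the branch shows up as a dependence, and ebx, which the snippet reads but never writes, correctly produces no edge.

```python
"""Def-use / data-dependence graph over a small, constructed x86 snippet.

Each instruction is (address, asm text, registers read, registers written),
with explicit control-flow successors. A reaching-definitions fixpoint runs
over that CFG; each (definition -> use) pair that survives becomes a
data-dependence edge, emitted as Graphviz DOT.
"""
from collections import defaultdict

# Constructed sample (not from the course): sum ecx down to zero into eax.
# The zero flag is modelled as the pseudo-register "zf".
INSNS = [
    (0x401000, "xor eax, eax",   (),             ("eax",)),
    (0x401002, "mov ecx, 3",     (),             ("ecx",)),
    (0x401007, "add eax, ecx",   ("eax", "ecx"), ("eax",)),        # loop head
    (0x401009, "dec ecx",        ("ecx",),       ("ecx", "zf")),
    (0x40100a, "jnz 0x401007",   ("zf",),        ()),
    (0x40100c, "mov [ebx], eax", ("eax", "ebx"), ()),
]

# Fallthrough plus taken-branch successors, keyed by address.
SUCCS = {
    0x401000: [0x401002],
    0x401002: [0x401007],
    0x401007: [0x401009],
    0x401009: [0x40100a],
    0x40100a: [0x40100c, 0x401007],   # back edge closes the loop
    0x40100c: [],
}


def reaching_definitions(insns, succs):
    """Forward dataflow: IN[n] = set of (def_addr, reg) pairs visible at n.

    OUT[n] = GEN[n] | (IN[n] - KILL[n]); iterate until no OUT set changes.
    Sets only grow, so the loop terminates.
    """
    preds = defaultdict(list)
    for a, ss in succs.items():
        for s in ss:
            preds[s].append(a)
    out = {a: set() for a, _, _, _ in insns}
    changed = True
    while changed:
        changed = False
        for a, _, _, defs in insns:
            in_set = set().union(*(out[p] for p in preds[a]))
            # KILL: every earlier definition of a register this insn overwrites
            survivors = {d for d in in_set if d[1] not in defs}
            new_out = survivors | {(a, r) for r in defs}
            if new_out != out[a]:
                out[a] = new_out
                changed = True
    return {a: set().union(*(out[p] for p in preds[a])) for a, _, _, _ in insns}


def data_dependences(insns, succs):
    """Sorted (def_addr, use_addr, reg) triples: use_addr reads reg as written at def_addr."""
    ins = reaching_definitions(insns, succs)
    edges = set()
    for a, _, uses, _ in insns:
        for def_addr, reg in ins[a]:
            if reg in uses:
                edges.add((def_addr, a, reg))
    return sorted(edges)


def to_dot(insns, edges):
    """Render instructions as nodes and dependences as labelled edges (Graphviz)."""
    lines = ["digraph datadep {", "  node [shape=box fontname=monospace];"]
    for a, text, _, _ in insns:
        lines.append(f'  n{a:x} [label="{a:#x}: {text}"];')
    for d, u, reg in edges:
        lines.append(f'  n{d:x} -> n{u:x} [label="{reg}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(INSNS, data_dependences(INSNS, SUCCS)))
```

    Piping the output through `dot -Tpng` gives the same kind of graph the projects ask for; the loop-carried edges (add depending on its own earlier result, dec on itself) only appear because the analysis runs to a fixpoint over the CFG rather than walking the listing once. The dynamic control-flow tool in Project 5 emits edges the same way, except that the successor pairs come from observed execution instead of a static successor table.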


    Semester:

    Excellent course covering reverse engineering/binary analysis techniques.

    Topics include understanding assembly, reversing tools such as Ghidra, and other approaches to extract structured info from a binary executable. This course focuses heavily on reverse engineering techniques (control flow graph extraction, data tracking analysis, static vs dynamic analysis, etc.) and does NOT focus on pre-built/automated tools which abstract away the analysis details, such as an automated sandbox like Cuckoo, nor does it focus much on OS-specific attack points.

    Lecture materials are well organized and things flow very nicely. Projects are aligned with the lecture materials. Lectures are interesting and present complex materials in a clear manner. Projects are very technical in nature, but clearly stated. Python/Java and coding in C were required. I had just a tiny bit of experience with writing C, and did fine; YMMV.

    Overall this has been my favorite class in the OCY program thus far :). If you believe you may be interested in binary analysis or reverse engineering, then I highly recommend this class. I rank this as hard because extracting data from assembly is a challenging task.