Module Details
| Module Code: |
COMP9048 |
| Title: |
Malware Reverse Engineering
|
|
Long Title:
|
Malware Reverse Engineering
|
| NFQ Level: |
Expert |
| Valid From: |
Semester 2 - 2021/22 ( January 2022 ) |
| Field of Study: |
4811 - Computer Science
|
| Module Description: |
This module teaches students the skills required for indepth investigations of modern malware, and the tools used to analyze, defend and recover from malware attacks. Particular emphasis will be put on more advanced topics like Reverse Engineering, and Debugging – as well as low level descriptions of the Windows OS and file formats used by malware. These approaches are key to move from the knowledge of what a malware is doing to the system (from blackboxing), to a deeper level of understanding of the purpose of the code itself.
|
| Learning Outcomes |
| On successful completion of this module the learner will be able to: |
| # |
Learning Outcome Description |
| LO1 |
Evaluate techniques at the forefront of the discipline used in detection strategies and the defence of systems against malicious attacks. |
| LO2 |
Assess complex evidence and communicate subject knowledge clearly to specialist and non-specialist audiences. |
| LO3 |
Examine a commercial Operating System as an attack platform for malicious code. |
| LO4 |
Analyze common non-operating system executable malware, such as PDF or Android |
| LO5 |
Appraise malware through reverse engineering and debugging. |
| Dependencies |
Module Recommendations
This is prior learning (or a practical skill) that is strongly recommended before enrolment in this module. You may enrol in this module if you have not acquired the recommended learning but you will have considerable difficulty in passing (i.e. achieving the learning outcomes of) the module. While the prior learning is expressed as named MTU module(s) it also allows for learning (in another module or modules) which is equivalent to the learning specified in the named module(s).
|
| 12391 |
COMP9047 |
Malware Investigations |
Incompatible Modules
These are modules which have learning outcomes that are too similar to the learning outcomes of this module. You may not earn additional credit for the same learning and therefore you may not enrol in this module if you have successfully completed any modules in the incompatible list.
|
| No incompatible modules listed |
Co-requisite Modules
|
| No Co-requisite modules listed |
Requirements
This is prior learning (or a practical skill) that is mandatory before enrolment in this module is allowed. You may not enrol on this module if you have not acquired the learning specified in this section.
|
| No requirements listed |
| Indicative Content |
|
Windows as an attack surface
System Load Points, Windows Registry, Windows Kernel, Code Injection, System call hooking, Layered Service Providers, Windows Services, Browser Helper Objects, Malware removal from infected systems, Malware defenses, Rootkits
|
|
Reverse Engineering & Debugging
Microsoft Windows PE File format, x86 assembly language, Disassembly and debugging with IDA, Packer analysis, Malware anti-debugging techniques, Windows API
|
|
Non-Windows Executable Malware
PDF File Format, Analysing PDF files, Android Malware, Document Malware
|
|
Core Tools and Techniques
Interactive Dissassembler for Reverse Engineering of malware samples. Ollydby to debug and live analyse running malware code. Dependancy Walker, PE Builder and PeiD to examine in-depth files that make use of the Windows PE file format (used by exe, scr, dll and sys files among others). Different techniques for File Infector malware, and how to disinfect files affected by it. Analysis of packed malware through the use of unpacker tools, but also via dumping memory contents and patching the resulting binaries using Volatilty and other tools. Analysing Android malware with tools such as Dex2Jar. Analysis of PDF files using the Didier Stevens suite of tools. Analysis of Malicious DOC Files.
|
|
Module Content & Assessment
|
| Assessment Breakdown | % |
|---|
| Coursework | 100.00% |
Assessments
| No End of Module Formal Examination |
| Reassessment Requirement |
Coursework Only
This module is reassessed solely on the basis of re-submitted coursework. There is no repeat written examination.
|
The University reserves the right to alter the nature and timings of assessment
Module Workload
| Workload: Full Time |
| Workload Type |
Contact Type |
Workload Description |
Frequency |
Average Weekly Learner Workload |
Hours |
| Lecture |
Contact |
Lecture |
Every Week |
2.00 |
2 |
| Directed Learning |
Non Contact |
Implementation of Malware Analysis Tools |
Every Week |
2.00 |
2 |
| Independent & Directed Learning (Non-contact) |
Non Contact |
Independent & Directed Learning |
Every Week |
3.00 |
3 |
| Total Hours |
7.00 |
| Total Weekly Learner Workload |
7.00 |
| Total Weekly Contact Hours |
2.00 |
| Workload: Part Time |
| Workload Type |
Contact Type |
Workload Description |
Frequency |
Average Weekly Learner Workload |
Hours |
| Lecture |
Contact |
Lecture |
Every Week |
2.00 |
2 |
| Lab |
Contact |
Implementation of Malware Analysis Tools |
Every Week |
2.00 |
2 |
| Independent & Directed Learning (Non-contact) |
Non Contact |
Independent & Directed Learning |
Every Week |
3.00 |
3 |
| Total Hours |
7.00 |
| Total Weekly Learner Workload |
7.00 |
| Total Weekly Contact Hours |
4.00 |
|
Module Resources
|
| Recommended Book Resources |
|---|
-
Eldam Eilam. (2005), Reversing : Secrets of Reverse Engineering, 1. Wiley Publishing inc., [ISBN: 9780764574818].
-
Richard C Detmer. (2009), Introduction to 80x86 Assembly Language and Computer Architecture, Jones & Bartlett Publishers, [ISBN: 9780763772239].
-
Kris Kaspersky. (2007), Hacker Disassembling Uncovered, 2. [ISBN: 9781931769648].
| | Recommended Article/Paper Resources |
|---|
-
Microsoft 2006, Microsoft Portable
Executable and Common Object File Format
Specification,
-
Matt Pietrek, Microsoft 2002. An In-Depth Look into the Win32 Portable
Executable File Format,
-
Matt Pietrek, Microsoft 2002. An In-Depth Look into the Win32 Portable
Executable, Part 2,
| | This module does not have any other resources |
|---|
|
