Practical Malware Analysis for CCSF

Submitting Projects

CCSF students must do these things to get credit:

  • Perform the project steps until you find a flag
  • Capture a whole-desktop image showing the flag
  • Outline or highlight the flag in the image
  • Submit the image in the appropriate Project in Canvas
  • Type the flag into the text field

Prepare a Windows VM

Recommended
    PMA 41: Windows 10 or 11 with Analysis Tools  20
Alternative Local System
    ED 32: Windows Virtual Machine  15 extra
Best Cloud System
    PMA 60: Windows 10 on Azure Cloud  15 extra
Alternate Cloud System
    PMA 30: Windows 2016 Server on Google Cloud  15 extra
Very Old, Not Recommended
    H 2: Windows 2016 Server Virtual Machine  15 extra

Malware Analysis

PMA 101: Basic Static Techniques  20 + 30 extra
F 211: Memory Forensics of LastPass and Keeper  25 extra
PMA 110: capa  15 extra
PMA 221: Basic Dynamic Analysis  30 + 30 extra
PMA 222: Making a Windows Keylogger  10 extra

PE Files and DLLs

PMA 105: Process Explorer  10
PMA 102: Unpacking  25
PMA 121: Unpacking with OllyDbg and pestudio  20 + 30 extra
PMA 122: PE Headers  10 + 40 extra
PMA 123: Importing DLLs  15 + 30 extra
PMA 124: DLL Hijacking  15
PMA 125: Installing Visual Studio 2019  10 extra
     Not needed for Win 10 with Tools VM
PMA 126: DLL Proxying  20
PMA 403: API Monitor  15

Debugging

PMA 301: x86 Assembler with Jasmin  10 + 10 extra
PMA 340: Windows ARM Executable  15 extra
PMA 401: Simple EXE Hacking with OllyDbg  30 + 90 extra
PMA 402: Hacking Minesweeper with OllyDbg  15 + 30 extra
PMA 404: Adding Code to an EXE in a New Section  20 extra

Kernel Debugging

PMA 410: Kernel Debugging with LiveKD  15
PMA 430: The New WinDbg  15
PMA 431: WinDbg: Source-Level Debugging  10
PMA 432: WinDbg Preview: Kernel Debugging  35 extra
PMA 433: Kernel Debugging with Breakpoints  30 extra
PMA 434: Debugging a Driver  30 extra

Bootkits

PMA 420: Bootkit Analysis with Bochs  15 extra
PMA 421: Understanding the MBR  70 extra
TPM 1: Trusted Platform Modules on Windows  15 extra

DOT NET

PMA 132: Reversing a .NET Executable  40 extra
ED 330: Using C# DOT NET  20 extra
ED 331: Dot Net Reflector  45 extra

PowerShell

U-Cen and U-Cyb: PowerShell  75 extra

Rust

R 10: Rust Basics, Overflows, & Injection  35 extra
R 20: Dangling Pointers & Memory Leaks in Rust  35 extra

Disassembly

PMA 303: IDA Pro  20 + 20 extra
PMA 304: C Constructs in Assembly  15
PMA 510: Starting with Ghidra  10 extra
PMA 511: Ghidra Data Displays  40 extra

Windows Memory Protections

ED 301: Windows Stack Protection I: Assembly Code  15 extra
ED 302: Windows Stack Protection II: Exploit Without ASLR  15 extra
ED 303: Windows Stack Protection III: Limitations of ASLR  15 extra
ED 310: Windows Mitigations  10 extra

Assembly Language

Don't submit these projects in Canvas; use the scoring system below

Enter Flags · Scoreboard

Prepare a Linux VM

ED 30: Linux Virtual Machine  15 extra
H 201: Google Cloud Linux Server  10 extra
ASM 100: Basics  69 extra
ASM 104: Bases & Printing  40 extra
ASM 105: ASCII  20 extra
ASM 110: Gdb  30 extra
ASM 120: Files  55 extra
ASM 200: Caesar Cipher  35 extra
ASM 210: XOR  20 extra
Scores archived 10-5-2021
Scores archived 10-11-2022
Scores archived 1-26-24

Virtual Machine Resources

Download Textbook Labs Here

Hypervisors

VMware Player (for Windows hosts, free)
VMware Fusion (for Mac hosts, 30-day trial)
VirtualBox (free for all platforms)


PMA 432 and 132 changed to extra credit 4-2-24
"Preview" removed from PMA 430 and 431 4-22-24