Malware Analysis: Black Hat Edition


Register Now

USA 2011 Weekend Training Session //July 30-31

USA 2011 Weekday Training Session //August 1-2


Almost every computer incident involves some trojan, backdoor, virus, or rootkit. Incident responders must be able to perform rapid analysis on the malware encountered in an effort to determine the purpose of unknown code. This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems. Students will learn to infer the functionality of a program by analyzing disassembly and by watching how it changes a system as it runs in a debugger. They will learn how to extract investigative leads from host and network-based indicators associated with a malicious program and how to identify specific coding constructs in disassembly. They will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in class demonstrations, exercises where the students follow along with the instructor, and labs with real malware where the students practice what they have learned on their own.

What You Will Learn:

  • Hands-on real malware dissection
  • How to create a safe malware analysis environment
  • Malware analysis shortcuts
  • Static Analysis Methodology
  • How to perform dynamic analysis using system monitoring utilities to capture the system, registry and network activity generated during malware analysis
  • Differences between static and dynamic analysis
  • A crash course in assembly language programming
  • Windows Internals and APIs
  • Debuggers
  • IDA Pro

Who Should Attend the Class:

Information technology staff, information security staff, incident responders, computer security researchers, corporate investigators or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

What to bring:

Students must bring their own laptop with VMware Workstation, Server or Fusion installed. Laptops should have 10GB of free space.

Students who cannot meet the laptop requirements because of onsite registration or other reasons, please contact MANDIANT at to see if a laptop can be provided for you.

What You Will Get:

  • Student Manual
  • Class handouts
  • MANDIANT gear


  • Excellent knowledge of computer and operating system fundamentals is required. Computer programming and Windows Internals experience is highly recommended.


Steve Davis is a Senior Consultant in MANDIANT’s Alexandria, Virginia office. He specializes in reverse engineering and penetration testing. Mr. Davis has developed both offensive and defensive software while at Mandiant and previous employers. He has also spoken at Defcon, Black Hat and a variety of other security conferences.

Michael Sikorski is a Principal Consultant at Mandiant. He provides specialized research and development security solutions to the company's federal client base, reverse engineers malicious software discovered by incident responders, and has helped create a series of courses in malware analysis (from beginner to advanced). He has taught these courses to a variety of audiences including the FBI, the National Security Agency (NSA), and BlackHat. Mr. Sikorski has over a decade of professional experience in computer security. A former employee of MIT's Lincoln Laboratory and the NSA, he holds degrees from Columbia University and Johns Hopkins University. He currently holds a Top Secret security clearance.

Ends April 30
Ends Jun 15
Ends Jul 29