Malware Analysis · Lecture Notes

Malware Analysis Lecture Notes v0.1 · Insert Week

This template is prepared for classes on C↔ASM mapping, Windows (PE) & Linux (ELF) basics, and static/dynamic analysis workflow. Replace placeholder text with your real lesson plan and resources.

Learning Objectives

  • Explain how a single line of C translates to assembly.
  • Compare x64 calling conventions (Windows vs SysV) using examples.
  • Identify sections and entry points of simple PE/ELF binaries.
  • Trace register/stack changes using x64dbg or gdb.

Sample Schedule

Week | Topic | Assignments
W1 | Tools: VS Code/FLARE-VM, REMnux/Kali, x64dbg, Ghidra | Complete setup checklist
W2 | C→ASM mapping, optimization effects | Handout #1
W3 | Calling conventions practice | Mini report
W4 | PE/ELF structure & dynamic loading | Handout #2

Add or remove rows based on your actual plan.

Required Reading

  1. Handout: x64 Calling Conventions (Windows vs SysV)
  2. Slides: PE file structure basics
  3. Notes: ELF PLT/GOT basics
  4. Debugging essentials: breakpoints, stack, registers

Tool Setup Checklist

  • Windows VM + VS Code / FLARE-VM
  • Linux VM (optional): REMnux or Kali
  • Static analysis: Ghidra or IDA Free
  • Dynamic analysis: x64dbg (Windows), gdb (Linux)
  • Extras: radare2, objdump

VS Code C/C++ Launch Configuration Example

{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Launch x64 (Windows)",
      "type": "cppvsdbg",
      "request": "launch",
      "program": "${workspaceFolder}\\build\\app.exe",
      "args": [],
      "cwd": "${workspaceFolder}",
      "stopAtEntry": false,
      "console": "integratedTerminal"
    }
  ]
}

Lab Assignments

  1. C→ASM: Compare -O0 vs -O2 or /Od vs /O2 assembly outputs.
  2. Calling Convention: Write functions with 1–6 parameters; observe register/stack usage.
  3. File Format: Capture section list & entry point of a PE/ELF.
  4. Dynamic Analysis: Trace function prologue/epilogue using x64dbg or gdb.

Warning. Run labs only inside an isolated VM. Do not copy suspicious files to your host OS.
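
As an added example for the calling-convention lab (not part of this template or its handouts), the C program below answers the question a student faces when a breakpoint fires on the first instruction of a function in gdb or x64dbg: where is integer/pointer argument n under the SysV (Linux) and Microsoft x64 (Windows) conventions? The function names and the sample lab target f6 are this example's own.

```c
/* Added example: locate integer/pointer argument n (1-based) at the first
 * instruction of a callee.  Floating-point arguments travel in XMM registers
 * and are out of scope here. */
#include <stdio.h>
#include <string.h>

typedef enum { CC_SYSV, CC_WIN64 } cc_t;

static const char *const sysv_regs[]  = { "rdi", "rsi", "rdx", "rcx", "r8", "r9" };
static const char *const win64_regs[] = { "rcx", "rdx", "r8", "r9" };

/* Register holding argument n, or NULL if it was passed on the stack. */
const char *arg_register(cc_t cc, int n) {
    if (cc == CC_SYSV) return (n >= 1 && n <= 6) ? sysv_regs[n - 1]  : NULL;
    else               return (n >= 1 && n <= 4) ? win64_regs[n - 1] : NULL;
}

/* Offset from RSP (at function entry) of a stack-passed argument, or -1 when
 * the argument is in a register.  [rsp+0] holds the return address pushed by
 * CALL; SysV stack arguments begin directly above it at [rsp+8].  On Win64
 * the caller also reserves 32 bytes of shadow space for the four register
 * arguments, so the first stack argument (n=5) sits at [rsp+0x28]. */
int arg_stack_offset(cc_t cc, int n) {
    int nregs = (cc == CC_SYSV) ? 6 : 4;
    if (n <= nregs) return -1;
    int first = (cc == CC_SYSV) ? 8 : 8 + 32;
    return first + 8 * (n - nregs - 1);
}

/* Lab 2 target: compile with -O0 and -O2 (or /Od and /O2), then disassemble
 * f6 and compare the register/stack usage with the table printed by main. */
long f6(long a, long b, long c, long d, long e, long f) {
    return a + 2*b + 3*c + 4*d + 5*e + 6*f;
}

int main(void) {
    const char *names[] = { "SysV ", "Win64" };
    for (int cc = 0; cc < 2; cc++) {
        printf("%s", names[cc]);
        for (int n = 1; n <= 8; n++) {
            const char *r = arg_register((cc_t)cc, n);
            if (r) printf(" arg%d=%s", n, r);
            else   printf(" arg%d=[rsp+0x%x]", n, arg_stack_offset((cc_t)cc, n));
        }
        putchar('\n');
    }
    printf("f6(1..6) = %ld\n", f6(1, 2, 3, 4, 5, 6));  /* keeps f6 referenced */
    return 0;
}
```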

FAQ

Which platform should I start with?

If your focus is Windows malware, start with Windows (PE, WinAPI, MS x64). The toolchain is mature and beginner-friendly.

How should I submit assignments?

Either submit a single PDF with screenshots or a Git repo with a README summarizing results.

References / Further Reading

  • Practical Malware Analysis (book)
  • Malware Unicorn blog
  • Windows Internals / ELF specs
  • Official docs for all tools (see Quick Links)