This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Unit 2 of REMA
The analysis environment, PE file structure, static property examination, process memory layout, behavioural analysis, and exploit mitigations.
Building a safe malware analysis environment — VM configuration, network isolation, pre-built distributions (FlareVM, REMnux), and the complete tool stack organised by category.
Cryptographic hashing as the first step of malware triage — MD5 vs SHA-256, fuzzy hashing with ssdeep, import hash (imphash), VirusTotal querying, and interpreting detection ratios.
The internal structure of Windows executables — DOS header, PE signature, File Header, Optional Header, Data Directories, section table, RVAs, and the anomalies that indicate packed or malicious binaries.
Shannon entropy as a packing and encryption detector — entropy ranges, per-section interpretation, the VirtualSize vs SizeOfRawData trick, and reading entropy output from PEStudio and DIE.
Reading the IAT to infer malware behaviour before execution — suspicious API patterns, what a stripped IAT indicates, API hashing, and capability mapping with Capa.
Extracting intelligence from embedded strings — the strings command limitations, FLOSS for stack strings and XOR-decoded content, and a systematic search workflow for network, file, registry, and attribution indicators.
How Windows arranges a process in virtual memory — stack growth direction, heap allocation, PE section mapping, and how to interpret register values and EIP location in a debugger.
ASLR, DEP, and stack canaries — the mechanism behind each mitigation, entropy levels by architecture, bypass techniques (ROP chains, info leaks), and why analysts need to recognise these patterns.
The seven-step dynamic analysis workflow, three monitoring dimensions with tools, Procmon filter configuration, persistence mechanism identification, network simulation with FakeNet-NG, and building a structured behavioural report.
Test your understanding of all Unit 2 topics — the analysis toolkit, file hashing, PE format, entropy analysis, IAT analysis, string analysis, process memory layout, exploit mitigations, and behavioural analysis — with 20 multiple-choice questions. A certificate is issued on your first passing attempt.