EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.

Sign inCreate account
REMA units

Unit 2 of REMA

Fundamentals of Malware Analysis

The analysis environment, PE file structure, static property examination, process memory layout, behavioural analysis, and exploit mitigations.

Topics

2.1

Assembling the Analysis Toolkit

Building a safe malware analysis environment — VM configuration, network isolation, pre-built distributions (FlareVM, REMnux), and the complete tool stack organised by category.

25 min
2.2

File Identification and Hashing

Cryptographic hashing as the first step of malware triage — MD5 vs SHA-256, fuzzy hashing with ssdeep, import hash (imphash), VirusTotal querying, and interpreting detection ratios.

20 min
2.3

The Portable Executable (PE) File Format

The internal structure of Windows executables — DOS header, PE signature, File Header, Optional Header, Data Directories, section table, RVAs, and the anomalies that indicate packed or malicious binaries.

30 min
2.4

Entropy Analysis

Shannon entropy as a packing and encryption detector — entropy ranges, per-section interpretation, the VirtualSize vs SizeOfRawData trick, and reading entropy output from PEStudio and DIE.

20 min
2.5

Import Address Table (IAT) Analysis

Reading the IAT to infer malware behaviour before execution — suspicious API patterns, what a stripped IAT indicates, API hashing, and capability mapping with Capa.

25 min
2.6

String Analysis

Extracting intelligence from embedded strings — the strings command limitations, FLOSS for stack strings and XOR-decoded content, and a systematic search workflow for network, file, registry, and attribution indicators.

20 min
2.7

Process Memory Layout

How Windows arranges a process in virtual memory — stack growth direction, heap allocation, PE section mapping, and how to interpret register values and EIP location in a debugger.

25 min
2.8

OS-Level Exploit Mitigations

ASLR, DEP, and stack canaries — the mechanism behind each mitigation, entropy levels by architecture, bypass techniques (ROP chains, info leaks), and why analysts need to recognise these patterns.

25 min
2.9

Behavioural Analysis of Windows Executables

The seven-step dynamic analysis workflow, three monitoring dimensions with tools, Procmon filter configuration, persistence mechanism identification, network simulation with FakeNet-NG, and building a structured behavioural report.

35 min
2.10

Unit 2 Knowledge Check

Test your understanding of all Unit 2 topics — the analysis toolkit, file hashing, PE format, entropy analysis, IAT analysis, string analysis, process memory layout, exploit mitigations, and behavioural analysis — with 20 multiple-choice questions. A certificate is issued on your first passing attempt.

30 min