This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Unit 3 of REMA
Reversing Malicious Code
Assembly logic structures, control flow analysis, Windows API patterns in malware, DLL analysis, code injection, API hooking, Living-off-the-Land, and x64 analysis.
Topics
Assembly Logic Structures in the Disassembler
How if/else, for/while loops, and switch statements compile to x86 assembly — pattern recognition in disassembly, jump tables, XOR decryption loop identification, and CFG obfuscation techniques.
Control Flow Analysis
Basic blocks, CFG construction, reading IDA Pro graph view edge colours, and four CFG obfuscation techniques — opaque predicates, overlapping instructions, indirect jumps, and SEH abuse — with bypass approaches.
Windows API Patterns in Malware
The four core Windows API sequences — registry persistence, hook and poll keylogging, HTTP C2 communication, and dropper/downloader behaviour — with assembly examples and MITRE ATT&CK mappings.
DLL Analysis
How malicious DLLs differ from executables, DllMain as the attack entry point, export analysis including ordinal-only exports, rundll32 analysis workflow, and DLL side-loading detection.
Code Injection Techniques
Classic DLL injection, reflective DLL injection, process hollowing, and APC injection — API sequences, detection indicators, Volatility plugins for each technique, and analyst countermeasures.
API Hooking
Inline trampoline hooking and IAT hooking — installation mechanics, trampolines, rootkit file hiding via NtQueryDirectoryFile, detection tools, and identifying hooks in x64dbg.
Living off the Land (LotL)
Nine LOLBins with command examples, the four abuse categories, suspicious parent-child process relationships, Sysmon detection rules, and the LOLBAS Project as a reference.
Extending to x64 Analysis
x64 vs x86 differences for reverse engineers — sixteen registers, Microsoft x64 ABI calling convention, shadow space, RIP-relative addressing, reading API arguments in x64dbg, and the Heaven Gate technique.
Unit 3 Knowledge Check
Test your understanding of all Unit 3 topics — assembly logic structures, control flow analysis, Windows API patterns, DLL analysis, code injection techniques, API hooking, Living-off-the-Land, and x64 analysis — with 20 multiple-choice questions. A certificate is issued on your first passing attempt.