Add malware patterns cheat sheet and book index

04-malware-patterns.md: API→technique mapping, packer recognition,
anti-analysis assembly patterns, shellcode indicators, document
malware indicators, quick-reference lookup tables.

05-book-index.md: A-Z index of every tool, concept, API, technique,
and malware sample in the FOR610 course with book line numbers and
workbook lab references for quick lookup.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

data/exam-cheatsheets/05-book-index.md

@@ -0,0 +1,347 @@
+# FOR610 Course Book & Workbook Index
+
+> Line numbers refer to book_clean.md. "L" prefix = Lab number in workbook.
+
+## Section Map
+
+| Section | Topic | Book Lines | Labs |
+|---------|-------|-----------|------|
+| **S1** | Malware Analysis Fundamentals | 43–2400 | L1.1–L1.8 |
+| **S2** | Reversing Malicious Code | 2452–5100 | L2.1–L2.8 |
+| **S3** | Beyond Traditional Executables | 5192–7800 | L3.1–L3.12 |
+| **S4** | In-Depth Malware Analysis | 7866–10100 | L4.1–L4.9 |
+| **S5** | Examining Self-Defending Malware | 10453–13300 | L5.1–L5.10 |
+
+---
+
+## A
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| accept-all-ips (httpd) | 1269 | L1.3 |
+| AMSI monitoring | 6704 | L3.6 |
+| AMSIScriptContentRetrieval | 6704 | L3.6 |
+| Android analysis | — | — |
+| Anti-debugging | 10485–10674 | L5.1, L5.6 |
+| Anti-sandbox | 11657 | L5.5 |
+| Anti-VM detection | 10740 | L5.6 |
+| Any.run (sandbox) | 239 | — |
+| API hashing | 6286 | — |
+| API Monitor | 1844–1860 | — |
+| ASLR / DynamicBase | 8151–8190 | L4.2 |
+| Assembly.Load (.NET) | 9677, 10047 | L4.8 |
+| AutoOpen (VBA trigger) | 5771 | L3.3 |
+
+## B
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| base64dump.py | 5988–6035 | L3.4, L4.5 |
+| Beaconing | 304, 1298–1313 | L1.3, L1.6 |
+| bbcrack | 10813–10815 | L5.2 |
+| Behavioral analysis | 72, 896–1380 | L1.2, L1.6 |
+| Binary Ninja | 1429 | — |
+| BlockInput API | 11842–11878 | L5.6 |
+| box-js | 6687 | — |
+| brbbot.exe (sample) | 39, 662–1823 | L1.1–L1.6, L4.1–L4.4 |
+| brxor.py | 10799–10801 | L5.2 |
+
+## C
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| C2 communication | 304, 3233–3353 | L1.3, L1.5, L1.6 |
+| Calling conventions | 3477–3725 | L2.3, L2.4 |
+| capa | 1558–1589 | L1.4, L5.4 |
+| cdecl convention | 3671–3714 | L2.3 |
+| CFF Explorer | 8174–8190 | — |
+| chatroom.exe (sample) | 9597–9797 | L4.8 |
+| checkbox.doc (sample) | 5883–6135 | L3.4 |
+| CheckRemoteDebuggerPresent | 10669 | — |
+| CMP instruction | 3153 | L2.5, L2.6 |
+| Cobalt Strike beacon | 6060–6077 | L3.4 |
+| Code analysis | 1390, 2452+ | L2.1–L2.8 |
+| Code injection | 10074–10387 | L4.9, L5.4 |
+| Compound expressions | 4474–4620 | L2.6 |
+| Conditional jumps (Jcc) | 3153–3167 | L2.1, L2.5 |
+| Control flow | 3137–3204 | L2.5, L2.6 |
+| CreateFileA/W | 1521–1527 | L1.5 |
+| CreateProcess | 3891–4028 | L2.7, L5.4 |
+| CreateRemoteThread | 10098–10105 | L4.9 |
+| CreateToolhelp32Snapshot | 10116–10123 | L4.9, L5.6 |
+| CryptDecrypt | 1776–1860 | L1.5 |
+| CSharpCodeProvider | 7462, 7625 | L3.12 |
+| Cutter | 1428 | — |
+| CyberChef | 1897, 7407–7625 | L1.5, L3.8, L3.12 |
+
+## D
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| de4dot | 10002–10004 | L4.8 |
+| Decompilation | 73, 2643 | L2.1 |
+| Detect It Easy (diec) | 860–865 | L4.1 |
+| Disassembly | 73, 2643 | L2.1 |
+| DLL injection | 7105–7172 | L3.10 |
+| DLL side-loading | 7105–7172 | L3.10 |
+| dnSpyEx | 9612–9797 | L4.8 |
+| Document_Open (VBA) | 5771 | L3.3 |
+| Dropper pattern | 4765–4835 | L2.7 |
+| drtg.exe (sample) | 11161–11227 | L5.3 |
+
+## E
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| Emulation | 1450–1589 | L1.4 |
+| Entropy | 8035–8050 | L4.1 |
+| EBP register | 3874, 3990 | L2.3 |
+| EIP register | 6270–6275 | — |
+| ESP register | 3714, 3740 | L2.3 |
+| ExeInfo PE | 863 | L3.12 |
+
+## F
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| fakedns | 1186–1195 | L1.3, L1.7, L1.8 |
+| fastcall convention | 3692–3699 | — |
+| fgg.js (sample) | 6668 | L3.7 |
+| Fiddler | 2239–2245, 7042 | L3.2, L3.8–L3.12 |
+| FindResource | 4766–4791 | L2.7 |
+| FindWindow API | 11730 | L5.6 |
+| FLOSS | 10914–10919 | L5.2, L5.3 |
+| FS:[0] (SEH chain) | 12240–12307 | L5.7 |
+| FS:[30h] (PEB) | 10556 | L5.1, L5.9 |
+| Function epilogue | 3874, 3990 | L2.3 |
+| Function prologue | 3839–3860 | L2.3 |
+
+## G
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| GetEIP technique | 6270–6275 | — |
+| getdown.exe (sample) | 2322, 10501–10674 | L1.8, L5.1, L5.2 |
+| GetModuleHandle | 11730, 11946 | L5.6 |
+| GetProcAddress | 6286–6306 | L5.4, L5.6 |
+| GetTickCount | 10708–10715 | — |
+| Ghidra | 73, 1418, 2643–2705 | L2.1–L2.8, L4.9, L5.2, L5.4, L5.5 |
+| ghyte.exe (sample) | 1174–2210 | L1.7 |
+| great.exe (sample) | 10134–10387 | L4.9 |
+
+## H
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| Hook injection (SetWindowsHookEx) | 11671–11730 | L5.5 |
+| httpd (web server) | 1269–1279 | L1.3, L1.6, L1.8 |
+| HTTP C2 pattern | 3233–3353 | L1.3, L2.2 |
+| HttpSendRequest | 3338–3353 | L2.2 |
+| Hybrid Analysis | 239 | — |
+| hubert.dll (sample) | 10799 | L5.2 |
+
+## I
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| IAT (Import Address Table) | 836, 7937–7942, 8221 | L4.2, L4.3 |
+| IDA | 1426 | — |
+| ILSpy / ilspycmd | 7475–7480, 9677 | L3.12, L4.8 |
+| INetSim | 2158–2172 | L1.7 |
+| InternetOpen / InternetConnect | 3247–3296 | L2.2 |
+| InternetReadFile | 1589, 3250, 6051 | L1.4, L2.2 |
+| iptables | 2322–2359 | L1.8 |
+| IsDebuggerPresent | 10556–10674 | L5.1, L5.9 |
+| iviewers.dll (sample) | 7007–7172 | L3.10 |
+
+## J–K
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| JavaScript deobfuscation | 6407–6700 | L3.6, L3.7 |
+| JE/JZ, JNE/JNZ (jumps) | 3153–3167 | L2.1, L2.5 |
+| jq (JSON processing) | 1562 | L1.4 |
+
+## L
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| lansrv.exe (sample) | 11260 | L5.9 |
+| LEA instruction | 4910 | L2.8 |
+| LoadLibrary | 6286–6288, 7153 | L3.10, L5.10 |
+| Local variables | 3613–3643 | L2.3 |
+| Loops (assembly) | 4309–4488 | L2.5 |
+| loveyou.js (sample) | 6496–6533 | L3.6 |
+
+## M
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| Multi-stage malware | 6076–6080, 7042 | L3.8–L3.12 |
+| mydoc.docm (sample) | 5755–5771 | L3.3 |
+
+## N
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| .NET analysis | 7475–7793, 9597–9797 | L3.12, L4.8 |
+| .NET reflective loading | 9677, 10047 | L4.8 |
+| NOP sled | 6220 | L3.5 |
+| NtGlobalFlag check | 10656 | — |
+| NtQueryInformationProcess | 11163–11227 | L5.3 |
+| NtUnmapViewOfSection | 11411–11558 | L5.4 |
+| numbers-to-string.py | 5788 | L3.3 |
+
+## O
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| objects.js (SpiderMonkey) | 6496 | L3.6, L3.7 |
+| OEP (Original Entry Point) | 8226 | L4.3, L5.8, L5.10 |
+| oledump.py | 5755–5771 | L3.3, L3.4, L4.5 |
+| OllyDumpEx | 8277 | L4.3, L5.4, L5.8 |
+| OpenProcess | 10220–10241 | L4.9 |
+| OutputDebugString | 10673 | — |
+
+## P
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| Package.exe (sample) | 7007–7172 | L3.10 |
+| Packed binaries | 7937–8050 | L4.1 |
+| Parameters (function) | 3671–3725 | L2.3, L2.4 |
+| PDF analysis | 5280–5500 | L3.1 |
+| pdf-parser.py | 5310–5500 | L3.1 |
+| pdfid.py | 5310–5336 | L3.1 |
+| PDFXCview.exe (sample) | 7866–8044 | L4.5–L4.7 |
+| PE file format | 861, 7939 | L1.1, L4.1 |
+| pe_unmapper | 13440–13444 | L5.10 |
+| PEB (Process Environment Block) | 10556, FS:[30h] | L5.1, L5.9 |
+| peframe | 846–850 | L1.1, L4.8 |
+| Persistence | 800, 1065, 2720, 5047 | L1.2, L2.8 |
+| PeStudio | 816–837 | L1.1, L4.1, many others |
+| pestr | 779–788 | L1.1, L4.8 |
+| PowerShell encoded commands | 5988, 6997 | L3.4, L3.9, L3.11 |
+| PowerShell ISE | 6997–7033 | L3.9, L3.11, L4.5 |
+| Process hollowing | 11398–11558 | L5.4 |
+| Process Monitor | 911, 954–1084 | L1.2, L4.5 |
+| Process32First/Next | 10346–10386 | L4.9, L5.6 |
+| ProcDOT | 911, 1110–1150 | L1.2, L4.5 |
+| PUSHAD / POPAD | 8140 | L4.3 |
+
+## Q
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| qa.doc (sample) | 6148–6371 | L3.5 |
+| QueryPerformanceCounter | 10715 | — |
+
+## R
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| raas.exe (sample) | 10676 | L5.6 |
+| radare2 | 1428 | — |
+| RDTSC timing check | 10710–10716 | — |
+| ReadFile | 1521–1787 | L1.5 |
+| Reflective loading (.NET) | 9677, 10047 | L4.8 |
+| Registers (32-bit) | 2837–2845 | L2.1 |
+| Registers (64-bit) | 4900–4936 | L2.8 |
+| Registry Run keys | 786, 1065, 2720 | L1.2, L2.1 |
+| RegOpenKeyEx | 2750–2768 | L2.1 |
+| Regshot | 912, 969–1068 | L1.2 |
+| REP MOVSB | — | — |
+| Resource extraction | 4766–4791 | L2.7 |
+| Return values (EAX/RAX) | 2838, 3860 | L2.3 |
+| roomsvisitor.saz (sample) | 7042 | L3.8 |
+| rtfdump.py | 6148–6222 | L3.5 |
+| runsc / runsc32 | 6306–6337 | L3.5, L4.6 |
+| rwvg1.exe (sample) | 7407–7793 | L3.12 |
+
+## S
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| Scylla | 8243–8277 | L4.2, L4.3, L5.8, L5.10 |
+| ScyllaHide | 10727–10736 | L5.3, L5.6 |
+| scdbgc / scdbg | 6046–6052 | L3.4, L3.5, L4.6 |
+| SEH (Structured Exception Handling) | 12240–12307 | L5.7, L5.8 |
+| setdllcharacteristics | 8177–8190 | L4.2 |
+| SetWindowsHookExA | 11671–11730 | L5.5 |
+| Shellcode | 6046–6371 | L3.4, L3.5, L4.6, L4.7 |
+| ShellExecute | 5014, 6533 | L2.8 |
+| Sleep API | — | — |
+| SpiderMonkey | 6488–6668 | L3.6, L3.7, L4.5 |
+| speakeasy | 1469–1527 | L1.4 |
+| Stack frame | 3613–3643 | L2.3 |
+| Stack strings | 10898, 16342 | L5.2 |
+| Static analysis | 165, 616–880 | L1.1 |
+| stdcall convention | 3675–3682 | L2.3 |
+| steel1.pdf (sample) | 5310–5500 | L3.1 |
+| strdeob.pl | 10898–10900 | L5.2 |
+| strings (tool) | 782–787 | L1.1, L3.4, L5.2 |
+| String obfuscation | 10485, 10799 | L5.2 |
+| svchost.exe (sample) | 2750–2783 | L2.1–L2.8 |
+| System Informer | 911, 1025 | L1.2, L1.6–L1.8, L4.2, L5.1 |
+
+## T
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| TEST instruction | 1780 | L2.1, L5.1 |
+| thiscall convention | 3695–3700 | — |
+| TLS callbacks | 11260 | L5.9 |
+| Tool detection (malware) | 10727, 11946 | L5.6 |
+| translate.py | 6035 | L3.4 |
+| trid | — | L3.3, L3.4 |
+
+## U
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| Unpacking | 8090–8312, 7937 | L4.1–L4.4, L5.3, L5.8, L5.10 |
+| UPX | 7962–8140 | L4.1, L4.2 |
+
+## V
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| vbprop.exe (sample) | 11657 | L5.5 |
+| VirtualAlloc | 6015–6018 | L4.7 |
+| VirtualAllocEx | 10303–10311 | L4.9, L5.4 |
+| VirtualProtect | 13264 | L5.10 |
+| VirusTotal | 236–264 | — |
+
+## W
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| want.exe (sample) | 12191–12247 | L5.7, L5.8 |
+| WH_MOUSE_LL (hook) | 11671 | L5.5 |
+| WinDbg | 1427 | — |
+| WinHost32.exe (sample) | 11270–11557 | L5.4 |
+| Wireshark | 910, 987–1030 | L1.2, L1.3, L1.6–L1.8, L5.1 |
+| WriteFile | 1521, 4791 | L1.5, L2.7 |
+| WriteProcessMemory | 11398 | L5.4 |
+
+## X
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| x64 calling convention | 4900–5103 | L2.8 |
+| x64dbg / x32dbg | 1613–1706 | L1.5, L4.3–L4.4, L5.1–L5.10 |
+| XOR encoding / loop | 6035, 10799 | L3.4, L5.2, L5.9 |
+| XORSearch | 6252–6260 | L3.5, L5.2 |
+
+## Y
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| YARA / yara-rules | 6060–6063 | L3.4 |
+| yep.exe (sample) | 13264 | L5.10 |
+
+## Z
+
+| Topic | Book | Lab |
+|-------|------|-----|
+| ZwUnmapViewOfSection | 11427, 11554 | L5.4 |