# FOR610 Course Book & Workbook Index

> Line numbers refer to book_clean.md. "L" prefix = Lab number in workbook.

## Section Map

| Section | Topic | Book Lines | Labs |
|---------|-------|-----------|------|
| **S1** | Malware Analysis Fundamentals | 43–2400 | L1.1–L1.8 |
| **S2** | Reversing Malicious Code | 2452–5100 | L2.1–L2.8 |
| **S3** | Beyond Traditional Executables | 5192–7800 | L3.1–L3.12 |
| **S4** | In-Depth Malware Analysis | 7866–10100 | L4.1–L4.9 |
| **S5** | Examining Self-Defending Malware | 10453–13300 | L5.1–L5.10 |

---

## A

| Topic | Book | Lab |
|-------|------|-----|
| accept-all-ips (httpd) | 1269 | L1.3 |
| AMSI monitoring | 6704 | L3.6 |
| AMSIScriptContentRetrieval | 6704 | L3.6 |
| Android analysis | — | — |
| Anti-debugging | 10485–10674 | L5.1, L5.6 |
| Anti-sandbox | 11657 | L5.5 |
| Anti-VM detection | 10740 | L5.6 |
| Any.run (sandbox) | 239 | — |
| API hashing | 6286 | — |
| API Monitor | 1844–1860 | — |
| ASLR / DynamicBase | 8151–8190 | L4.2 |
| Assembly.Load (.NET) | 9677, 10047 | L4.8 |
| AutoOpen (VBA trigger) | 5771 | L3.3 |

## B

| Topic | Book | Lab |
|-------|------|-----|
| base64dump.py | 5988–6035 | L3.4, L4.5 |
| Beaconing | 304, 1298–1313 | L1.3, L1.6 |
| bbcrack | 10813–10815 | L5.2 |
| Behavioral analysis | 72, 896–1380 | L1.2, L1.6 |
| Binary Ninja | 1429 | — |
| BlockInput API | 11842–11878 | L5.6 |
| box-js | 6687 | — |
| brbbot.exe (sample) | 39, 662–1823 | L1.1–L1.6, L4.1–L4.4 |
| brxor.py | 10799–10801 | L5.2 |

## C

| Topic | Book | Lab |
|-------|------|-----|
| C2 communication | 304, 3233–3353 | L1.3, L1.5, L1.6 |
| Calling conventions | 3477–3725 | L2.3, L2.4 |
| capa | 1558–1589 | L1.4, L5.4 |
| cdecl convention | 3671–3714 | L2.3 |
| CFF Explorer | 8174–8190 | — |
| chatroom.exe (sample) | 9597–9797 | L4.8 |
| checkbox.doc (sample) | 5883–6135 | L3.4 |
| CheckRemoteDebuggerPresent | 10669 | — |
| CMP instruction | 3153 | L2.5, L2.6 |
| Cobalt Strike beacon | 6060–6077 | L3.4 |
| Code analysis | 1390, 2452+ | L2.1–L2.8 |
| Code injection | 10074–10387 | L4.9, L5.4 |
| Compound expressions | 4474–4620 | L2.6 |
| Conditional jumps (Jcc) | 3153–3167 | L2.1, L2.5 |
| Control flow | 3137–3204 | L2.5, L2.6 |
| CreateFileA/W | 1521–1527 | L1.5 |
| CreateProcess | 3891–4028 | L2.7, L5.4 |
| CreateRemoteThread | 10098–10105 | L4.9 |
| CreateToolhelp32Snapshot | 10116–10123 | L4.9, L5.6 |
| CryptDecrypt | 1776–1860 | L1.5 |
| CSharpCodeProvider | 7462, 7625 | L3.12 |
| Cutter | 1428 | — |
| CyberChef | 1897, 7407–7625 | L1.5, L3.8, L3.12 |

## D

| Topic | Book | Lab |
|-------|------|-----|
| de4dot | 10002–10004 | L4.8 |
| Decompilation | 73, 2643 | L2.1 |
| Detect It Easy (diec) | 860–865 | L4.1 |
| Disassembly | 73, 2643 | L2.1 |
| DLL injection | 7105–7172 | L3.10 |
| DLL side-loading | 7105–7172 | L3.10 |
| dnSpyEx | 9612–9797 | L4.8 |
| Document_Open (VBA) | 5771 | L3.3 |
| Dropper pattern | 4765–4835 | L2.7 |
| drtg.exe (sample) | 11161–11227 | L5.3 |

## E

| Topic | Book | Lab |
|-------|------|-----|
| Emulation | 1450–1589 | L1.4 |
| Entropy | 8035–8050 | L4.1 |
| EBP register | 3874, 3990 | L2.3 |
| EIP register | 6270–6275 | — |
| ESP register | 3714, 3740 | L2.3 |
| ExeInfo PE | 863 | L3.12 |

## F

| Topic | Book | Lab |
|-------|------|-----|
| fakedns | 1186–1195 | L1.3, L1.7, L1.8 |
| fastcall convention | 3692–3699 | — |
| fgg.js (sample) | 6668 | L3.7 |
| Fiddler | 2239–2245, 7042 | L3.2, L3.8–L3.12 |
| FindResource | 4766–4791 | L2.7 |
| FindWindow API | 11730 | L5.6 |
| FLOSS | 10914–10919 | L5.2, L5.3 |
| FS:[0] (SEH chain) | 12240–12307 | L5.7 |
| FS:[30h] (PEB) | 10556 | L5.1, L5.9 |
| Function epilogue | 3874, 3990 | L2.3 |
| Function prologue | 3839–3860 | L2.3 |

## G

| Topic | Book | Lab |
|-------|------|-----|
| GetEIP technique | 6270–6275 | — |
| getdown.exe (sample) | 2322, 10501–10674 | L1.8, L5.1, L5.2 |
| GetModuleHandle | 11730, 11946 | L5.6 |
| GetProcAddress | 6286–6306 | L5.4, L5.6 |
| GetTickCount | 10708–10715 | — |
| Ghidra | 73, 1418, 2643–2705 | L2.1–L2.8, L4.9, L5.2, L5.4, L5.5 |
| ghyte.exe (sample) | 1174–2210 | L1.7 |
| great.exe (sample) | 10134–10387 | L4.9 |

## H

| Topic | Book | Lab |
|-------|------|-----|
| Hook injection (SetWindowsHookEx) | 11671–11730 | L5.5 |
| httpd (web server) | 1269–1279 | L1.3, L1.6, L1.8 |
| HTTP C2 pattern | 3233–3353 | L1.3, L2.2 |
| HttpSendRequest | 3338–3353 | L2.2 |
| Hybrid Analysis | 239 | — |
| hubert.dll (sample) | 10799 | L5.2 |

## I

| Topic | Book | Lab |
|-------|------|-----|
| IAT (Import Address Table) | 836, 7937–7942, 8221 | L4.2, L4.3 |
| IDA | 1426 | — |
| ILSpy / ilspycmd | 7475–7480, 9677 | L3.12, L4.8 |
| INetSim | 2158–2172 | L1.7 |
| InternetOpen / InternetConnect | 3247–3296 | L2.2 |
| InternetReadFile | 1589, 3250, 6051 | L1.4, L2.2 |
| iptables | 2322–2359 | L1.8 |
| IsDebuggerPresent | 10556–10674 | L5.1, L5.9 |
| iviewers.dll (sample) | 7007–7172 | L3.10 |

## J–K

| Topic | Book | Lab |
|-------|------|-----|
| JavaScript deobfuscation | 6407–6700 | L3.6, L3.7 |
| JE/JZ, JNE/JNZ (jumps) | 3153–3167 | L2.1, L2.5 |
| jq (JSON processing) | 1562 | L1.4 |

## L

| Topic | Book | Lab |
|-------|------|-----|
| lansrv.exe (sample) | 11260 | L5.9 |
| LEA instruction | 4910 | L2.8 |
| LoadLibrary | 6286–6288, 7153 | L3.10, L5.10 |
| Local variables | 3613–3643 | L2.3 |
| Loops (assembly) | 4309–4488 | L2.5 |
| loveyou.js (sample) | 6496–6533 | L3.6 |

## M

| Topic | Book | Lab |
|-------|------|-----|
| Multi-stage malware | 6076–6080, 7042 | L3.8–L3.12 |
| mydoc.docm (sample) | 5755–5771 | L3.3 |

## N

| Topic | Book | Lab |
|-------|------|-----|
| .NET analysis | 7475–7793, 9597–9797 | L3.12, L4.8 |
| .NET reflective loading | 9677, 10047 | L4.8 |
| NOP sled | 6220 | L3.5 |
| NtGlobalFlag check | 10656 | — |
| NtQueryInformationProcess | 11163–11227 | L5.3 |
| NtUnmapViewOfSection | 11411–11558 | L5.4 |
| numbers-to-string.py | 5788 | L3.3 |

## O

| Topic | Book | Lab |
|-------|------|-----|
| objects.js (SpiderMonkey) | 6496 | L3.6, L3.7 |
| OEP (Original Entry Point) | 8226 | L4.3, L5.8, L5.10 |
| oledump.py | 5755–5771 | L3.3, L3.4, L4.5 |
| OllyDumpEx | 8277 | L4.3, L5.4, L5.8 |
| OpenProcess | 10220–10241 | L4.9 |
| OutputDebugString | 10673 | — |

## P

| Topic | Book | Lab |
|-------|------|-----|
| Package.exe (sample) | 7007–7172 | L3.10 |
| Packed binaries | 7937–8050 | L4.1 |
| Parameters (function) | 3671–3725 | L2.3, L2.4 |
| PDF analysis | 5280–5500 | L3.1 |
| pdf-parser.py | 5310–5500 | L3.1 |
| pdfid.py | 5310–5336 | L3.1 |
| PDFXCview.exe (sample) | 7866–8044 | L4.5–L4.7 |
| PE file format | 861, 7939 | L1.1, L4.1 |
| pe_unmapper | 13440–13444 | L5.10 |
| PEB (Process Environment Block) | 10556, FS:[30h] | L5.1, L5.9 |
| peframe | 846–850 | L1.1, L4.8 |
| Persistence | 800, 1065, 2720, 5047 | L1.2, L2.8 |
| PeStudio | 816–837 | L1.1, L4.1, many others |
| pestr | 779–788 | L1.1, L4.8 |
| PowerShell encoded commands | 5988, 6997 | L3.4, L3.9, L3.11 |
| PowerShell ISE | 6997–7033 | L3.9, L3.11, L4.5 |
| Process hollowing | 11398–11558 | L5.4 |
| Process Monitor | 911, 954–1084 | L1.2, L4.5 |
| Process32First/Next | 10346–10386 | L4.9, L5.6 |
| ProcDOT | 911, 1110–1150 | L1.2, L4.5 |
| PUSHAD / POPAD | 8140 | L4.3 |

## Q

| Topic | Book | Lab |
|-------|------|-----|
| qa.doc (sample) | 6148–6371 | L3.5 |
| QueryPerformanceCounter | 10715 | — |

## R

| Topic | Book | Lab |
|-------|------|-----|
| raas.exe (sample) | 10676 | L5.6 |
| radare2 | 1428 | — |
| RDTSC timing check | 10710–10716 | — |
| ReadFile | 1521–1787 | L1.5 |
| Reflective loading (.NET) | 9677, 10047 | L4.8 |
| Registers (32-bit) | 2837–2845 | L2.1 |
| Registers (64-bit) | 4900–4936 | L2.8 |
| Registry Run keys | 786, 1065, 2720 | L1.2, L2.1 |
| RegOpenKeyEx | 2750–2768 | L2.1 |
| Regshot | 912, 969–1068 | L1.2 |
| REP MOVSB | — | — |
| Resource extraction | 4766–4791 | L2.7 |
| Return values (EAX/RAX) | 2838, 3860 | L2.3 |
| roomsvisitor.saz (sample) | 7042 | L3.8 |
| rtfdump.py | 6148–6222 | L3.5 |
| runsc / runsc32 | 6306–6337 | L3.5, L4.6 |
| rwvg1.exe (sample) | 7407–7793 | L3.12 |

## S

| Topic | Book | Lab |
|-------|------|-----|
| Scylla | 8243–8277 | L4.2, L4.3, L5.8, L5.10 |
| ScyllaHide | 10727–10736 | L5.3, L5.6 |
| scdbgc / scdbg | 6046–6052 | L3.4, L3.5, L4.6 |
| SEH (Structured Exception Handling) | 12240–12307 | L5.7, L5.8 |
| setdllcharacteristics | 8177–8190 | L4.2 |
| SetWindowsHookExA | 11671–11730 | L5.5 |
| Shellcode | 6046–6371 | L3.4, L3.5, L4.6, L4.7 |
| ShellExecute | 5014, 6533 | L2.8 |
| Sleep API | — | — |
| SpiderMonkey | 6488–6668 | L3.6, L3.7, L4.5 |
| speakeasy | 1469–1527 | L1.4 |
| Stack frame | 3613–3643 | L2.3 |
| Stack strings | 10898, 16342 | L5.2 |
| Static analysis | 165, 616–880 | L1.1 |
| stdcall convention | 3675–3682 | L2.3 |
| steel1.pdf (sample) | 5310–5500 | L3.1 |
| strdeob.pl | 10898–10900 | L5.2 |
| strings (tool) | 782–787 | L1.1, L3.4, L5.2 |
| String obfuscation | 10485, 10799 | L5.2 |
| svchost.exe (sample) | 2750–2783 | L2.1–L2.8 |
| System Informer | 911, 1025 | L1.2, L1.6–L1.8, L4.2, L5.1 |

## T

| Topic | Book | Lab |
|-------|------|-----|
| TEST instruction | 1780 | L2.1, L5.1 |
| thiscall convention | 3695–3700 | — |
| TLS callbacks | 11260 | L5.9 |
| Tool detection (malware) | 10727, 11946 | L5.6 |
| translate.py | 6035 | L3.4 |
| trid | — | L3.3, L3.4 |

## U

| Topic | Book | Lab |
|-------|------|-----|
| Unpacking | 8090–8312, 7937 | L4.1–L4.4, L5.3, L5.8, L5.10 |
| UPX | 7962–8140 | L4.1, L4.2 |

## V

| Topic | Book | Lab |
|-------|------|-----|
| vbprop.exe (sample) | 11657 | L5.5 |
| VirtualAlloc | 6015–6018 | L4.7 |
| VirtualAllocEx | 10303–10311 | L4.9, L5.4 |
| VirtualProtect | 13264 | L5.10 |
| VirusTotal | 236–264 | — |

## W

| Topic | Book | Lab |
|-------|------|-----|
| want.exe (sample) | 12191–12247 | L5.7, L5.8 |
| WH_MOUSE_LL (hook) | 11671 | L5.5 |
| WinDbg | 1427 | — |
| WinHost32.exe (sample) | 11270–11557 | L5.4 |
| Wireshark | 910, 987–1030 | L1.2, L1.3, L1.6–L1.8, L5.1 |
| WriteFile | 1521, 4791 | L1.5, L2.7 |
| WriteProcessMemory | 11398 | L5.4 |

## X

| Topic | Book | Lab |
|-------|------|-----|
| x64 calling convention | 4900–5103 | L2.8 |
| x64dbg / x32dbg | 1613–1706 | L1.5, L4.3–L4.4, L5.1–L5.10 |
| XOR encoding / loop | 6035, 10799 | L3.4, L5.2, L5.9 |
| XORSearch | 6252–6260 | L3.5, L5.2 |

## Y

| Topic | Book | Lab |
|-------|------|-----|
| YARA / yara-rules | 6060–6063 | L3.4 |
| yep.exe (sample) | 13264 | L5.10 |

## Z

| Topic | Book | Lab |
|-------|------|-----|
| ZwUnmapViewOfSection | 11427, 11554 | L5.4 |