docker_file_analysis/data/exam-cheatsheets/05-book-index.md

FOR610 Course Book & Workbook Index

Line numbers refer to book_clean.md. "L" prefix = Lab number in workbook.

Section Map

Section	Topic	Book Lines	Labs
S1	Malware Analysis Fundamentals	43–2400	L1.1–L1.8
S2	Reversing Malicious Code	2452–5100	L2.1–L2.8
S3	Beyond Traditional Executables	5192–7800	L3.1–L3.12
S4	In-Depth Malware Analysis	7866–10100	L4.1–L4.9
S5	Examining Self-Defending Malware	10453–13300	L5.1–L5.10

---

A

Topic	Book	Lab
accept-all-ips (httpd)	1269	L1.3
AMSI monitoring	6704	L3.6
AMSIScriptContentRetrieval	6704	L3.6
Android analysis	—	—
Anti-debugging	10485–10674	L5.1, L5.6
Anti-sandbox	11657	L5.5
Anti-VM detection	10740	L5.6
Any.run (sandbox)	239	—
API hashing	6286	—
API Monitor	1844–1860	—
ASLR / DynamicBase	8151–8190	L4.2
Assembly.Load (.NET)	9677, 10047	L4.8
AutoOpen (VBA trigger)	5771	L3.3

B

Topic	Book	Lab
base64dump.py	5988–6035	L3.4, L4.5
Beaconing	304, 1298–1313	L1.3, L1.6
bbcrack	10813–10815	L5.2
Behavioral analysis	72, 896–1380	L1.2, L1.6
Binary Ninja	1429	—
BlockInput API	11842–11878	L5.6
box-js	6687	—
brbbot.exe (sample)	39, 662–1823	L1.1–L1.6, L4.1–L4.4
brxor.py	10799–10801	L5.2

C

Topic	Book	Lab
C2 communication	304, 3233–3353	L1.3, L1.5, L1.6
Calling conventions	3477–3725	L2.3, L2.4
capa	1558–1589	L1.4, L5.4
cdecl convention	3671–3714	L2.3
CFF Explorer	8174–8190	—
chatroom.exe (sample)	9597–9797	L4.8
checkbox.doc (sample)	5883–6135	L3.4
CheckRemoteDebuggerPresent	10669	—
CMP instruction	3153	L2.5, L2.6
Cobalt Strike beacon	6060–6077	L3.4
Code analysis	1390, 2452+	L2.1–L2.8
Code injection	10074–10387	L4.9, L5.4
Compound expressions	4474–4620	L2.6
Conditional jumps (Jcc)	3153–3167	L2.1, L2.5
Control flow	3137–3204	L2.5, L2.6
CreateFileA/W	1521–1527	L1.5
CreateProcess	3891–4028	L2.7, L5.4
CreateRemoteThread	10098–10105	L4.9
CreateToolhelp32Snapshot	10116–10123	L4.9, L5.6
CryptDecrypt	1776–1860	L1.5
CSharpCodeProvider	7462, 7625	L3.12
Cutter	1428	—
CyberChef	1897, 7407–7625	L1.5, L3.8, L3.12

D

Topic	Book	Lab
de4dot	10002–10004	L4.8
Decompilation	73, 2643	L2.1
Detect It Easy (diec)	860–865	L4.1
Disassembly	73, 2643	L2.1
DLL injection	7105–7172	L3.10
DLL side-loading	7105–7172	L3.10
dnSpyEx	9612–9797	L4.8
Document_Open (VBA)	5771	L3.3
Dropper pattern	4765–4835	L2.7
drtg.exe (sample)	11161–11227	L5.3

E

Topic	Book	Lab
Emulation	1450–1589	L1.4
Entropy	8035–8050	L4.1
EBP register	3874, 3990	L2.3
EIP register	6270–6275	—
ESP register	3714, 3740	L2.3
ExeInfo PE	863	L3.12

F

Topic	Book	Lab
fakedns	1186–1195	L1.3, L1.7, L1.8
fastcall convention	3692–3699	—
fgg.js (sample)	6668	L3.7
Fiddler	2239–2245, 7042	L3.2, L3.8–L3.12
FindResource	4766–4791	L2.7
FindWindow API	11730	L5.6
FLOSS	10914–10919	L5.2, L5.3
FS:[0] (SEH chain)	12240–12307	L5.7
FS:[30h] (PEB)	10556	L5.1, L5.9
Function epilogue	3874, 3990	L2.3
Function prologue	3839–3860	L2.3

G

Topic	Book	Lab
GetEIP technique	6270–6275	—
getdown.exe (sample)	2322, 10501–10674	L1.8, L5.1, L5.2
GetModuleHandle	11730, 11946	L5.6
GetProcAddress	6286–6306	L5.4, L5.6
GetTickCount	10708–10715	—
Ghidra	73, 1418, 2643–2705	L2.1–L2.8, L4.9, L5.2, L5.4, L5.5
ghyte.exe (sample)	1174–2210	L1.7
great.exe (sample)	10134–10387	L4.9

H

Topic	Book	Lab
Hook injection (SetWindowsHookEx)	11671–11730	L5.5
httpd (web server)	1269–1279	L1.3, L1.6, L1.8
HTTP C2 pattern	3233–3353	L1.3, L2.2
HttpSendRequest	3338–3353	L2.2
Hybrid Analysis	239	—
hubert.dll (sample)	10799	L5.2

I

Topic	Book	Lab
IAT (Import Address Table)	836, 7937–7942, 8221	L4.2, L4.3
IDA	1426	—
ILSpy / ilspycmd	7475–7480, 9677	L3.12, L4.8
INetSim	2158–2172	L1.7
InternetOpen / InternetConnect	3247–3296	L2.2
InternetReadFile	1589, 3250, 6051	L1.4, L2.2
iptables	2322–2359	L1.8
IsDebuggerPresent	10556–10674	L5.1, L5.9
iviewers.dll (sample)	7007–7172	L3.10

J–K

Topic	Book	Lab
JavaScript deobfuscation	6407–6700	L3.6, L3.7
JE/JZ, JNE/JNZ (jumps)	3153–3167	L2.1, L2.5
jq (JSON processing)	1562	L1.4

L

Topic	Book	Lab
lansrv.exe (sample)	11260	L5.9
LEA instruction	4910	L2.8
LoadLibrary	6286–6288, 7153	L3.10, L5.10
Local variables	3613–3643	L2.3
Loops (assembly)	4309–4488	L2.5
loveyou.js (sample)	6496–6533	L3.6

M

Topic	Book	Lab
Multi-stage malware	6076–6080, 7042	L3.8–L3.12
mydoc.docm (sample)	5755–5771	L3.3

N

Topic	Book	Lab
.NET analysis	7475–7793, 9597–9797	L3.12, L4.8
.NET reflective loading	9677, 10047	L4.8
NOP sled	6220	L3.5
NtGlobalFlag check	10656	—
NtQueryInformationProcess	11163–11227	L5.3
NtUnmapViewOfSection	11411–11558	L5.4
numbers-to-string.py	5788	L3.3

O

Topic	Book	Lab
objects.js (SpiderMonkey)	6496	L3.6, L3.7
OEP (Original Entry Point)	8226	L4.3, L5.8, L5.10
oledump.py	5755–5771	L3.3, L3.4, L4.5
OllyDumpEx	8277	L4.3, L5.4, L5.8
OpenProcess	10220–10241	L4.9
OutputDebugString	10673	—

P

Topic	Book	Lab
Package.exe (sample)	7007–7172	L3.10
Packed binaries	7937–8050	L4.1
Parameters (function)	3671–3725	L2.3, L2.4
PDF analysis	5280–5500	L3.1
pdf-parser.py	5310–5500	L3.1
pdfid.py	5310–5336	L3.1
PDFXCview.exe (sample)	7866–8044	L4.5–L4.7
PE file format	861, 7939	L1.1, L4.1
pe_unmapper	13440–13444	L5.10
PEB (Process Environment Block)	10556, FS:[30h]	L5.1, L5.9
peframe	846–850	L1.1, L4.8
Persistence	800, 1065, 2720, 5047	L1.2, L2.8
PeStudio	816–837	L1.1, L4.1, many others
pestr	779–788	L1.1, L4.8
PowerShell encoded commands	5988, 6997	L3.4, L3.9, L3.11
PowerShell ISE	6997–7033	L3.9, L3.11, L4.5
Process hollowing	11398–11558	L5.4
Process Monitor	911, 954–1084	L1.2, L4.5
Process32First/Next	10346–10386	L4.9, L5.6
ProcDOT	911, 1110–1150	L1.2, L4.5
PUSHAD / POPAD	8140	L4.3

Q

Topic	Book	Lab
qa.doc (sample)	6148–6371	L3.5
QueryPerformanceCounter	10715	—

R

Topic	Book	Lab
raas.exe (sample)	10676	L5.6
radare2	1428	—
RDTSC timing check	10710–10716	—
ReadFile	1521–1787	L1.5
Reflective loading (.NET)	9677, 10047	L4.8
Registers (32-bit)	2837–2845	L2.1
Registers (64-bit)	4900–4936	L2.8
Registry Run keys	786, 1065, 2720	L1.2, L2.1
RegOpenKeyEx	2750–2768	L2.1
Regshot	912, 969–1068	L1.2
REP MOVSB	—	—
Resource extraction	4766–4791	L2.7
Return values (EAX/RAX)	2838, 3860	L2.3
roomsvisitor.saz (sample)	7042	L3.8
rtfdump.py	6148–6222	L3.5
runsc / runsc32	6306–6337	L3.5, L4.6
rwvg1.exe (sample)	7407–7793	L3.12

S

Topic	Book	Lab
Scylla	8243–8277	L4.2, L4.3, L5.8, L5.10
ScyllaHide	10727–10736	L5.3, L5.6
scdbgc / scdbg	6046–6052	L3.4, L3.5, L4.6
SEH (Structured Exception Handling)	12240–12307	L5.7, L5.8
setdllcharacteristics	8177–8190	L4.2
SetWindowsHookExA	11671–11730	L5.5
Shellcode	6046–6371	L3.4, L3.5, L4.6, L4.7
ShellExecute	5014, 6533	L2.8
Sleep API	—	—
SpiderMonkey	6488–6668	L3.6, L3.7, L4.5
speakeasy	1469–1527	L1.4
Stack frame	3613–3643	L2.3
Stack strings	10898, 16342	L5.2
Static analysis	165, 616–880	L1.1
stdcall convention	3675–3682	L2.3
steel1.pdf (sample)	5310–5500	L3.1
strdeob.pl	10898–10900	L5.2
strings (tool)	782–787	L1.1, L3.4, L5.2
String obfuscation	10485, 10799	L5.2
svchost.exe (sample)	2750–2783	L2.1–L2.8
System Informer	911, 1025	L1.2, L1.6–L1.8, L4.2, L5.1

T

Topic	Book	Lab
TEST instruction	1780	L2.1, L5.1
thiscall convention	3695–3700	—
TLS callbacks	11260	L5.9
Tool detection (malware)	10727, 11946	L5.6
translate.py	6035	L3.4
trid	—	L3.3, L3.4

U

Topic	Book	Lab
Unpacking	8090–8312, 7937	L4.1–L4.4, L5.3, L5.8, L5.10
UPX	7962–8140	L4.1, L4.2

V

Topic	Book	Lab
vbprop.exe (sample)	11657	L5.5
VirtualAlloc	6015–6018	L4.7
VirtualAllocEx	10303–10311	L4.9, L5.4
VirtualProtect	13264	L5.10
VirusTotal	236–264	—

W

Topic	Book	Lab
want.exe (sample)	12191–12247	L5.7, L5.8
WH_MOUSE_LL (hook)	11671	L5.5
WinDbg	1427	—
WinHost32.exe (sample)	11270–11557	L5.4
Wireshark	910, 987–1030	L1.2, L1.3, L1.6–L1.8, L5.1
WriteFile	1521, 4791	L1.5, L2.7
WriteProcessMemory	11398	L5.4

X

Topic	Book	Lab
x64 calling convention	4900–5103	L2.8
x64dbg / x32dbg	1613–1706	L1.5, L4.3–L4.4, L5.1–L5.10
XOR encoding / loop	6035, 10799	L3.4, L5.2, L5.9
XORSearch	6252–6260	L3.5, L5.2

Y

Topic	Book	Lab
YARA / yara-rules	6060–6063	L3.4
yep.exe (sample)	13264	L5.10

Z

Topic	Book	Lab
ZwUnmapViewOfSection	11427, 11554	L5.4