tobias 6349c3aa8e Add malware patterns cheat sheet and book index
04-malware-patterns.md: API→technique mapping, packer recognition,
anti-analysis assembly patterns, shellcode indicators, document
malware indicators, quick-reference lookup tables.

05-book-index.md: A-Z index of every tool, concept, API, technique,
and malware sample in the FOR610 course with book line numbers and
workbook lab references for quick lookup.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 08:41:30 +02:00

# FOR610 Course Book & Workbook Index
> Line numbers refer to book_clean.md. "L" prefix = Lab number in workbook.
## Section Map
| Section | Topic | Book Lines | Labs |
|---------|-------|-----------|------|
| **S1** | Malware Analysis Fundamentals | 43–2400 | L1.1–L1.8 |
| **S2** | Reversing Malicious Code | 2452–5100 | L2.1–L2.8 |
| **S3** | Beyond Traditional Executables | 5192–7800 | L3.1–L3.12 |
| **S4** | In-Depth Malware Analysis | 7866–10100 | L4.1–L4.9 |
| **S5** | Examining Self-Defending Malware | 10453–13300 | L5.1–L5.10 |
---
## A
| Topic | Book | Lab |
|-------|------|-----|
| accept-all-ips (httpd) | 1269 | L1.3 |
| AMSI monitoring | 6704 | L3.6 |
| AMSIScriptContentRetrieval | 6704 | L3.6 |
| Android analysis | — | — |
| Anti-debugging | 10485–10674 | L5.1, L5.6 |
| Anti-sandbox | 11657 | L5.5 |
| Anti-VM detection | 10740 | L5.6 |
| Any.run (sandbox) | 239 | — |
| API hashing | 6286 | — |
| API Monitor | 1844–1860 | — |
| ASLR / DynamicBase | 8151–8190 | L4.2 |
| Assembly.Load (.NET) | 9677, 10047 | L4.8 |
| AutoOpen (VBA trigger) | 5771 | L3.3 |
## B
| Topic | Book | Lab |
|-------|------|-----|
| base64dump.py | 5988–6035 | L3.4, L4.5 |
| Beaconing | 304, 1298–1313 | L1.3, L1.6 |
| bbcrack | 10813–10815 | L5.2 |
| Behavioral analysis | 72, 896–1380 | L1.2, L1.6 |
| Binary Ninja | 1429 | — |
| BlockInput API | 11842–11878 | L5.6 |
| box-js | 6687 | — |
| brbbot.exe (sample) | 39, 662–1823 | L1.1–L1.6, L4.1–L4.4 |
| brxor.py | 10799–10801 | L5.2 |
## C
| Topic | Book | Lab |
|-------|------|-----|
| C2 communication | 304, 3233–3353 | L1.3, L1.5, L1.6 |
| Calling conventions | 3477–3725 | L2.3, L2.4 |
| capa | 1558–1589 | L1.4, L5.4 |
| cdecl convention | 3671–3714 | L2.3 |
| CFF Explorer | 8174–8190 | — |
| chatroom.exe (sample) | 9597–9797 | L4.8 |
| checkbox.doc (sample) | 5883–6135 | L3.4 |
| CheckRemoteDebuggerPresent | 10669 | — |
| CMP instruction | 3153 | L2.5, L2.6 |
| Cobalt Strike beacon | 6060–6077 | L3.4 |
| Code analysis | 1390, 2452+ | L2.1–L2.8 |
| Code injection | 10074–10387 | L4.9, L5.4 |
| Compound expressions | 4474–4620 | L2.6 |
| Conditional jumps (Jcc) | 3153–3167 | L2.1, L2.5 |
| Control flow | 3137–3204 | L2.5, L2.6 |
| CreateFileA/W | 1521–1527 | L1.5 |
| CreateProcess | 3891–4028 | L2.7, L5.4 |
| CreateRemoteThread | 10098–10105 | L4.9 |
| CreateToolhelp32Snapshot | 10116–10123 | L4.9, L5.6 |
| CryptDecrypt | 1776–1860 | L1.5 |
| CSharpCodeProvider | 7462, 7625 | L3.12 |
| Cutter | 1428 | — |
| CyberChef | 1897, 7407–7625 | L1.5, L3.8, L3.12 |
## D
| Topic | Book | Lab |
|-------|------|-----|
| de4dot | 10002–10004 | L4.8 |
| Decompilation | 73, 2643 | L2.1 |
| Detect It Easy (diec) | 860–865 | L4.1 |
| Disassembly | 73, 2643 | L2.1 |
| DLL injection | 7105–7172 | L3.10 |
| DLL side-loading | 7105–7172 | L3.10 |
| dnSpyEx | 9612–9797 | L4.8 |
| Document_Open (VBA) | 5771 | L3.3 |
| Dropper pattern | 4765–4835 | L2.7 |
| drtg.exe (sample) | 11161–11227 | L5.3 |
## E
| Topic | Book | Lab |
|-------|------|-----|
| Emulation | 1450–1589 | L1.4 |
| Entropy | 8035–8050 | L4.1 |
| EBP register | 3874, 3990 | L2.3 |
| EIP register | 6270–6275 | — |
| ESP register | 3714, 3740 | L2.3 |
| ExeInfo PE | 863 | L3.12 |
## F
| Topic | Book | Lab |
|-------|------|-----|
| fakedns | 1186–1195 | L1.3, L1.7, L1.8 |
| fastcall convention | 3692–3699 | — |
| fgg.js (sample) | 6668 | L3.7 |
| Fiddler | 2239–2245, 7042 | L3.2, L3.8–L3.12 |
| FindResource | 4766–4791 | L2.7 |
| FindWindow API | 11730 | L5.6 |
| FLOSS | 10914–10919 | L5.2, L5.3 |
| FS:[0] (SEH chain) | 12240–12307 | L5.7 |
| FS:[30h] (PEB) | 10556 | L5.1, L5.9 |
| Function epilogue | 3874, 3990 | L2.3 |
| Function prologue | 3839–3860 | L2.3 |
## G
| Topic | Book | Lab |
|-------|------|-----|
| GetEIP technique | 6270–6275 | — |
| getdown.exe (sample) | 2322, 10501–10674 | L1.8, L5.1, L5.2 |
| GetModuleHandle | 11730, 11946 | L5.6 |
| GetProcAddress | 6286–6306 | L5.4, L5.6 |
| GetTickCount | 10708–10715 | — |
| Ghidra | 73, 1418, 2643–2705 | L2.1–L2.8, L4.9, L5.2, L5.4, L5.5 |
| ghyte.exe (sample) | 1174–2210 | L1.7 |
| great.exe (sample) | 10134–10387 | L4.9 |
## H
| Topic | Book | Lab |
|-------|------|-----|
| Hook injection (SetWindowsHookEx) | 11671–11730 | L5.5 |
| httpd (web server) | 1269–1279 | L1.3, L1.6, L1.8 |
| HTTP C2 pattern | 3233–3353 | L1.3, L2.2 |
| HttpSendRequest | 3338–3353 | L2.2 |
| Hybrid Analysis | 239 | — |
| hubert.dll (sample) | 10799 | L5.2 |
## I
| Topic | Book | Lab |
|-------|------|-----|
| IAT (Import Address Table) | 836, 7937–7942, 8221 | L4.2, L4.3 |
| IDA | 1426 | — |
| ILSpy / ilspycmd | 7475–7480, 9677 | L3.12, L4.8 |
| INetSim | 2158–2172 | L1.7 |
| InternetOpen / InternetConnect | 3247–3296 | L2.2 |
| InternetReadFile | 1589, 3250, 6051 | L1.4, L2.2 |
| iptables | 2322–2359 | L1.8 |
| IsDebuggerPresent | 10556–10674 | L5.1, L5.9 |
| iviewers.dll (sample) | 7007–7172 | L3.10 |
## J–K
| Topic | Book | Lab |
|-------|------|-----|
| JavaScript deobfuscation | 6407–6700 | L3.6, L3.7 |
| JE/JZ, JNE/JNZ (jumps) | 3153–3167 | L2.1, L2.5 |
| jq (JSON processing) | 1562 | L1.4 |
## L
| Topic | Book | Lab |
|-------|------|-----|
| lansrv.exe (sample) | 11260 | L5.9 |
| LEA instruction | 4910 | L2.8 |
| LoadLibrary | 6286–6288, 7153 | L3.10, L5.10 |
| Local variables | 3613–3643 | L2.3 |
| Loops (assembly) | 4309–4488 | L2.5 |
| loveyou.js (sample) | 6496–6533 | L3.6 |
## M
| Topic | Book | Lab |
|-------|------|-----|
| Multi-stage malware | 6076–6080, 7042 | L3.8–L3.12 |
| mydoc.docm (sample) | 5755–5771 | L3.3 |
## N
| Topic | Book | Lab |
|-------|------|-----|
| .NET analysis | 7475–7793, 9597–9797 | L3.12, L4.8 |
| .NET reflective loading | 9677, 10047 | L4.8 |
| NOP sled | 6220 | L3.5 |
| NtGlobalFlag check | 10656 | — |
| NtQueryInformationProcess | 11163–11227 | L5.3 |
| NtUnmapViewOfSection | 11411–11558 | L5.4 |
| numbers-to-string.py | 5788 | L3.3 |
## O
| Topic | Book | Lab |
|-------|------|-----|
| objects.js (SpiderMonkey) | 6496 | L3.6, L3.7 |
| OEP (Original Entry Point) | 8226 | L4.3, L5.8, L5.10 |
| oledump.py | 5755–5771 | L3.3, L3.4, L4.5 |
| OllyDumpEx | 8277 | L4.3, L5.4, L5.8 |
| OpenProcess | 10220–10241 | L4.9 |
| OutputDebugString | 10673 | — |
## P
| Topic | Book | Lab |
|-------|------|-----|
| Package.exe (sample) | 7007–7172 | L3.10 |
| Packed binaries | 7937–8050 | L4.1 |
| Parameters (function) | 3671–3725 | L2.3, L2.4 |
| PDF analysis | 5280–5500 | L3.1 |
| pdf-parser.py | 5310–5500 | L3.1 |
| pdfid.py | 5310–5336 | L3.1 |
| PDFXCview.exe (sample) | 7866–8044 | L4.5–L4.7 |
| PE file format | 861, 7939 | L1.1, L4.1 |
| pe_unmapper | 13440–13444 | L5.10 |
| PEB (Process Environment Block) | 10556, FS:[30h] | L5.1, L5.9 |
| peframe | 846–850 | L1.1, L4.8 |
| Persistence | 800, 1065, 2720, 5047 | L1.2, L2.8 |
| PeStudio | 816–837 | L1.1, L4.1, many others |
| pestr | 779–788 | L1.1, L4.8 |
| PowerShell encoded commands | 5988, 6997 | L3.4, L3.9, L3.11 |
| PowerShell ISE | 6997–7033 | L3.9, L3.11, L4.5 |
| Process hollowing | 11398–11558 | L5.4 |
| Process Monitor | 911, 954–1084 | L1.2, L4.5 |
| Process32First/Next | 10346–10386 | L4.9, L5.6 |
| ProcDOT | 911, 1110–1150 | L1.2, L4.5 |
| PUSHAD / POPAD | 8140 | L4.3 |
## Q
| Topic | Book | Lab |
|-------|------|-----|
| qa.doc (sample) | 6148–6371 | L3.5 |
| QueryPerformanceCounter | 10715 | — |
## R
| Topic | Book | Lab |
|-------|------|-----|
| raas.exe (sample) | 10676 | L5.6 |
| radare2 | 1428 | — |
| RDTSC timing check | 10710–10716 | — |
| ReadFile | 1521–1787 | L1.5 |
| Reflective loading (.NET) | 9677, 10047 | L4.8 |
| Registers (32-bit) | 2837–2845 | L2.1 |
| Registers (64-bit) | 4900–4936 | L2.8 |
| Registry Run keys | 786, 1065, 2720 | L1.2, L2.1 |
| RegOpenKeyEx | 2750–2768 | L2.1 |
| Regshot | 912, 969–1068 | L1.2 |
| REP MOVSB | — | — |
| Resource extraction | 4766–4791 | L2.7 |
| Return values (EAX/RAX) | 2838, 3860 | L2.3 |
| roomsvisitor.saz (sample) | 7042 | L3.8 |
| rtfdump.py | 6148–6222 | L3.5 |
| runsc / runsc32 | 6306–6337 | L3.5, L4.6 |
| rwvg1.exe (sample) | 7407–7793 | L3.12 |
## S
| Topic | Book | Lab |
|-------|------|-----|
| Scylla | 8243–8277 | L4.2, L4.3, L5.8, L5.10 |
| ScyllaHide | 10727–10736 | L5.3, L5.6 |
| scdbgc / scdbg | 6046–6052 | L3.4, L3.5, L4.6 |
| SEH (Structured Exception Handling) | 12240–12307 | L5.7, L5.8 |
| setdllcharacteristics | 8177–8190 | L4.2 |
| SetWindowsHookExA | 11671–11730 | L5.5 |
| Shellcode | 6046–6371 | L3.4, L3.5, L4.6, L4.7 |
| ShellExecute | 5014, 6533 | L2.8 |
| Sleep API | — | — |
| SpiderMonkey | 6488–6668 | L3.6, L3.7, L4.5 |
| speakeasy | 1469–1527 | L1.4 |
| Stack frame | 3613–3643 | L2.3 |
| Stack strings | 10898, 16342 | L5.2 |
| Static analysis | 165, 616–880 | L1.1 |
| stdcall convention | 3675–3682 | L2.3 |
| steel1.pdf (sample) | 5310–5500 | L3.1 |
| strdeob.pl | 10898–10900 | L5.2 |
| strings (tool) | 782–787 | L1.1, L3.4, L5.2 |
| String obfuscation | 10485, 10799 | L5.2 |
| svchost.exe (sample) | 2750–2783 | L2.1–L2.8 |
| System Informer | 911, 1025 | L1.2, L1.6–L1.8, L4.2, L5.1 |
## T
| Topic | Book | Lab |
|-------|------|-----|
| TEST instruction | 1780 | L2.1, L5.1 |
| thiscall convention | 3695–3700 | — |
| TLS callbacks | 11260 | L5.9 |
| Tool detection (malware) | 10727, 11946 | L5.6 |
| translate.py | 6035 | L3.4 |
| trid | — | L3.3, L3.4 |
## U
| Topic | Book | Lab |
|-------|------|-----|
| Unpacking | 8090–8312, 7937 | L4.1–L4.4, L5.3, L5.8, L5.10 |
| UPX | 7962–8140 | L4.1, L4.2 |
## V
| Topic | Book | Lab |
|-------|------|-----|
| vbprop.exe (sample) | 11657 | L5.5 |
| VirtualAlloc | 6015–6018 | L4.7 |
| VirtualAllocEx | 10303–10311 | L4.9, L5.4 |
| VirtualProtect | 13264 | L5.10 |
| VirusTotal | 236–264 | — |
## W
| Topic | Book | Lab |
|-------|------|-----|
| want.exe (sample) | 12191–12247 | L5.7, L5.8 |
| WH_MOUSE_LL (hook) | 11671 | L5.5 |
| WinDbg | 1427 | — |
| WinHost32.exe (sample) | 11270–11557 | L5.4 |
| Wireshark | 910, 987–1030 | L1.2, L1.3, L1.6–L1.8, L5.1 |
| WriteFile | 1521, 4791 | L1.5, L2.7 |
| WriteProcessMemory | 11398 | L5.4 |
## X
| Topic | Book | Lab |
|-------|------|-----|
| x64 calling convention | 4900–5103 | L2.8 |
| x64dbg / x32dbg | 1613–1706 | L1.5, L4.3–L4.4, L5.1–L5.10 |
| XOR encoding / loop | 6035, 10799 | L3.4, L5.2, L5.9 |
| XORSearch | 6252–6260 | L3.5, L5.2 |
## Y
| Topic | Book | Lab |
|-------|------|-----|
| YARA / yara-rules | 6060–6063 | L3.4 |
| yep.exe (sample) | 13264 | L5.10 |
## Z
| Topic | Book | Lab |
|-------|------|-----|
| ZwUnmapViewOfSection | 11427, 11554 | L5.4 |