When I started looking into the SANS FOR710 “Reverse-Engineering Malware: Advanced Code Analysis” course towards the end of 2022 the course was still fresh and new and there were not many reviews or opinions available about it online. So now after finishing the course I want to write a quick review and share my experience with it.
The course website mentions a number of prerequisites and describes the course as “an advanced level Windows reverse-engineering course that skips over introductory and intermediate malware analysis concepts.” Students are supposed to have skills and knowledge equivalent to the FOR610 course as well as experience with static and dynamic malware analysis.
Having never taken a SANS course before, I wasn’t sure about these requirements, but a colleague recommended taking FOR710 without going through FOR610 first, based on my previous experience (which includes work experience and trainings, including some chapters from the Zero2Auto course). I also decided to take the course online so I could take all the time I need to follow the lessons (which can sometimes be hard during in-person classes).
The SANS FOR710 course really shines with excellent didactics. Anuj is a great teacher, and splitting the on-demand videos into small parts is a great way to break complicated topics into manageable bites; it also lets students go back to specific parts without having to scroll through long videos. This is probably true of all SANS on-demand courses, but I really liked it. Besides that, the exercises are absolutely great and I really enjoyed doing them. For me, they were a great mix of guidance through questions and enough room to figure things out by myself. The hints and solutions being hidden by default but available when needed added to this concept. In general, doing the exercises felt a bit like doing a CTF and triggered my puzzle-solving reflex.
The course content is split into three sections:
Here are some thoughts on each of the sections.
This was by far my favourite section in the course and I wish I could have had more of it. The topics covered here can be very challenging and a real roadblock, so I was very happy about this chapter. Concepts discussed here like DLL loading, shellcode, and API hashing are absolutely necessary to understand for any kind of malware analysis, and they cannot be practiced enough.
This section covered a lot of things I already knew. The Zero2Auto course starts with this topic, so content-wise I was mostly familiar with it. Nevertheless, having a look at file encryption and key protection is certainly interesting, as is looking at data encryption in malware.
Having done some automation for malware analysis before (e.g. for my Oski stealer analysis), I was of course curious about how to extend this knowledge and learn things like dynamic binary instrumentation and binary emulation. The first part of this section, “Python for Malware Analysis”, I personally found mostly unnecessary - basic Python concepts shouldn’t need to be explained in such an advanced course. In my opinion, adding “basic Python knowledge” to the requirements wouldn’t discourage many people and would avoid taking up valuable space and time in this course. This chapter ends with applied Python malware config extraction using the PE module, which is a great exercise.
Dynamic binary instrumentation (DBI) with Frida and binary emulation using Qiling were new concepts for me and super interesting - I’m very curious to apply this knowledge outside of the course.
As mentioned before, the didactics and exercises are excellent and provide real value. From a content perspective, I think the course falls a bit short compared to the Zero2Auto course, which provides significantly more content (but, in my opinion, lacks a bit on the didactics side). The difference, of course, is that the SANS FOR710 course is scaled to be taught in one week. I don’t think Zero2Auto has this goal or limitation, which allows for more content.
All in all, I think FOR710 is a great course, especially for less experienced people who often feel like they need some guidance while analysing samples to gain experience and understand the thought processes involved. In the end, analysing malware relies heavily on experience and practice, and gaining that through exercises is incredibly valuable.
SANS offers a free demo for the course on the SANS FOR710 course page - there’s a “Course Demo” button at the top. I recommend having a look and seeing for yourself before purchasing.
Also, as of now there is no GIAC certification for this course (yet), so there is no huge exam with a shiny certification at the end.