Spring 2017

Prof. Charles Nicholas
ITE 356
Office hours: Tuesday and Thursday 2-3pm, or by appointment

The teaching assistants are:
Kevin Chu, MW 4:30-5:30, ITE 366
Chris Gardner, TTh 1-2pm, ITE 366

Spring 2017 Lecture Topics

A much condensed version of this course can be presented as a half-day tutorial. The most recent such tutorial is proposed for Document Engineering 2017

Course information

Monday and Wednesday 5:30-6:45pm
ITE 233




CMSC 313 or equivalent. You'll be expected to have a solid grasp of programming in assembler as well as a high-level language such as C. If you don't know assembly language you will need to take the course in a later semester. Knowledge of operating systems and networks will be useful but is not required.


cover of Practical Malware

Practical Malware Analysis
Sikorski and Honig
ISBN 978-1-59327-290-6
Publisher: no starch press
this book is Required
(electronic and paper versions are available, student may purchase format of their choice)
(zipfile of labs for UMBC only. Use right click and "save link as" to download this file.)

This book is available for the Kindle, but the chapters are numbered differently than the print edition. This book is the best available for the beginning malware analyst, in my opinion, but it focuses on Windows XP. However, this book is still useful because the tools and techniques are still relevant for newer versions of Windows, and indeed for malware on other systems.

The following books are not required, but may be helpful:

Malware Analyst's Cookbook and DVD
Ligh, Adair, Harstein and Richard
Publisher: Wiley
(save link as tarfile of DVD for UMBC only)

Reversing: Secrets of Reverse Engineering
Eldad Eilam
Publisher: Wiley
this book is not required, but it may be helpful

Windows Internals, Part 1 and Part 2
Russinovich, Solomon and Ionescu
Publisher: Microsoft Press
(I understand that these books are being revised.)

Be careful when dowloading "free" copies of these books! Use VirusTotal to examine any PDFs you get. Additional books, varying in quality, can be found on Wikibooks and other places.


We explore both static and dynamic malware analysis. Although malware takes many forms, we focus on executable binaries. We will cover object file formats, and the use of tools such as debuggers, virtual machines, and disassemblers. Obfuscation and packing schemes will be discussed, along with various issues related to Windows internals.

Students will acquire knowledge of relevant system internals, and experience in using various malware analysis tools. Students will also acquire insight into emerging tends in malware design, including efforts to deter analysis.

This will be a "hands on" course, and students are strongly encouraged to bring their laptops to every class session.

Approximate Schedule:

We will be following the textbook, Practical Malware Analysis, closely. In general, we will cover a chapter per week.

The topics for class sessions here. The course notes are under almost continuous construction. Don't rely on what you see, I can revise at any time!

Course Policies


We will have a mid-term exam and a comprehensive final examination. Both will be take-home. There will be roughly one homework/programming assignment every two weeks. One or more of the homeworks may involve reading articles or papers and writing short essays. Regular class attendance is expected.

Students in CMSC 491 will have points allocated as followed: 15% midterm, 20% final, homework/programming assignments 65%.

Students enrolled in CMSC 691 will be expected to write a white paper. The points will be allocated as follows: 15% midterm, 20% final, white paper 10%, homework/programming assignments 55%.
(A white paper is like a research paper, although it need not be as long or as comprehensive.)


Abuse of Resources

Abuse of the knowledge or experience you gain in this course may subject you to discipline under UMBC policy and/or criminal prosecution. Do not expect your status as a student to protect you if you break the law! Hacking into campus computers (other than systems approved for such a purpose) is a violation of UMBC policy, and may result in disciplinary action possibly including expulsion, in addition to possible criminal charges.

Academic Honesty

Academic dishonesty of any kind will be handled in accordance with University policy.

"By enrolling in this course, each student assumes the responsibilities of an active participant in UMBC's scholarly community, in which everyone's academic work and behavior are held to the highest standards of honesty. Cheating, fabrication, plagiarism, and helping others to commit these acts are all forms of academic dishonesty, and they are wrong. Academic misconduct could result in disciplinary action that may include, but is not limited to, suspension or dismissal. To read the full Student Academic Conduct Policy, consult the UMBC Student Handbook, the Faculty Handbook, or the UMBC Policies section of the UMBC Directory." [Statement adopted by UMBC's Undergraduate Council and Provost's Office.]



A collection of malware analysis resources, such as web sites, downloads, and so forth. Suggestions are welcome!

Reading List

Malware analysis is an active area of pure and applied research, and papers are appearing all the time. Students should know how to use the UMBC Library research port and other facilities to get copies of papers they want. I suggest this reading list. Again, suggestions for improving this list are welcome.