My Review on the Memory Forensics Black Hat Training Course by Monnappa K A
My Experience with Monnappa K A
In 2022, I took a 3-day live Black Hat MEA malware analysis training course with the veteran Monnappa. It was titled “A Complete Practical Approach to Malware Analysis & Memory Forensics”. It was an intensive course, and I learned a great many concepts not only in memory forensics but also in static malware analysis, dynamic analysis, reverse engineering, and other aspects of analyzing malware. Thus, I definitely recommend it if you have some experience in malware analysis and memory forensics (at least basic OS internals, to get the most out of it).
Who is Monnappa K A?
Monnappa is a brilliant security researcher, author of the book Learning Malware Analysis, trainer at Black Hat/HITB/BruCON, review board member of Black Hat USA/Europe/Asia, creator of Limon Sandbox, and a winner of Volatility Plugin Contest 2016.
Why Monnappa?
So, What Will I Learn by Attending the Course?
Setting aside the amazing malware analysis topics, I will just briefly outline the memory forensics topics that you will learn during the course:
- Memory Acquisition using various tools
- Volatility overview (the de facto standard tool for analyzing memory dumps)
- Using different Volatility plugins (including ones not shipped by default)
- Fast introduction to OS internals concepts related to memory
- Various analysis techniques to hunt for APTs, rootkits, and RATs
- Detecting malware persistence and execution
- Multiple cases and hands-on labs analysis
- AND A LOT MORE
My Humble Review on the Course
To be honest, the course surprised me with how well-organized the topics were, put together in a way that makes you understand the shortcomings of each method and why you need all of them together in order to analyze malware completely (from start to finish, including other malware analysis topics such as static and dynamic analysis). The course also goes deep into some important Windows Internals concepts such as kernel structures (EPROCESS, ETHREAD, etc.), the System Service Descriptor Table (SSDT), the Virtual Address Descriptor (VAD) tree, and more! In the lovely part, “memory forensics”, we analyzed rootkits, RATs, droppers, keyloggers, etc. How malware installs a malicious kernel driver or a malicious DLL, and how to detect them, was also part of the training. Furthermore, it covered some process injection techniques such as Hollow Process Injection. Overall, the course was very well-rounded, and it left me with only one regret: that it finished!
Watch my full review video on the training course below!
I Cannot Afford Taking a Class with Him!
Well, I was lucky to be sponsored by my company to attend such high-quality training, and I completely understand that not everyone can afford it, so I have got you covered and put together some resources from which you can learn from Monnappa himself – ALL FREE, except his book, which is paid.
- YouTube Videos Featuring him:
- His Book: Learning Malware Analysis
- His GitHub Page (that includes the Volatility plugins he developed and other tools):
- Hollowfind: Volatility plugin to detect different types of process hollowing techniques
- Psinfo: Volatility plugin that collects process-related information from the VAD and PEB; used to detect suspicious memory regions in processes.
- His YouTube Channel
- His blog
Conclusion
I talked about a memory forensics course I took previously with Monnappa, gave my simple review of it, outlined what you may learn during the course, and, for those who cannot afford taking a class with him, listed some free and more affordable resources (by the same author) that you can check out above!
~ Cya in the next one 🙂