Choose Your Malware Analysis Adventure: FOR610 or FOR710?

This blog is jointly authored by Anuj Soni and Lenny Zeltser.

Choosing between SANS FOR610^TM: Reverse-Engineering Malware: Malware Analysis Tools and Techniques^TM and FOR710^TM: Reverse-Engineering Malware: Advanced Code Analysis^TM can be challenging, especially if you’re eager to advance your malware analysis skills. To help you decide, we’ve created a ten-question self-assessment designed to gauge whether FOR610 or FOR710 is the best fit for you.

Which Course Is Right for You?

As you may have heard, we’ve been expanding the content in both FOR610 and FOR710, ensuring they remain at the cutting edge of malware analysis and reverse engineering. These courses are designed for professionals looking to deepen their expertise in dissecting complex malware, strengthening threat detection, and improving defense strategies.

Even if you’re not reverse-engineering malware every day, the skills covered in these courses are highly relevant for:

• Incident Handlers and Forensics Experts
• Malware Analysts
• Threat Intelligence Analysts
• Security Operations Center (SOC) Analysts
• Senior Windows Security Professionals
• Anyone responsible for malware analysis and threat detection

FOR610 provides a strong foundation in malware analysis, teaching students how to use a range of tools to examine the inner workings of malicious software. The course emphasizes static and dynamic analysis techniques to help analysts move beyond automated tools to gain deeper insights into real-world malware.

FOR710 is designed for advanced malware analysts with prior experience in the fundamentals covered in FOR610. It focuses on in-depth reverse engineering of sophisticated malware, including 32-bit and 64-bit Windows executables. A key component of FOR710 is analyzing obfuscation algorithms and developing automation to streamline malware analysis at scale.

Common Questions We Get

As course authors, we frequently hear such questions as:

• Am I ready for FOR710?
• Should I take FOR610 first?
• I’ve taken FOR610—am I ready for FOR710?
• I’ve taken other SANS courses—can I jump straight to FOR710?
• I have experience in forensics but not malware analysis—where should I start?

There is no one-size-fits-all answer to these of questions since everyone’s experience level varies. That’s why we recommend reading the course syllabus and prerequisite statements carefully. However, this quiz can help you assess your readiness from a malware analysis perspective.

Take the Self-Assessment — No Google Allowed!

This is a self-assessment quiz, so please don’t use a search engine, ask a peer, or look up answers. Instead, rely on your own knowledge and experience to see where you stand. After completing the quiz, you’ll find a separate link with answers and explanations to help you understand your results.

Ready? Let’s Go!

Grab a pen and paper, write down your answers, and when you’re done, review the answer key at the end of the blog to see how you did. We look forward to seeing you in FOR610 or FOR710—whichever course is the best fit for you!

Thanks and good luck!

Anuj Soni & Lenny Zeltser – Course Authors, FOR610 and FOR710

FOR610 or FOR710? Let’s Find Out

1. When analyzing a Windows executable, which static property provides insight into the libraries and functions the program depends on?

A. Threat Local Storage (TLS)

B. The file overlay

C. The program's imports

D. The program's exports

2. If a Windows executable contains no readable strings and exhibits suspicious behavior when executed, what might this suggest?

A. The binary is corrupted.

B. The binary is packed.

C. The binary is targeting Linux systems.

D. The binary is likely benign.

3. A Windows executable makes repeated DNS queries to a suspicious domain. What is the most likely reason?

A. To identify nearby network devices for lateral movement.

B. To resolve the domain name to an IP address for Command and Control (C2) communication.

C. To generate noise and distract defenders from other malicious activity.

D. To trigger DNS-based load balancing for performance optimization.

4. While debugging malware in x64dbg, you need to pause execution at a specific instruction even after restarting the session. Which type of breakpoint should you set?

A. A software breakpoint, as it modifies memory and is ideal for runtime monitoring.

B. A memory breakpoint, as it remembers where the breakpoint was set.

C. An INT3 breakpoint, as it injects a special instruction to pause execution.

D. A hardware breakpoint, as it remains active even if new code is unpacked dynamically.

5. A malware sample uses OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. What is the malware attempting to do?

A. Inject code into another process.

B. Create a new thread for debugging purposes.

C. Allocate memory for shellcode execution within itself.

D. Read memory from a remote system for data exfiltration.

6. In a disassembler, you see the following instructions:

PUSH EBP

MOV EBP, ESP

SUB ESP, 40

What does this code indicate?

A. The program is making a system call.

B. The program is returning from a function call.

C. The function is setting up a stack frame.

D. The function is dynamically allocating memory.

7. While debugging a malicious executable, you suspect it uses the VirtualAlloc API to allocate memory for code injection. You set a breakpoint on the VirtualAlloc function. How should you analyze the API call?

A. Set a breakpoint after the VirtualAlloc call and inspect the instruction pointer (EIP/RIP) to assess the memory allocation details.

B. Examine parameters in registers or stack at the breakpoint to determine the allocation size and memory protection flags, then continue execution and observe the return value in EAX/RAX for the base address of the allocated memory.

C. Search memory for suspicious executable code near the expected allocation size instead of setting a breakpoint.

D. Focus on the ESP/RSP register at the breakpoint to understand the function's stack impact.

8. Which disassembly construct suggests the presence of a loop in the code?

A. A JMP instruction that jumps to a previous address

B. A CALL instruction

C. A RET instruction

D. A NOP instruction

9. When a CALL instruction is executed in x86/x64 assembly, what happens to the program's control flow and the stack?

A. The address of the current instruction is pushed onto the stack, and execution continues from the called function.

B. The stack is cleared, and execution continues from the called function.

C. The address of the called function is pushed onto the stack, and execution continues to the next instruction.

D. The address of the next instruction is pushed onto the stack, and execution jumps to the called function.

10. You see the following snippet:

CMP EAX, 5 

JZ target_label 

What does this code do?

A. Compares EAX to 5 and jumps to target_label if EAX is greater than 5.

B. Compares EAX to 5 and jumps to target_label if EAX equals 5.

C. Increments EAX by 5 and jumps to target_label.

D. Subtracts 5 from EAX and jumps to target_label.

Answers Key

1. C - The program's imports.

Explanation: The import table provides valuable insights into the libraries (DLLs) and functions (APIs) the executable relies on, offering insights into its capabilities and potential behavior.

2. B - The binary is packed.

Explanation: Most executables contain readable strings (e.g., error messages, function names, DLL names). Packing tools like UPX or custom packers typically compress or encrypt a binary's code and strings, making static analysis tools ineffective until the binary is unpacked.

3. B - To resolve the domain name to an IP address for Command and Control (C2) communication.

Explanation: Repeated DNS queries to a suspicious domain often indicate C2 communication, where malware contacts a remote server for instructions, updates, or data exfiltration.

4. D - A hardware breakpoint, as it remains active even if new code is unpacked dynamically.

Explanation: Hardware breakpoints do not modify memory and remain reliable even when malware extracts new code at runtime.

5. A - Inject code into another process.

Explanation: The API sequence OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread is characteristic of process injection, where malware writes and executes its code inside another process to evade detection.

6. C - The function is setting up a stack frame.

Explanation: This sequence forms a function prologue, which establishes a stack frame for managing local variables and function arguments.

7. B - Examine parameters in registers or stack at the breakpoint to determine the allocation size and memory protection flags, then continue execution and observe the return value in the EAX/RAX register for the base address of the allocated memory. You can then monitor memory beginning at the base address to see if code is eventually placed there.

Explanation: When the program pauses at the breakpoint, the function's input parameters (e.g., allocation size, memory protection flags) are found on the stack (x86) or in the registers (x64). After the function executes and returns, the base address of the allocated memory is stored in EAX (x86) or RAX (x64), which can be examined to determine where the allocation occurred.

8. A - A JMP instruction that jumps to a previous address.

Explanation: A loop occurs when execution jumps backward to repeat a section of code.

9. D - The address of the next instruction is pushed onto the stack, and execution jumps to the called function.

Explanation: When a CALL instruction executes, the address of the next instruction (the return address) is pushed onto the stack, allowing execution to resume at that location once the function completes.

10. B - Compares EAX to 5 and jumps to target_label if EAX equals 5.

Explanation: The CMP instruction compares EAX to 5, setting the zero flag (ZF) if they are equal. The JZ (Jump if Zero) instruction executes the jump if the zero flag is set.

Scoring Guide

• 7/10 or higher: You’re ready for FOR710—assuming you meet the prerequisite malware analysis experience outlined in the course syllabus.
• 5/10 or 6/10: You’re in the gray area. You might need some additional preparation before taking FOR710, and it's crucial that you have experience equivalent to FOR610.
• 4/10 or lower: You’ll likely benefit from taking FOR610 first. If you’ve already taken FOR610 but still score low, we recommend reviewing the material before attempting the quiz again.

You’ve Taken the Quiz—Now Choose Your Path

Whether you're building a foundation in malware analysis or ready to tackle advanced reverse engineering, the SANS FOR610 and FOR710 courses offer the expertise you need. Take the next step in your journey—explore the course details and find the right fit for your skill level today!

Register FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques or FOR710: Reverse-Engineering Malware: Advanced Code Analysis today!