Malware Reverse Engineering Courses

We offer state of the art malware reverse engineering courses focusing on static analysis with Ghidra.

After completing the first day of the course, each participant will be able to perform static reverse engineering of malware. Actual in-the-wild malware samples are analyzed in hands-on exercises to exemplify general concepts and challenges, which are usually related to anti-analysis techniques.

Classes can include a wide variety of topics such as analysis of malicious documents, other binary formats, scripting and automation of Ghidra, more advanced obfuscation techniques, object oriented code, as well as dynamic analysis. The precise selection of topics is highly customizable depending on your requirements.

We have outlined an example schedule below which has a strong focus on the Ghidra decompiler. This way, we can avoid a prolonged introduction to x86 assembly and give ad-hoc treatments only when it arises naturally during analysis. The only requirement for such a course is a solid understanding of the C programming language, notably including pointer arithmetic.

Since the pace and contents of the course are tailored to your needs, so is the price. Contact kapluenf@fen@mal.re for details.

About Us

We are study buddies with a background in Mathematics and Computer Science and currently work at CrowdStrike as malware reverse engineers.

• 
  • Lars Wallenborn
  • l-arrs@wallenborn.net
  • @larsborn
• 
  • Jesko Hüttenhain
  • jorefgsko@huettenhain.net
  • @huettenhain

Both of us are experienced teachers and have regularly taught as a team since 2008.

Example Course Schedule

Day 1: Orientation

• First steps with Ghidra
• Analysis of an unobfuscated malware sample
• Overcoming string obfuscation
• Reverse engineering paradigms

Day 2: Anti-Analysis Strategies

• Packed malware
• Control flow obfuscation
• Position-Independent code
• The Portable Executable (PE) format
• Dynamic API resolution
• Stack Strings
• Data structures (structs)

Day 3: Algorithm Identification

• Algorithm Identification Overview
• Cryptographic Algorithms
• Stream- vs. Block-Cipher
• Compression Algorithms
• Signatures (i.e. YARA)

Day 4: Malware Spotlight: REvil

• String Deobfuscation
• Ghidra Scripting/Automation with Java
• API Hashing
• Config Extraction

Day 5: Scale Yourself: Scripting

• How to use the Ghidra scripting API
• Automatic String Deobfuscation
• Combating Simple Anti-Analysis Techniques (Junk Code, Stack Strings)
• Analyzing Control Flow

Day 6 (Optional): Dynamic Analysis

• Behavioural Analysis
• Rudimentary VM Hardening
• API Tracing
• Dynamic Unpacking