Reverse Engineering Malware

Instructors: Nicolas Brulez
Dates: 15-18 June 2015
Capacity: 20 Seats

Day 1: Manually unpacking Malware

During the first day, students will focus on unpacking files manually in order to get working executables. Most famous packers will be covered in order to introduce various techniques that can be used on unknown packers. Also known as: How to unpack properly. Once completed, students will work on "malicious packers" and learn how to unpack samples of famous malware families. Nowadays, malware uses custom polymorphic packers to slow down analysis and thwart detection.

Day 2: Malware Analysis 0x65

Once the samples are unpacked, the next step is to perform Reverse Engineering. The second day focuses on analyzing malicious code. A big part of the day is spent on reverse engineering shellcode statically. Some tricks never published before will be shown to the students. The rest of the course focuses on detecting malicious behavior inside the disassembly.

Day 3-4: APT Reverse Engineering

Using the information learned in the first two days, students will work on several APT samples.

The goal of those two days is to be able to identify the actions of the threats, to be able to document their features and understand how they interact with C&C servers to receive commands.

Hands-on training:

During this 4 day course, students will focus mainly on hands-on exercices.

A minimum number of slides will be provided when methotology is needed, but students will "learn by doing".

Who should attend?

This class is intended for students who have been working with malware and doing reverse engineering in the past. Professionals doing Forensics Investigations, Incident Response, Malware Analysis can benefit from the course as long as they have the prerequisites listed below.

Class Requirements


Students should be familiar with Debugging and IDA Pro: The class is not an introduction to reverse engineering. Students should be familiar with Assembly: We won't cover assembly basics during the class. Students should have a laptop with required software installed before attending the class. Students should be familiar with VMware Workstation (or the VM of their choice).

Minimum Software to install:


Nicolas currently works at Kaspersky Lab as Principal Malware Researcher. His responsibilities include analyzing targeted attacks and complex malwares and Incident Handling.

Prior to joining Kaspersky Lab, Nicolas worked as a senior virus researcher for Websense Security Labs, and as the head of software security at Digital River/Silicon Realms when he was in charge of the anti-reverse engineering techniques used in the Armadillo protection system.

Over the last 16 years, Nicolas has authored numerous articles and papers on reverse engineering and presented at various security conferences such as RECON, ToorCon, SSTIC, Virus Bulletin, Hacker Halted, RuxCon, TakeDownCon, Pacsec etc.

To Register

Click here to register.