List of training sessions for Recon 2020:



3-Day trainings

Software Deobfuscation Techniques

Code obfuscation has become a vital tool to protect, for example, intellectual property against competitors. In general, it attempts to impede program understanding by making the to-be-protected program more complex. As a consequence, a human analyst who still aims to reason about the obfuscated code has to overcome this barrier by transforming it into a representation that is easier to understand.

In this training, we get to know state-of-the-art code obfuscation techniques and have a look at how these complicate reverse engineering. Afterwards, we gradually become familiar with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.


  • Instructor: Tim Blazytko
  • Dates: 16-18 June 2020
  • Location: Monville Hotel
  • Capacity: 20 Seats
  • Price: 3450$ CAD before May 1, 4050$ CAD after.

Modern Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing

This course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (AVs, IPS, IDS, EDR, and such) and how the attackers design and operate tools in order to ensure redeployment promptly after detection or public disclosure by researchers or security vendors.

The course will also cover real-case scenarios that impair (effectively slow down or dissuade) a reverse engineering effort and make the job of a first responder tougher. The techniques will be demonstrated in two ways: by reversing real malware samples and then reimplementing an improved version of malware code, or by developing custom attacker's tools. The training is designed from an attacker's point of view, teaching red teams how to make their implants stealthier, but it will also teach defenders how to deal with the anti-reversing and the OPSEC techniques demonstrated in class.

The course focuses primarily on Windows malware and on the analysis and tweaking/re-purposing of real malware samples. Participants will be provided with plenty of custom code to facilitate the comprehension of complex malware techniques.


  • Instructor: Silvio La Porta and Antonio Villani
  • Dates: 16-18 June 2020
  • Location: Monville Hotel
  • Capacity: 20 Seats
  • Price: 3450$ CAD before May 1, 4050$ CAD after.

4-Day trainings

Integrated Circuit Reverse-Engineering and Firmware Extraction

Integrated Circuit Reverse-Engineering can be used in an offensive and defensive context. On the offensive side, hackers are extracting firmware from secure Integrated Circuits mostly to create compatible products such as printer cartridges. On the other hand, forensics agencies are using the same techniques to extract evidence from encrypted devices.

Evidence extraction from encrypted devices is a challenge for forensics agencies around the world. The effectiveness of the usual methods is decreasing, which creates a need for new solutions. In addition, security evaluation of hardware wallets, authentication tokens and other valuable assets suffers from the fact that the embedded firmware cannot be assessed.

Until now, successful hardware attacks have been based on fault injection (VCC, laser, EM). These techniques, however, are no longer successful on a number of secure Integrated Circuits, which creates a need for more potent solutions.

Integrated Circuit Reverse-Engineering provides all the information necessary for understanding how these secure chips work, and is also the perfect basis for designing attacks (from fault injection to micro-probing) that have proved very successful over the past years.

Analyzing hardware at the transistor level requires various knowledge about circuits, how they are designed, manufactured and tested. However, the skills required for performing vulnerability and/or risk analysis as well as data extraction are accessible to those who are already familiar with software and network security.



  • Instructor: Olivier Thomas
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 25 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.


Automated Reverse Engineering with Binary Ninja

This comprehensive 4-day course will train both novice and advanced reverse engineers to leverage Binary Ninja's features to automate reverse engineering and security research tasks, such as deobfuscation and patching, structure and class recovery, executable unpacking, vulnerability discovery, and writing shellcode payloads and exploits. Students will hit the ground running with a fast paced comprehensive overview of Binary Ninja’s user interface before diving directly into the defining features of the tool: the Python API and Binary Ninja Intermediate Languages, or BNIL. We will cover both the Low Level IL and Medium Level IL and why they are both superior to native disassembly for program analysis. From there, we will work in-depth with the Python API and explore how to develop plugins to serve as force multipliers in students’ analysis tasks; this will include more obscure aspects of the API, such as automating creation of structures, creating new BinaryViews, and post-analysis callbacks. Finally, we will further apply these automation techniques to search for vulnerabilities in binary code and generate an exploit, along with a shellcode payload in C with the Shellcode Compiler.


  • Instructor: Josh Watson
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 20 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.


Hunting and Reversing UEFI Firmware Implants

This 4-day course introduces students to real-world attack scenarios on devices powered by UEFI firmware. The course starts with the low-level internals of the modern operating system boot process from the perspective of a security researcher interested in bootkit analysis, detection/forensics and vulnerability research. After the OS boot process, the course goes down to the firmware and discusses UEFI architecture and internals with a focus on the needs of security researchers (including common vulnerabilities and design mistakes). The second part of the course focuses on UEFI firmware implants (from the hardware and firmware perspectives); it covers threat modeling, attack surface, forensics, and reverse engineering. The course will build a mindset for hunting unknown firmware threats, including from the supply chain perspective.

Over the course, students will learn about UEFI internals from different perspectives, such as those of a firmware implant developer and of a malware and vulnerability researcher. After the course, students will have knowledge of common firmware attacks, exploits, security feature bypasses and architectural mistakes in the firmware development process which can potentially lead to successful implant installation. During the course, most of the exercises are hardware-based challenges specially created to provide the same environment as in real life.


  • Instructor: Alex Matrosov
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 15 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.


An Introduction to Modern Binary Exploitation

This four-day training will teach students without prior experience how to develop exploits for modern binary software, taking them from 1990s style stack buffer overflows through contemporary exploitation of use-after-frees in programs protected by DEP and ASLR. The training will focus on exploiting Linux user mode x86/x64 binaries, but the lessons learned from the class are widely applicable to other platforms and architectures. The course is taught by two RPISEC alumni who were involved in the initial development and teaching of RPISEC’s Modern Binary Exploitation course ( https://github.com/rpisec/mbe ), but the material for this course is all new.


  • Instructor: Jeremy Blackthorne
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 30 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

Program Analysis Training for Vulnerability Research

This four-day course trains students to do sophisticated program analysis using Binary Ninja and the Binary Ninja Python API for the purpose of vulnerability research with the goal of improving auditing processes, improving ability to identify interesting code paths, and encoding bug primitives. In the class, students will learn Binary Ninja inside and out by extending its analysis capabilities to support a custom architecture which is difficult to analyze manually. Students will also leverage the Binary Ninja plugin architecture to identify vulnerabilities in a machine architecture independent way. After taking this course students will have experience working with the least intuitive and even some undocumented parts of Binary Ninja to create powerful program analysis tools which can be used across architectures.


  • Instructor: Sophia d’Antoine
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 25 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

WebAssembly Security from Reversing to Vulnerability Research

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit/Safari and Microsoft Edge through the W3C. This new format has been designed to be “Efficient and fast”, “Debuggable” and “Safe”, which is why it is often called the "game changer for the web". This course will give you all the prerequisites to understand what a WebAssembly module is and how its associated runtime virtual machine works. At the end of four intensive days, you will be able to statically and dynamically reverse a WebAssembly module, analyze its behavior, create specific detection rules and search for vulnerabilities. You will discover which security measures are implemented by the WebAssembly VM to validate and handle exceptions. Finally, you will search for vulnerabilities inside WebAssembly VMs (web browsers, standalone VM) using mutation and generation based fuzzing techniques. Students will be presented with lots of hands-on exercises allowing them to internalize concepts and techniques taught in class. Hope you will like it!


  • Instructor: Patrick Ventuzelo
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 25 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

Real-world IoT & embedded device hacking

In this 4-day training, students will learn how to attack real, on-the-market and supposedly secure devices that have sold millions of units and are widely used. Often, these devices are used in critical and/or sensitive applications. The training focuses on teaching how to perform a hardware security analysis, starting with basic firmware analysis and going as deep as performing a man-in-the-middle attack on in-device buses. A big focus is on identifying inherently insecure architectures: devices that cannot be made secure from a hardware perspective, for example because of design mistakes or the selection of insecure chips. The devices the students will hack range from point-of-sale terminals, through bitcoin wallets and automotive control systems, up to industrial controllers as used in power plants. The training also covers how the conducted attacks can be prevented and how secure device architectures can be constructed.


  • Instructor: Thomas Roth
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 20 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

Side-Channel Power Analysis & Fault Injection with the ChipWhisperer

This 4-day course takes you through side-channel power analysis & fault injection attacks on embedded systems (32-bit Arm Cortex M3/M4 as well as 8-bit XMEGA). This course concentrates on low-level embedded systems such as found in many IoT devices, as well as boot ROM and similar code. Students should have a good background in embedded design or hardware hacking, and the course assumes good familiarity with C & Python. Using many hands-on labs, students will use the ChipWhisperer hardware to walk through attacks on software AES, hardware AES, password checks, RSA, and more. Results of the attack include recovering encryption keys with DPA, bypassing JTAG security checks, bypassing password checks, and more. Students leave the course with a ChipWhisperer setup they keep, meaning they can continue to experiment with the provided material, and then apply it to their own targets after the course is complete.


  • Instructor: Colin O'Flynn
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 24 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

Reverse Engineering Malware

Learn how to unpack and Reverse-Engineer malware in this 4-day class.

Covered Topics: Unpacking, Static and Dynamic Analysis, IDA Python and Targeted Attacks.


  • Instructor: Nicolas Brulez
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 24 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

Windows Internals for Reverse Engineers

For the first time ever, join both the co-author of the Windows Internals book series from Microsoft Press, as well as an esteemed security researcher and endpoint security engineer, as they take you along a deep dive into the internals of the Windows NT kernel architecture. Covering Windows 10 “20H1”, the upcoming “20H2”, and Server 2019, you’ll unravel the secrets of how rootkits, PLA implants, NSA backdoors, and other kernel-mode malware abuse various system functionality, obscure mechanisms, and data structures, in order to do their dirty work. You’ll observe and experiment with how kernel-mode code operates and how it can be subject to compromise by user-mode attackers wishing to elevate their privileges, as well as how to detect, both live and forensically, such attempts. Finally, you’ll learn about how CPU architecture deeply ties into OS design, and how Intel’s and AMD’s mistakes can lead to more pwnage.

We’ll cover the new Windows 10 kernel changes, including the introduction of Virtual Trust Levels (VTL) combined with Virtualization Based Security (VBS) to make pass-the-hash attacks virtually impossible, Hyper Visor Code Integrity (HVCI) to prevent unsigned kernel code execution, even with Ring 0 vulnerabilities, as well as new mitigations such as Kernel Control Flow Guard (KCFG), eXtended Control Flow Guard (XFG) and Intel Control-flow Enforcement Technology (CET) to protect against exploitation. We’ll go inside the Octagon and learn about System Guard Runtime Assertions and the rewritten Secure Launch framework that leverages Intel TXT for new DRTM-based attestation. Enclaves and Attestation, both through Software Guard Extensions (SGX) and VBS, and TPM-based Measured Boot, will also be on the menu.



  • Instructor: Alex Ionescu and Yarden Shafir
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 25 Seats
  • Price: 5400$ CAD.

Windows Internals for Reverse Engineers

For the first time ever, join both the co-author of the Windows Internals book series from Microsoft Press, as well as an esteemed security researcher and endpoint security engineer, as they take you along a deep dive into the internals of the Windows NT kernel architecture. Covering Windows 10 “20H1”, the upcoming “20H2”, and Server 2019, you’ll unravel the secrets of how rootkits, PLA implants, NSA backdoors, and other kernel-mode malware abuse various system functionality, obscure mechanisms, and data structures, in order to do their dirty work. You’ll observe and experiment with how kernel-mode code operates and how it can be subject to compromise by user-mode attackers wishing to elevate their privileges, as well as how to detect, both live and forensically, such attempts. Finally, you’ll learn about how CPU architecture deeply ties into OS design, and how Intel’s and AMD’s mistakes can lead to more pwnage.

We’ll cover the new Windows 10 kernel changes, including the introduction of Virtual Trust Levels (VTL) combined with Virtualization Based Security (VBS) to make pass-the-hash attacks virtually impossible, Hyper Visor Code Integrity (HVCI) to prevent unsigned kernel code execution, even with Ring 0 vulnerabilities, as well as new mitigations such as Kernel Control Flow Guard (KCFG), eXtended Control Flow Guard (XFG) and Intel Control-flow Enforcement Technology (CET) to protect against exploitation. We’ll go inside the Octagon and learn about System Guard Runtime Assertions and the rewritten Secure Launch framework that leverages Intel TXT for new DRTM-based attestation. Enclaves and Attestation, both through Software Guard Extensions (SGX) and VBS, and TPM-based Measured Boot, will also be on the menu.


  • Instructor: Alex Ionescu and Yarden Shafir
  • Dates: 22-25 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 25 Seats
  • Price: 5400$ CAD.

Automated Reverse Engineering with Machine learning and Binary Analysis

Reverse engineering (RE) applications (e.g. malware and vulnerability analysis) have historically been a manual and time-intensive process performed by skilled practitioners. In this course, we will introduce, discuss, and demonstrate (via labs) how Binary Analysis and Machine Learning (ML) techniques can be leveraged to address automation and scaling challenges with respect to reverse engineering. In particular, we will introduce students to several prominent intermediate representation (IR) languages (i.e. VEX, LLVM, and p-code) and show how the IR can be utilized to perform advanced static and dynamic analysis of desired firmware. Since advanced binary analysis can generate valuable meta-data about a target binary (or a collection of binaries), we will discuss and demonstrate how meta-data generated from a vast collection of binaries can be analyzed via Machine Learning techniques (e.g. clustering and classifying) to discover patterns and insights that inform and guide the automated reverse engineering process.


  • Instructor: Malachi Jones PhD
  • Dates: 15-18 June 2020
  • Location: Monville Hotel
  • Capacity: 25 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

The ARM IoT Exploit Laboratory

A new decade, a new class. The 2020 Edition of the ARM Exploit Laboratory is a 4-day intermediate level class intended for students who want to take their exploit writing skills to the ARM platform. Past students of the ARM IoT Exploit Laboratory can take their skills to the next level, and new students will be presented with an even deeper dive into exploit development on ARM. In addition to 32-bit exploit development, we shall feature an introduction to 64-bit ARM exploitation with real world examples.

The class covers everything from an introduction to ARM assembly (32 and 64 bit) all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM based Linux systems and IoT devices.


  • Instructor: Saumil Shah
  • Dates: 15-18 June 2020
  • Location: Monville Hotel
  • Capacity: 30 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

Reverse Engineering with Ghidra

This is a majority hands-on course on using Ghidra for reverse-engineering. Exercises will include PE and ELF files and will be in a variety of architectures, to include x86, x86-64, PowerPC, MIPS, and ARM. This course balances fundamentals with modern applications. After completing this course, students will have the ability to perform analysis of real-world binaries in Ghidra with both manual and automated techniques. Students will know how to leverage Ghidra’s strengths and how to complement its weaknesses.



  • Instructor: Evan Jensen
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 30 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

MacOS and iOS Kernel Internals for Security Researchers

With the release of MacOS Catalina and iOS 13, Apple has once again raised the bar in terms of kernel level security. This course will introduce you to the low level internals of the MacOS and iOS kernels from the perspective of a security researcher interested in kernel level vulnerability analysis, kernel rootkit/malware analysis/detection or driver development. While this course concentrates on MacOS Catalina on the x64 CPU architecture, the latest security enhancements of iOS 13 will also be discussed. The course material was updated to the latest security features of MacOS Catalina and iOS 13. This is the first course that introduces Apple's new concept of SystemExtensions and introduces you to DriverKit and EndpointSecurity.

The course will focus on the MacOS side and therefore all training exercises will be performed on MacOS Catalina. However, iOS security specifics will also be covered by the course where they differ from the MacOS way.


  • Instructor: Stefan Esser
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 25 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

Botnet Takeover Attacks For Reverse Engineers

Learn how to apply reverse-engineering to botnet takeover attacks. This 4-day training will teach the fundamentals of botnet command-and-control protocol reversing, identifying and breaking cryptography, as well as reconstructing botnet topologies and identifying weaknesses in their infrastructure. Students will learn to use this knowledge to design botnet takeover attacks and practice their skills in various hands-on exercises.


  • Instructor: Brett Stone-Gross and Tillmann Werner
  • Dates: 15-18 June 2020
  • Location: Monville Hotel
  • Capacity: 24 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.

Advanced Fuzzing and Crash Analysis

This class is designed to introduce students to the best tools and technology available for automating vulnerability discovery and crash triage with a focus on delivering a practical approach to applying this technology in real deployments at any scale.


  • Instructor: Richard Johnson
  • Dates: 15-18 June 2020
  • Location: Hilton Double Tree Hotel
  • Capacity: 24 Seats
  • Price: 4600$ CAD before May 1, 5400$ CAD after.