Training


List of training sessions for Recon 2024:



Automating Reverse Engineering Processes with AI/ML, NLP, and LLMs

This course enhances reverse engineering (RE) processes through automation, focusing on efficiency and scalability in malware and firmware analysis by integrating neural networks (NN), natural language processing (NLP), and large language models (LLMs). It introduces Blackfyre, an open-source system combining a Ghidra plugin and a Python library, which is used throughout the course for binary analysis and for applying NN/NLP/LLM techniques to RE. The curriculum covers NN and NLP in malware analysis for threat classification and anomaly detection, and in firmware analysis for predicting function and binary names and detecting similarities. It also introduces BinaryRank, a static-analysis ranking algorithm inspired by PageRank but with linear complexity, which improves the effectiveness of NLP representations of binary data. Advanced topics include LLMs for function and binary summarization, and for malware analysis in the form of signature and report generation. The course is designed for those with a foundational understanding of RE, Python object-oriented programming skills, and basic mathematical knowledge, and aims to bolster NN/NLP/LLM capabilities in automating RE processes.


Modern Windows Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing 

This course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AV, IPS, IDS, EDR), and how attackers design and operate their implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors.



Mastering Advanced Fuzz Testing Techniques on UNIX 

This comprehensive four-day training course is designed for professionals seeking in-depth knowledge and practical skills in advanced fuzz testing techniques on UNIX (Linux, macOS, ...). The course covers the leading fuzzing tools AFL++, LibAFL, honggfuzz, and libFuzzer, providing an end-to-end perspective on the full fuzz testing workflow. We will look at targets with source code as well as binary-only targets.




Software Deobfuscation Techniques

Code obfuscation has become a vital tool to protect, for example, intellectual property against competitors. In general, it attempts to impede program understanding by making the to-be-protected program more complex. As a consequence, a human analyst reasoning about the obfuscated code has to overcome this barrier by transforming it into a representation that is easier to understand.
In this training, we get to know state-of-the-art code obfuscation techniques and look at how these complicate reverse engineering. Afterwards, we gradually familiarize ourselves with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.




The ARM64 Exploit Laboratory

The ARM64 Exploit Laboratory is a brand new class. 64-bit ARM CPUs, having already dominated the world of mobile devices, are starting to take centre stage in desktop and server computing.


This class is ideal for students who want to go from zero to deep in understanding and exploiting real-world vulnerabilities on Linux ARM64. Students will study key differences between ARM32 and ARM64, dive into ARM64 assembly, debug 64-bit processes and practically exploit memory corruption vulnerabilities on ARM64. The class also covers practical infoleak techniques, bypassing stack canaries and applying ARM64 Return Oriented Programming (ROP) techniques to exploit real-world software. Students will have ample time for hands-on exercises to sharpen their exploitation skills.




Symbolic Execution with Angr

This is an 80% hands-on course with many demos, examples, exercises, and solutions. Exercises will be mostly x64 and ARM binaries for Linux, but we will also apply it to other architectures, such as MIPS and PowerPC. Although the theory behind symbolic execution is fascinating, we will only minimally cover it and will instead focus on the practical applications of angr.
Students are provided a preconfigured VM with all necessary tools and exercises. The instructor's computer screen and voice will also be recorded during each day and provided for reference. Students can then review the recordings during the course and retain them for use afterwards.




Windows Internals for Reverse Engineers

Join the esteemed senior security researcher and endpoint security engineer as she takes you on a deep dive into the internals of the Windows 11 operating system.
Covering Windows 11 "23H2", the upcoming "24H2", and Server 2022, you'll unravel the secrets of how GRU bootkits, PLA software supply chain implants, NSA backdoors, and other kernel and firmware malware work. You'll learn how they, and others, abuse various system functionality, obscure mechanisms, and data structures in order to do their dirty work, and how you can defend against it, too!
You'll observe and experiment with how kernel-mode code operates and how it can be subject to compromise by user-mode attackers wishing to elevate their privileges, as well as how to detect such attempts, both live and forensically. Finally, you'll learn how CPU architecture deeply ties into OS design, and how Intel's and AMD's mistakes can lead to more pwnage. This course is only taught twice a year, and this is your only chance to attend it in America!
We'll cover the new Windows 11 kernel changes, including Kernel Data Protection (KDP), Kernel Address Sanitizer (KASAN) and Kernel Control-flow Enforcement Technology (KCET), and explain how the Trusted Platform Module (TPM) is used for Measured Boot. We'll go inside the Octagon and learn about System Guard Runtime Assertions and the rewritten Secure Launch framework that leverages Intel TXT and AMD SKINIT for new DRTM-based attestation.




Advanced IC Reverse Engineering & Data Extraction

When it comes to encrypted devices, one party may want to gather embedded evidence, while another may want to check whether a hardware backdoor is present, or whether the component and/or its embedded firmware (boot ROM / user code) contain intrinsic weaknesses that an attacker could exploit. The primary goal of this training is to provide digital forensics and security professionals as well as government services with the skills, mindset and background information necessary to successfully:
- Recover ICs' internal architectures
- Evaluate the efficiency of existing countermeasures
- Extract NVM contents (ROM & Flash), in order to analyze and evaluate the security of the embedded firmware and extract secret information
Students will be shown how such information can be used to define easier methods to find and exploit firmware and hardware weaknesses, both for vulnerability analysis and for embedded evidence extraction. Concretely, students who complete this course will:
- Find out how to perform low-level hardware reverse engineering
- Develop analysis strategies for the target devices and apply these strategies to recover their embedded data




Advanced Malware Reverse Engineering

This four-day course is a hands-on training. We are going to reverse engineer samples and code our own scripts. A minimal number of slides will be provided when methodology is needed, but students will "learn by doing".




Program Analysis for Vulnerability Research

This four-day course teaches sophisticated program analysis techniques and how to apply them to improve auditing processes, improve your ability to identify interesting code paths, and encode bug primitives for automated identification. Students will learn the basics of using Binary Ninja and become familiar with many of the foundational program analysis theories and algorithms behind its analysis. Students will learn how to leverage the advanced analysis provided by Binary Ninja as well as how to extend it for their specific use cases, and in doing so will learn to perform advanced program analysis for vulnerability research across every architecture.




Attacking Instant Messaging Applications

Few publicly-known hacks have inspired the imagination of security researchers as much as exploits against IM (instant messaging) applications. 0-click attacks aimed against applications such as WhatsApp, iMessage, and Telegram have raised unprecedented interest and have often caused political turmoil. Yet, in sharp contrast with the curiosity that IM exploitation generates, public information about this surface remains scant. This training is our bid to bridge the gap.
This course will provide students with the knowledge and hands-on experience in reverse engineering, vulnerability research, and exploitation of real-world IM applications. The target audience is advanced security professionals.




macOS Sonoma and iOS 17 Kernel Internals for Security Researchers

This course introduces you to the low-level internals of the iOS and macOS kernels from the perspective of a security researcher interested in vulnerability analysis, kernel rootkit/malware analysis and detection, or kernel exploit development. While this course concentrates on macOS Sonoma on the ARM64 CPU architecture, the latest security enhancements of iOS 17 and some differences from the x86_64 architecture will also be discussed. The course material has been updated from previous runs of the training.




RISC-V Security Training 

This Recon training program has been redesigned for Recon students looking for tactical exploit development skills when targeting RISC-V platforms. This training previously focused on the RISC-V architecture, CPU architecture security, and exploiting CPU design flaws. Due to popular demand, it has been augmented with guided laboratory examples for the exploitation of both CPU design flaws and software vulnerabilities at the firmware, kernel, and userland layers.




Practical Baseband Exploitation 

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits have been publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim's device by emulating a GSM or LTE base station as a difficult objective.

In reality, baseband exploitation is not as challenging! By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research - from setting up a fake base station using SDR and open-source BTS software, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them.
