Linux Malware Reverse Engineering
Instructors: Marion Marschalek
Dates: June 23 to 26, 2025
Capacity: 25
This fast-paced 4-day course will introduce students to reverse engineering Linux malware, starting off
with a dense recap of x86-64 reverse engineering and Linux internals, leading through common and
advanced Linux malware, Linux evasion tricks and packers, and closing with a primer on analysis
automation by scripting a reverse engineering framework.
Students will walk away with a deep understanding of Linux binary analysis techniques and knowledge of
the Linux threat landscape, able to dissect advanced Linux malware in their day-to-day operations.
KEY LEARNING OBJECTIVES
- Sharpening of reverse engineering skills
- Proficiency in Linux binary analysis
- Understanding Linux malware
- Learning Linux analysis evasion techniques
- Analysis automation techniques
CLASS OUTLINE
Day 1
Hands-on:
- Look at warmup malware (ransomware), get familiar with the disassembly framework, gauge the
room (how many beginner, intermediate and advanced students there are)
Theory w/ hands on examples:
- x86-64 reverse engineering primer with practical examples
- Introduction to x86-64 assembly and instruction flow
- Introduction to disassemblers and debuggers
- Executable file formats, stack, heap memory
- System V ABI and calling conventions
- Linux and/or 64-bit easter eggs (tail-call optimization, vararg functions, RIP-relative addressing,
special processor extensions, etc.)
Hands-on exercises:
- Warmup malware in depth: guided reverse engineering pointing out the concepts explained earlier. Close out
the day with self-guided reverse engineering exercises using a selection of beginner-friendly malware
samples.
Day 2
Theory w/ hands on examples:
- Linux environment and ELF file format
- Static vs. dynamic linking, linkers and loaders, symbols
- Linux libraries and library code, system calls
Hands-on brief, guided exercises:
- Linux native analysis tools (e.g. file, readelf, ldd, nm, strings, xxd, objdump, strace, ltrace),
demonstrating the concepts explained earlier on analysis examples
- Linux process tracing, sandboxes, debuggers
Hands-on guided reverse engineering:
- C++ malware
- Multi-threaded malware
Hands-on self-guided:
- Real malware, putting the learned concepts into practice
- Multi-purpose bots, IoT malware, Linux ransomware, applying the learned skills in practice
- Exercises of various levels to keep both beginner and advanced students engaged, with optional guided
exercises for students who have trouble on their own
Day 3
Theory:
- Linux analysis evasion tricks
- Packers
- Process injection
- Static/dynamic analysis evasion, assorted tricks and countermeasures
- Go and Rust malware
Hands-on guided and self-guided exercises:
- Learn how to unpack malware
- Reverse engineer eBPF malware and Linux rootkits
- Linux APT malware and implants
Day 4
Theory (a mellow morning for student brains after three days of RE challenges):
- The Linux threat landscape
- Common attack scenarios
- The role of exploits, script malware and executables
- Malware in cloud environments
Hands-on guided exercises (more challenges):
- Automation and writing analysis tools
- Scripting within an analysis framework (Ghidra or Binary Ninja, samples will be provided)
- Sample mass processing, headless execution
- Analyze malware with eBPF and Frida tools
Hands-on self-guided:
- Write a script that extracts a simple call graph from malware samples; optionally enrich the call graph with automatically extracted analysis artifacts
- Class Summary, homework, future projects, contact info
Hardware/Software Requirements
- Intel x86-64 laptop
- VirtualBox software
- Ability to download and install software
Prerequisites
Prior knowledge of x86-64 reverse engineering and basic scripting skills is ideal. Beginners are welcome,
but the learning curve will be steep. The environment must be set up before the class; instructions will be
sent out beforehand.
Who is This Course For:
Malware analysts, reverse engineers without malware background, very motivated beginners
Bio
Marion Marschalek is an independent security researcher with over 15 years of experience in the security industry, with a primary focus on reverse engineering and a background in malware research and detection, incident response, microarchitecture security and cloud security engineering. She has held positions at Intel, AWS and various threat detection companies, and has published extensive research over the years, presenting at conferences such as BlackHat, HITB, RSA and REcon. In 2015 Marion founded BlackHoodie, a series of hacker bootcamps that successfully attracts more women to the security industry.