The FLARE Team's Guide to Reverse Engineering Modern Malware
Instructor: Josh Stroschein
Dates: June 15 to 18, 2026
Location: Google Montreal Office
Capacity: 30
This four-day, hands-on training provides a comprehensive deep dive into the complex world of modern Windows malware, equipping you with the practical skills to dissect and understand even the most sophisticated threats. Designed for experienced security professionals and aspiring malware analysts, this course goes beyond basic reverse engineering to focus on the advanced techniques used by malicious actors to evade detection and analysis. You'll gain mastery of low-level Windows internals, reverse engineering tools, and automation by working with challenging samples.
This course is the culmination of years of frontline reverse engineering and incident response support from the FLARE team at Google. You will gain hands-on expertise in key areas, including leveraging Time Travel Debugging (TTD), a technology that allows you to record a complete execution trace and replay it both forwards and backwards. The training covers how malware hides its execution using multi-stage shellcode, hinders analysis through anti-disassembly and anti-debugging tricks, and bypasses modern EDR systems with direct and indirect syscalls and process injection techniques. You will also learn to dissect ransomware cryptography to extract critical intelligence and master the complex art of reversing C++ and .NET binaries to understand their inner workings. These are essential skills for anyone reverse engineering modern malware.
By the end of this course, you will possess a powerful toolkit for deconstructing malicious software. You will be able to defeat advanced obfuscation, reconstruct complex code flows, and extract critical intelligence from malware using both manual and automated techniques. Familiarity with assembly language and Windows operating system internals is essential, as the course assumes a solid foundation and immediately dives into advanced techniques.
Course Outline
Day 1
[Module] Class Introductions
- Introduce Instructors
- Course Overview and Logistics
[Module] Unraveling Shellcode
- Analyzing Position Independence in Shellcode
- Defeating Dynamic Code Decryption and Obfuscation
- Tracing and Reconstructing Runtime Linking with the Process Environment Block (PEB) and PE File Export Directory
- Unraveling Hashes to Determine String Values
- Using Reverse Engineering Tools for Shellcode Analysis
[Lab] Reverse Engineering Multi-Stage Shellcode
- Defeat Dynamic Code Decryption
- Reconstruct API Calls from Hashes
- Determine Final Payload Capabilities
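Added example, not part of the course materials: a Python reimplementation of the ROR13 API-hash scheme used by Metasploit's block_api and by the many shellcode families derived from it, as a reference for the "Unraveling Hashes to Determine String Values" and "Reconstruct API Calls from Hashes" items above. The export lists and the list of hash constants are constructed here so it runs offline; against a real sample you would feed it the export names of the DLLs the shellcode walks via the PEB and the immediates it pushes before calling its resolver stub. The rotation count is a parameter because other families use a different rotation or a different hash altogether.

```python
"""ROR13 API-hash resolver (block_api convention).

Added example for the shellcode module; not course material. The export
lists and the "hashes recovered from shellcode" below are constructed
subsets so the script runs offline.
"""

from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """x86 ROR on a 32-bit register."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def rolling_hash(data: bytes, rot: int = 13) -> int:
    """h = ror(h, rot) + byte for every byte; the terminator is hashed too."""
    h = 0
    for b in data:
        h = (ror32(h, rot) + b) & MASK32
    return h


def module_hash(name: str, rot: int = 13) -> int:
    """block_api hashes the PEB BaseDllName: uppercase UTF-16LE plus its NUL."""
    return rolling_hash(name.upper().encode("utf-16-le") + b"\x00\x00", rot)


def function_hash(name: str, rot: int = 13) -> int:
    """Export names are read from the export directory as ASCII plus NUL."""
    return rolling_hash(name.encode("ascii") + b"\x00", rot)


def api_hash(module: str, func: str, rot: int = 13) -> int:
    """The 32-bit immediate the shellcode pushes before calling its resolver."""
    return (module_hash(module, rot) + function_hash(func, rot)) & MASK32


def build_table(exports: Dict[str, Iterable[str]], rot: int = 13) -> Dict[int, str]:
    """Map every known hash to 'module!function'; report collisions."""
    table: Dict[int, str] = {}
    for module, funcs in exports.items():
        for func in funcs:
            h = api_hash(module, func, rot)
            name = f"{module}!{func}"
            if h in table and table[h] != name:
                print(f"collision: {h:#010x} {table[h]} vs {name}")
            table.setdefault(h, name)
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> List[Tuple[int, Optional[str]]]:
    """Annotate each hash; None means the export list does not cover it."""
    return [(h & MASK32, table.get(h & MASK32)) for h in hashes]


# Constructed export subsets: real export names, but far from the full tables.
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "WinExec", "ExitProcess", "VirtualAlloc", "CreateProcessA"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect"],
}

# Constructed list: the three immediates of a classic windows/exec payload
# plus one value the table cannot explain.
SHELLCODE_HASHES = [0x0726774C, 0x876F8B31, 0x56A2B5F0, 0xDEADBEEF]


if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    for h, name in resolve(SHELLCODE_HASHES, table):
        print(f"{h:#010x}  {name or '<unresolved: extend the export list or try another hash>'}")
```

Because the module part is a fixed term (0x92AF16DA for KERNEL32.DLL), subtracting it from an unknown constant and hashing candidate export names is often faster than building the full table. If nothing resolves, check the sample's own hashing loop before trusting any table: a different rotation (rot=7 is common), case handling, or a different algorithm such as CRC32 or FNV-1a all produce unrelated constants.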
[Module] Mitigating Anti-Analysis Techniques
- Understanding Recursive Descent and Linear Sweep Disassembly Algorithms
- Recognizing How Malware Uses Timing Checks, Exception Handling, Memory Scanning and TLS Callbacks for Anti-Debugging
- Fixing Control Flow With Manual Patching to Overcome Opaque Predicates and Other Anti-Disassembly Techniques
[Lab] Defeating Anti-Analysis
- Bypass Anti-Debugging and Anti-Analysis Techniques
- Reconstruct Code to Defeat Control Flow Obfuscation
Day 2
[Module] Leveraging Time Travel Debugging (TTD) for Malware Analysis
- Understanding Key TTD Components and Capturing Traces
- Analyzing Malware with the Debugger Object Model and LINQ
- Automating TTD Analysis with JavaScript Extensions
- Practical TTD: Techniques for Effectively Triaging Trace Files
[Labs] Harnessing TTD to Unravel Malware Obfuscation
- Identifying Payloads from Process Hollowing in .NET Binaries
- Automating the Extraction of Encrypted Strings Through Script Development
[Module] Advanced Evasion and Stealth Techniques
- Investigating Advanced Process-Based Evasion Through Process Hollowing
- Understanding Asynchronous Procedure Calls (APC) and Early Bird Injection Techniques
- Mastering System Calls in Windows and Avoiding Version Pinning
- Uncovering and Defeating Function Hooking
- Evading and Bypassing Modern Endpoint Detection and Response (EDR) Systems in Malware
[Labs] Unraveling Advanced Evasive Malware
- Reverse Engineering and Reconstructing Process Injection
- Analyzing and Bypassing Indirect System Call Evasion
Day 3
[Module] Dissecting Ransomware Cryptography
- Understanding Hybrid Cryptography: Symmetric and Asymmetric Encryption Models
- Analyzing Cryptographic Algorithms and Libraries in Binaries
- Case Studies: Deciphering the Cryptographic Implementations of Conti v2 and Babuk
- Extracting Keys and Other Cryptographic Artifacts from Ransomware Binaries
[Lab] Reverse Engineering Ransomware Encryption
- Analyze and Reverse Engineer the Encryption Scheme
- Extract Key Material from a Ransomware Sample
- Determine Ransomware Capabilities through Windows API Analysis
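Added example, not part of the course materials, for the "Extracting Keys and Other Cryptographic Artifacts" item above: a Python carver that scans a buffer (an unpacked binary or a memory dump) for Windows CryptoAPI RSA PUBLICKEYBLOB structures and for the AES S-box, two artifacts that a hybrid-cryptography ransomware commonly leaves behind. The input buffer and the 512-bit modulus are constructed here so the script runs offline; the layout constants come from wincrypt.h. This does not claim anything about the Conti v2 or Babuk implementations discussed in the module.

```python
"""Carve CryptoAPI RSA public-key blobs and AES S-box constants from a buffer.

Added example for the ransomware cryptography module; not course material.
The buffer scanned at the bottom is constructed: filler bytes around a
hand-built PUBLICKEYBLOB whose 512-bit modulus is a demo value, not a key.
"""

import struct
from dataclasses import dataclass
from typing import List

# BLOBHEADER (wincrypt.h): bType, bVersion, reserved, aiKeyAlg; then RSAPUBKEY:
# magic "RSA1", bitlen, pubexp; then the modulus, little-endian, bitlen/8 bytes.
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
CALG_RSA_SIGN = 0x00002400
RSA1_MAGIC = b"RSA1"
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc5")  # first 8 bytes of the S-box


@dataclass
class RsaPublicKey:
    offset: int
    alg_id: int
    bit_length: int
    public_exponent: int
    modulus: int


def carve_rsa_pubkeys(buf: bytes) -> List[RsaPublicKey]:
    """Find every PUBLICKEYBLOB whose header and size fields are plausible."""
    keys: List[RsaPublicKey] = []
    pos = buf.find(RSA1_MAGIC)
    while pos != -1:
        hdr = pos - 8  # BLOBHEADER sits immediately before RSAPUBKEY
        if hdr >= 0 and pos + 12 <= len(buf):
            b_type, b_ver, _reserved, alg = struct.unpack_from("<BBHI", buf, hdr)
            _magic, bitlen, pubexp = struct.unpack_from("<III", buf, pos)
            mod_start, nbytes = pos + 12, bitlen // 8
            if (b_type == PUBLICKEYBLOB and b_ver == CUR_BLOB_VERSION
                    and alg in (CALG_RSA_KEYX, CALG_RSA_SIGN)
                    and bitlen % 8 == 0 and 256 <= bitlen <= 16384
                    and mod_start + nbytes <= len(buf)):
                modulus = int.from_bytes(buf[mod_start:mod_start + nbytes], "little")
                keys.append(RsaPublicKey(hdr, alg, bitlen, pubexp, modulus))
        pos = buf.find(RSA1_MAGIC, pos + 1)
    return keys


def find_aes_sbox(buf: bytes) -> List[int]:
    """Offsets of the AES forward S-box: a strong hint that AES is in use."""
    offsets: List[int] = []
    pos = buf.find(AES_SBOX_PREFIX)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(AES_SBOX_PREFIX, pos + 1)
    return offsets


def build_publickeyblob(modulus: int, pubexp: int, bitlen: int) -> bytes:
    """Serialise a PUBLICKEYBLOB exactly as CryptExportKey would emit it."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<4sII", RSA1_MAGIC, bitlen, pubexp)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")


# Constructed demo input: a 512-bit modulus (not a real key), embedded with
# filler bytes and a copy of the AES S-box's first 16 bytes.
DEMO_MODULUS = int("c0ffee" * 21 + "d1", 16)
DEMO_EXPONENT = 65537
DEMO_IMAGE = (
    b"\x90" * 37
    + build_publickeyblob(DEMO_MODULUS, DEMO_EXPONENT, 512)
    + b"\x00" * 16
    + AES_SBOX_PREFIX + bytes.fromhex("3001672bfed7ab76")
    + b"\xcc" * 20
)


if __name__ == "__main__":
    for k in carve_rsa_pubkeys(DEMO_IMAGE):
        print(f"RSA public key @ {k.offset:#x}: {k.bit_length}-bit, e={k.public_exponent}, "
              f"n={k.modulus:#x}")
    print("AES S-box @", [hex(o) for o in find_aes_sbox(DEMO_IMAGE)])
```

Two caveats when using this on real samples: the CNG format (BCRYPT_RSAKEY_BLOB, also tagged "RSA1") has a different header and stores its integers big-endian, so a hit on the magic without the BLOBHEADER in front of it is worth a manual look rather than a discard; and families that decode or decrypt the embedded key at runtime will only show the blob in memory after the import call, which is where a dump taken at CryptImportKey or BCryptImportKeyPair pays off.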
Day 4
[Module] Reverse Engineering Modern C++ Binaries
- Deconstruct C++ object-oriented principles
- Perform virtual function table (VFT) analysis
- Identify the use of the Standard Template Library (STL)
[Lab] Reconstructing a Modular C++ Backdoor
- Identify and reconstruct C++ classes
- Analyze class inheritance and polymorphism
- Trace virtual function dispatch and program flow
[Module] Deobfuscating .NET Malware
- Understanding the .NET Framework and Common Malware Tactics
- Deconstructing Obfuscated .NET Binaries
- Reversing and Unpacking Multi-Assembly Malware
- Automating Analysis with .NET Reflection and C# Scripting
[Lab] Defeating Protected .NET Malware
- Defeating Control Flow Obfuscation and Unpacking a .NET Dropper
- Analyzing Encrypted Payloads and Defeating Obfuscation
- Automating String and Payload Decryption via C# Scripting
Hardware/Software Requirements
A laptop with at least 6 GB of RAM, 50 GB of free disk space, and the ability to run VirtualBox virtualization software. Apple silicon Macs (M1, M2, and M3) are not directly supported due to limitations in the virtualization technology available for them. An alternative cloud-based VM can be provided on demand.
Prerequisites
Students should have prior experience with malware analysis and key concepts in network security. A strong understanding of assembly language is essential. Familiarity with basic computer science concepts, including data structures and object-oriented programming, will be highly beneficial.
Objectives
- Mastering Cutting-Edge Evasion & Anti-Analysis: You'll not only understand how malware hides but also master evasive process injection techniques, understand how direct and indirect syscalls are used to bypass EDR, defeat modern anti-debugging tricks, and reconstruct multi-stage shellcode to uncover hidden payloads. You'll gain a significant advantage in analyzing malware designed to resist detection and analysis.
- Advanced Analysis with Specialized Tools & Techniques: You'll go beyond traditional reversing to tackle the hardest challenges in malware analysis. The course provides hands-on expertise with Time Travel Debugging (TTD) for efficient behavioral analysis, teaches you to reconstruct C++ and .NET binaries, and shows you how to dissect ransomware cryptography to extract critical information.
- Building Custom Tools for Automated Analysis: This training isn't just about manual analysis; it's about efficiency and scale. You'll learn to automate complex tasks by leveraging C# scripting for .NET analysis and JavaScript extensions for TTD. This skill enables you to build your own custom tools to automatically defeat obfuscation and extract key intelligence, turning you into a more effective and productive analyst.
Who Should Take This Course
This is an ideal course for security analysts, malware analysts/researchers, and blue teams/defenders who need hands-on experience diving deep into malicious software to create and update detections.
Who Would Not Be a Good Fit for This Course
This is an advanced course. Individuals who are new to the field of malware analysis and reverse engineering would not be a good fit. Specifically, this training is not for you if:
- You do not have a strong foundation in x86 and x64 assembly language and Windows internals.
- You are not comfortable using tools like IDA Pro, Ghidra, and debuggers (e.g., WinDbg, x64dbg) to analyze complex binaries.
- You have not previously performed manual malware analysis.
BIO
Josh Stroschein is an experienced malware analyst and reverse engineer with a passion for sharing his knowledge with others. He works on the FLARE team at Google Cloud (Mandiant), where he focuses on tackling the latest threats. He holds a Doctor of Science from Dakota State University. Josh is an accomplished trainer and regular speaker at venues such as Ring Zero, BlackHat, Defcon, Toorcon, Hack-In-The-Box, Suricon, and other public and private events. Josh is also an author on Pluralsight, where he publishes content on malware analysis, reverse engineering, and other security-related topics.
