Instructor: Marion Marschalek
Dates: June 15 to 18 2026
Capacity: 25
This course aims to teach reverse engineers the world of malware, with a primary focus on Windows, while also shining a light on other platforms. Students will learn how to take apart just about any malicious binary that comes their way by combining state-of-the-art malware analysis tooling with advanced reverse engineering skills. This includes understanding and circumventing the advanced self-protection mechanisms that modern-day malware tends to employ.
In reality the analyst doesn't get to choose what type of malware lands on their dissection table. The sample could be your average C-written, loosely protected, and relatively small espionage bot. Or, it could be plain shellcode, or a highly complex piece of targeted malware, or a sophisticatedly packed ransomware, or a large Delphi binary with no prior verdict, or god forbid a Rust executable that has no useful indicators to it whatsoever.
This course aims to prepare analysts for all of these possibilities, to be able to handle what the modern-day threat landscape has to give on a daily basis. The course starts out with Windows malware, but we'll also tackle Linux and macOS malware, and do side quests on ARM samples. This challenge is intended to bring students closer to the level of universal binary understanding with the latest tools and techniques.
Day 1 of this training will bring students up to speed on common Windows malware and provide a recap of fundamentals, and from there branch out into how to conquer other operating systems, file formats, and assembly languages. This first day will also have a lot of hands-on exercises to solidify foundations and teach the class the nifty tricks it often takes to reverse engineer a binary that doesn't want to be analyzed.
Day 2 will jump in at the deep end with the defense mechanisms that malware is usually equipped with, since these are most often the first things an analyst encounters in the analysis process. We'll cover basic and advanced anti-analysis measures that thwart static and dynamic tooling, and cover how to identify and circumvent these techniques. The class will learn how to see through the confusion malware tries to sow using obfuscation, debugger and sandbox detection, multi-layered software packers and advanced stealth mechanisms.
On day 3 the class will get intense with reverse engineering challenges that stem from compilers rather than obfuscation. I have seen entire analyst teams shudder at the prospect of having to prove the benignness of a reasonably big Delphi executable. But fear not, there are techniques that allow us to understand even the strangest products of a given build chain. This module includes Go and Rust malware, the newest additions to the pantheon of binary oddities.
Finally, on day 4 students will learn the world of exploit analysis, targeted malware, and rootkits. What do we do if all we have is a piece of shellcode, or only a piece of the puzzle in the case of modular malware? Targeted malware is sophisticated in its own right, typically less packed and obfuscated, more stealthy, and complex in its goal and purpose. We'll also shine a light on the role of rootkits these days, and how to tackle them as a reverse engineer. Finally, the class wraps up with an analysis automation chapter, showing the power of analysis tool scripting.
Marion Marschalek is an independent security consultant and trainer with her consulting company Hack & Cheese. Prior to that she held senior positions at AWS and Intel, and different roles in the threat detection industry, as a malware reverse engineer and incident responder. Marschalek is a frequent speaker at major security conferences, including Black Hat, Defcon, HITB, RSA, and SyScan, among others. She used to teach reverse engineering classes at University of Applied Sciences St. Poelten, from where she graduated in 2011 with a Master's Degree in Information Security. In 2015 she started a hacker bootcamp for women titled BlackHoodie, which over the years established itself as a global initiative to attract more diverse talent to the security industry. In her spare time she enjoys long distance running.