The FLARE Guide to Windows Internals and Advanced Reversing // Josh Stroschein, Jae Young Kim

Virtual | March 22-31 | 32 Hours


ABSTRACT

Developed by the FLARE team at Google Cloud Security, this immersive virtual training provides a comprehensive deep dive into the complex world of modern Windows malware. Drawing on years of frontline reverse engineering experience, the course moves beyond basic reverse engineering to target the sophisticated techniques adversaries use to evade detection. You will gain mastery of low-level Windows internals and advanced tradecraft by dissecting challenging samples that mirror real-world threats.

You will build hands-on expertise in key areas, replacing legacy workflows with Time Travel Debugging (TTD) to record and query execution traces. The curriculum covers the full spectrum of modern threats: analyzing multi-stage shellcode, defeating anti-disassembly and anti-debugging tricks, and dissecting EDR bypass techniques like process injection and indirect system calls. You will also deconstruct ransomware cryptography and master the complex art of reversing C++ and .NET binaries.

By the end of this course, you will possess a powerful toolkit for deconstructing malicious software. You will be able to defeat advanced obfuscation, reconstruct complex code flows, and extract critical intelligence using both manual and automated techniques.

INTENDED AUDIENCE

This course is ideal for security analysts, malware analysts and researchers, and blue-team defenders who need hands-on experience diving deep into malicious software in order to create and update detections.

KEY LEARNING OBJECTIVES

  • Mastering Cutting-Edge Evasion & Anti-Analysis: You'll not only understand how malware hides, but you'll master evasive process injection techniques and understand how indirect syscalls are used to bypass EDR, defeat modern anti-debugging tricks, and reconstruct multi-stage shellcode to uncover hidden payloads. You’ll gain a significant advantage in analyzing malware designed to resist detection and analysis.

  • Advanced Analysis with Specialized Tools & Techniques: You'll go beyond conventional reversing to tackle the hardest challenges in malware analysis. The course provides hands-on expertise with Time Travel Debugging (TTD) for efficient behavioral analysis, teaches you to reconstruct C++ and .NET binaries, and shows you how to dissect ransomware cryptography to extract critical information.

  • Building Custom Tools for Automated Analysis: This training isn't just about manual analysis; it's about efficiency and scale. You'll learn to automate complex tasks by leveraging C# scripting for .NET analysis and JavaScript extensions for TTD. This skill enables you to build your own custom tools to automatically defeat obfuscation and extract key intelligence, turning you into a more effective and productive analyst.

COURSE OUTLINE

Session 1

Class Introductions

  • Introduce Instructors
  • Course overview and Logistics

Unraveling Shellcode

  • Analyzing Position Independence in Shellcode
  • Defeating Code Decryption and Obfuscation
  • Tracing and Reconstructing Runtime Linking with the Process Environment Block (PEB) and PE File Export Directory
  • Unraveling Hashes to Determine Imports

LAB Reverse Engineering Multi-Stage Shellcode

  • Defeat Code Decryption
  • Reconstruct API Calls from Hashes
  • Determine Final Payload Capabilities

Mitigating Anti-Analysis Techniques

  • Understand Recursive Descent and Linear Sweep Algorithms
  • Recognizing How Malware Uses Timing Checks, Exception Handling, Memory Scanning and TLS Callbacks for Anti-Debugging
  • Fixing Control Flow With Manual Patching to Overcome Opaque Predicates and Other Anti-Disassembly Techniques

LAB Defeating Anti-Analysis

  • Bypass Anti-Debugging and Anti-Analysis Techniques
  • Reconstruct Code to Defeat Control Flow Obfuscation

Session 2

Leveraging Time Travel Debugging (TTD) for Malware Analysis

  • Understanding Key TTD Components and Capturing Traces
  • Analyzing Malware with the Debugger Object Model and LINQ
  • Automating TTD Analysis with JavaScript Extensions
  • Practical TTD: Techniques for Effectively Triaging Trace Files

LAB Harnessing TTD to Unravel Malware Obfuscation

  • Identifying Payloads from Process Hollowing in .NET Binaries
  • Automating Shellcode Downloader Analysis Through Scripting

Session 3

Advanced Evasion and Stealth Techniques

  • Investigating Process-Based Evasion
  • Understanding Asynchronous Procedure Calls and Early Bird Injection Techniques
  • Mastering System Calls in Windows and Avoiding Version Pinning
  • Uncovering Function Hook Evasion

LAB Unraveling Advanced Evasive Malware

  • Reverse Engineering and Reconstructing Process Injection
  • Analyzing Indirect System Call Evasion

Session 4

LAB Dissecting Ransomware Cryptography

  • Understanding Hybrid Cryptography: Symmetric and Asymmetric Encryption Models
  • Analyzing Cryptographic Algorithms and Libraries in Binaries
  • Case Studies: Deciphering the Cryptographic Implementations of Conti v2 and Babuk
  • Extracting Keys and Other Cryptographic Artifacts from Ransomware Binaries

LAB Reverse Engineering Ransomware Encryption

  • Analyze and Reverse Engineer the Encryption Scheme
  • Extract Key Material from a Ransomware Sample

Session 5

Reverse Engineering Modern C++ Binaries

  • Deconstruct C++ object-oriented principles
  • Perform virtual function table (VFT) analysis
  • Identify the use of the Standard Template Library (STL)

LAB Reconstructing a Modular C++ Backdoor

  • Identify and reconstruct C++ classes
  • Analyze class inheritance and polymorphism
  • Trace virtual function dispatch and program flow

Session 6

Deobfuscating .NET Malware

  • Understanding the .NET Framework and Common Malware Tactics
  • Deconstructing Obfuscated .NET Binaries
  • Reversing and Unpacking Multi-Assembly Malware
  • Automating Analysis with .NET Reflection and C# Scripting

LAB Defeating Protected .NET Malware

  • Defeating Control Flow Obfuscation and Unpacking a .NET Dropper
  • Analyzing Encrypted Payloads and Defeating Obfuscation
  • Automating String and Payload Decryption via C# Scripting

Knowledge Prerequisites

x86/x64 assembly: Students must be comfortable reading and debugging assembly.

Scripting proficiency (Python/JS): Some labs utilize scripting to augment analysis. Students must be able to write/debug Python (for Triton) and read JavaScript (for WinDbg). (Note: To ensure the class moves efficiently, we provide robust scaffolding/templates. Students focus on the logic, not boilerplate code.)

Familiarity with a disassembler (IDA Pro/Ghidra/Binary Ninja) and standard Windows internals (PE structure, Win32 API) is assumed.

System Requirements

A laptop with at least 6 GB of RAM, 50 GB of free hard disk space and the ability to run VirtualBox virtualization software. Newer M1, M2, and M3 Macs are not directly supported because of limitations in the virtualization technology available for them. An alternative cloud-based VM can be provided on demand.

Students will be provided with

Students will be provided with all course materials: slides, demo files, lab files and detailed lab solutions. Students will also receive a custom VM that can be used to complete all course exercises.

Laptops with Apple Silicon are NOT supported in this class. Please ensure that your laptop has an Intel or equivalent x86-64 processor.

YOUR INSTRUCTORS: Josh Stroschein and Jae Young Kim

Josh is an experienced malware analyst and reverse engineer with a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google Cloud (Mandiant), where he focuses on tackling the latest threats. He holds a Doctor of Science from Dakota State University. Josh is an accomplished trainer and a regular speaker at venues such as Ring Zero, BlackHat, Defcon, Toorcon, Hack-In-The-Box, Suricon, and other public and private events. He is also an author on Pluralsight, where he publishes content on malware analysis, reverse engineering, and other security-related topics.

Jae Young Kim is a Senior Reverse Engineer on Mandiant's FLARE Team, where he reverses malware and contributes to FLARE's automated analysis and binary similarity efforts. He is a seasoned instructor and a core contributor to FLARE's educational content development efforts. He holds a Bachelor's in Computer Science from Columbia University.

Cancellation Policy

60+ days before the event: 75% of fees refunded; 45-60 days before the event: 50% refunded; less than 45 days before the event: 0% refunded. Course changes are allowed up to 14 days before the event start (some restrictions apply). Attendee changes can be accommodated up to 14 days prior to the event.

Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.
SPRING:2026 // Virtual Training // March 22-31
