Advanced Techniques for Reverse Engineering Windows Malware

Josh Stroschein
In-Person Training | August 3 - 6 | 4 days


Advanced Techniques for Reverse Engineering Windows Malware

Josh Stroschein

Book Now

This hands-on course equips security professionals with the advanced techniques needed to reverse engineer complex Windows malware using industry-standard tools. Learn to bypass obfuscation, analyze hidden functionalities, and generate actionable threat intelligence to protect your organization.


Advanced malware is actively evading detection. Malware authors are increasingly using obfuscation, packing, and other anti-analysis techniques to make their creations a complex maze for security analysts. Traditional security tools are falling short. These sophisticated threats can bypass even the most advanced security products, leaving your organization blind to potential breaches and attacks. In, Advanced Techniques for Reverse Engineering Windows Malware, gain the skills to dissect complex malware. Learn to identify and bypass obfuscation techniques, using industry-standard tools like IDA Pro and Ghidra. Develop strategies for static and dynamic analysis to uncover hidden functionalities and generate actionable threat intelligence. You will also learn how to identify and unravel prevalent packing techniques, anti-analysis techniques and other forms of obfuscation such as control-flow obfuscation and hiding string and API calls.

By the end of this course you will have the insight to understand and anticipate where malware authors will employ these techniques to disrupt your analysis and how to unravel their obfuscation. These skills ultimately allow you to generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.

This is a fast-paced course designed to take you deep into malware reverse engineering! Each day will end with comprehensive analysis activities and exercises to test and reaffirm key learning objectives. This course is designed to not just simply be 4 days of lecture, but an immersive and interactive learning experience full of hands-on exercises and labs!


This course will take students through key phases of malware operations, providing deep technical analysis and hands-on labs to gain experience detecting, analyzing and reverse engineering malware. This is an ideal course for security analysts, threat researchers, malware researchers and anyone tasked with defending an organization to get hands-on diving deep into malware.


  • Perform in-depth analysis on a wide variety of malicious artifacts, such as .NET and native code binaries.
  • Become proficient in utilizing reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques.
  • Learn how malware authors dynamically construct import tables for function calls
  • Gain a deeper understanding of binary file formats and how to analyze them to learn more about malware behavior (PE file format)
  • Leverage static and dynamic tools to develop a hybrid approach for effectively analyzing malware including assembly level debuggers, disassemblers, decompilers and sandboxes



Day 1: Binary Triage and Unraveling Initial Access Malware

  • Learn common delivery techniques and how to extract valuable information
  • Master core malware analysis tools and how to perform effective triage
  • Tackle .NET malware through decompilation and dynamic analysis

Day 2: Identifying Code Obfuscation

  • Identifying signs of packing and obfuscation in native code formats (PE files)
  • Developing strategies for detecting known and custom packers
  • Unpacking malware using reversing tools and debuggers
  • Reversing malware that uses AutoIt and Golang
  • Identifying anti-analysis techniques and developing mitigations
  • Process hollowing and other code injection techniques

Day 3: Reversing Shellcode and the PE File Format

  • Malware use of shellcode – extracting and analyzing
  • Digging deep into the PE file format
  • Dynamically constructing import tables and other methods for calling Windows APIs
  • Identifying string obfuscation through hashes, encryption and other techniques

Day 4: Unraveling Malware Capabilities

  • Identifying the use of cryptography
  • Finding malware configurations and creating config extractors
  • Identifying malware C2 patterns in network traffic
  • Tracing the use of Windows API calls
  • Handling advanced code protectors such as VMProtect


A laptop with the ability to run virtualization software such as VMWare or VirtualBox. Access to the system BIOS to enable virtualization, if disabled via the chipset. A laptop that the attendee is comfortable handling live malware on. Enough disk space to store at least a single 40 GB VM, although multiple VMs may be used.


Josh Stroschein is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. Josh is an accomplished trainer, providing training at places such as Ringzer0, BlackHat, Defcon, Toorcon, Hack-In-The-Box, Suricon, and other public and private venues. Josh is also an author on Pluralsight, where he publishes content around malware analysis, reverse engineering, and other security related topics.

View Josh's featured videos on reverse engineering and other related topics on his YouTube channel: