Reverse Engineering Malware III

This intensive 3-day course equips cybersecurity professionals with the practical skills to dissect Windows malware and understand the internals of executable binaries. Through hands-on labs and real-world case studies, participants will deconstruct the Portable Executable (PE) format, analyze the internal mechanisms of the Windows operating system, and explore how modern ransomware operates at a binary level.

Using live samples of Cactus and LockBit 3.0, students will trace malware behavior, unravel execution flows, and extract tactics, techniques, and procedures (TTPs) from packed and obfuscated binaries. The course bridges theory and practice by exploring how system APIs, memory management, and persistence techniques are abused.

Participants will work with professional-grade tooling, including IDA Pro, Ghidra, x64dbg, PE-Bear, Detect It Easy, and much more. Emphasis is placed on unpacking techniques, API resolution, string decryption, and code flow recovery. By the end of the course, students will not only understand how malware works but also how the OS responds internally, forming a deep, OS-level perspective essential for analysts, threat hunters, and reverse engineers alike.

Course curriculum

    1. REM 3 Day 1 Part I

    2. REM 3 Day 1 Part II

    3. REM 3 Day 2 Part I

    4. REM 3 Day 2 Part II

    5. REM 3 Day 3 Part I

    6. REM 3 Day 3 Part II

About this course

  • 6 lessons
  • 8.5 hours of video content

Requirements

While not mandatory, it is recommended that participants have the following tools installed to fully engage with the hands-on exercises:

  • Windows Flare VM

These tools will enhance your ability to work effectively with the course materials and practical exercises.