The Program

Reverse Engineering Malware: Essential Skills

Spend 8 weeks with Anuj Soni building a hands-on, technical understanding of how attackers execute on Windows so you can validate alerts, assess threat reporting, and turn analysis into action.

Duration
8 weeks
Format
Live cohort
Dates
Sep 3 – Oct 22, 2026
Thursdays · 9am ET
Investment
$2,000
Curriculum

01

Intro & Initial Examination (Static File Analysis)

In this session, we focus on first contact with a sample, before execution. You’ll learn how to identify PE file characteristics, extract and interpret strings, review imports to infer likely capabilities, spot common signs of packing or multi-stage loaders, and begin documenting observations using a structured workflow. By the end of this session, students should be able to look at a sample and say “Here’s what stands out, here’s what I think is happening, and here’s what I’d check next.”
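The first-contact checks listed above, as an added example that is not part of the course materials: a Python script that reads the PE headers, walks the section table and the import directory, extracts strings and flags the usual packing indicators. It is written directly against the PE/COFF layout rather than a library such as pefile so that every field it relies on is visible. The sample it parses is constructed inline; its section names, the two kernel32 imports, the strings and the 7.0 entropy threshold are illustrative assumptions, not values taken from the course.

```python
# Added example, not the course's own tooling: first-look static triage of a PE image that
# records machine, flags, sections with entropy, the import table, strings and packing hints.
import math
import re
import struct
from collections import Counter

MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
# IMAGE_FILE_* and IMAGE_SCN_* flag values from the PE/COFF specification
FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x2000: "DLL", 0x0020: "LARGE_ADDRESS_AWARE"}
SCN_FLAGS = {0x20: "CODE", 0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted content sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs, as a strings-style pass would report them."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def rva_to_offset(rva: int, sections: list) -> int:
    """Map a relative virtual address to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def read_cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")

def parse_imports(data: bytes, sections: list, dir_rva: int, is_64: bool) -> dict:
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and each thunk list: {dll: [function, ...]}."""
    imports, off = {}, None if dir_rva == 0 else rva_to_offset(dir_rva, sections)
    thunk_fmt, thunk_size, ordinal_bit = ("<Q", 8, 1 << 63) if is_64 else ("<I", 4, 1 << 31)
    while off is not None:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:  # the all-zero descriptor terminates the array
            break
        names, toff = [], rva_to_offset(oft or ft, sections)
        while (thunk := struct.unpack_from(thunk_fmt, data, toff)[0]) != 0:
            if thunk & ordinal_bit:
                names.append(f"ordinal#{thunk & 0xFFFF}")
            else:  # RVA of IMAGE_IMPORT_BY_NAME: 2-byte hint, then the function name
                names.append(read_cstr(data, rva_to_offset(thunk, sections) + 2))
            toff += thunk_size
        imports[read_cstr(data, rva_to_offset(name_rva, sections))] = names
        off += 20
    return imports

def triage(data: bytes) -> dict:
    """Collect what an analyst records about a sample before ever executing it."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    is_64 = struct.unpack_from("<H", data, opt_off)[0] == 0x20B  # PE32+ magic
    dd_rel = (112 if is_64 else 96) + 8  # DataDirectory[1] = import table (array at +112 / +96)
    import_rva = struct.unpack_from("<I", data, opt_off + dd_rel)[0] if opt_size >= dd_rel + 8 else 0
    sections, hints = [], []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + i * 40)
        sec = {"name": name.rstrip(b"\x00").decode(), "va": va, "vsize": vsize, "rawsize": rawsize,
               "rawptr": rawptr, "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 2),
               "flags": [n for b, n in SCN_FLAGS.items() if sflags & b]}
        sections.append(sec)
        if sec["entropy"] > 7.0:  # threshold commonly used as a packing/encryption hint
            hints.append(f"{sec['name']}: entropy {sec['entropy']} suggests packed or encrypted content")
        if "WRITE" in sec["flags"] and "EXECUTE" in sec["flags"]:
            hints.append(f"{sec['name']}: writable and executable section, typical of packer stubs")
    imports = parse_imports(data, sections, import_rva, is_64)
    if sum(len(v) for v in imports.values()) < 5:  # heuristic: APIs probably resolved at runtime
        hints.append("tiny import table: capabilities are likely resolved dynamically")
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": is_64, "timestamp": stamp,
            "characteristics": [n for b, n in FILE_FLAGS.items() if chars & b],
            "sections": sections, "imports": imports, "strings": extract_strings(data), "hints": hints}

def build_sample() -> bytes:
    """Constructed PE32+ image, not real malware: strings in .text, a uniform-byte W+X section, 2 imports."""
    idata_rva = 0x3000  # .idata layout: descriptor(20) + terminator(20) + 3 thunks(24) + names
    idata = (struct.pack("<IIIII", idata_rva + 40, 0, 0, idata_rva + 93, idata_rva + 40) + bytes(20)
             + struct.pack("<QQQ", idata_rva + 64, idata_rva + 79, 0)
             + b"\x00\x00VirtualAlloc\x00" + b"\x00\x00CreateFileW\x00" + b"KERNEL32.dll\x00")
    text = b"\x00".join([b"kernel32.dll", b"C:\\Users\\Public\\report.tmp", b"http://example.invalid/update"])
    blob = bytes(range(256)) * 4  # every byte value equally often stands in for compressed data
    def sec_hdr(name, va, rawptr, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, rawptr, 0, 0, 0, 0, flags)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5F000000, 0, 0, 240, 0x0022)
    opt = (b"\x0b\x02" + bytes(118) + struct.pack("<II", idata_rva, 40)).ljust(240, b"\x00")
    headers = (dos + b"PE\x00\x00" + coff + opt
               + sec_hdr(b".text", 0x1000, 0x200, 512, 0x60000020)
               + sec_hdr(b".packed", 0x2000, 0x400, 1024, 0xE0000020)
               + sec_hdr(b".idata", idata_rva, 0x800, 512, 0x40000040)).ljust(512, b"\x00")
    return headers + text.ljust(512, b"\x00") + blob + idata.ljust(512, b"\x00")
```

Calling `triage(build_sample())` returns the report as a dictionary; the `hints` list is where the "here's what I'd check next" items come from. On the constructed sample it flags the 8.0-entropy section, the section that is both writable and executable, and the two-entry import table, which together say "expect an unpacking stage and runtime API resolution" before the sample has run. Every hint is a heuristic: a legitimately compressed resource also scores high on entropy, and a tiny program also has few imports, so the hints feed a hypothesis to test in later sessions rather than a verdict.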

02

Malware in Action (Behavioral Analysis)

This session moves from theory to execution. You’ll safely run malware in a controlled lab, observe process interactions, identify filesystem artifacts, and analyze network activity. You’ll learn how to separate meaningful behavior from noise and turn overwhelming telemetry into actionable analysis notes.
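One way to separate behaviour from noise, as an added example rather than tooling from the course: a Python script that reduces process-monitor telemetry to the artifacts worth writing down. It assumes the column layout of a Procmon CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the rows it processes are constructed below, and the noise lists are illustrative starting points an analyst would grow over time, not a definitive set.

```python
# Added example, not the course's own tooling: reduce Procmon-style telemetry (constructed
# rows below) to the sample's own artifacts, keeping only events from its process tree.
import csv
import io
import re
from collections import defaultdict

NOISE_OPS = {"CloseFile", "RegCloseKey", "RegOpenKey", "RegQueryValue",
             "QueryBasicInformationFile", "QueryNameInformationFile", "Thread Exit"}
NOISE_PREFIXES = ("C:\\Windows\\System32\\", "C:\\Windows\\Prefetch\\",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\")  # OS housekeeping and DLL loads
CATEGORIES = {"CreateFile": "files_touched", "WriteFile": "files_written",
              "RegSetValue": "registry_written", "TCP Connect": "network",
              "UDP Send": "network", "Process Create": "processes_spawned"}

def process_tree(rows: list, root_pid: int) -> set:
    """PIDs that belong to the sample: the root plus every descendant announced by a
    Process Create event (rows are chronological, so a parent always precedes its child)."""
    pids = {root_pid}
    for r in rows:
        if r["Operation"] == "Process Create" and int(r["PID"]) in pids:
            child = re.search(r"PID: (\d+)", r["Detail"])
            if child:
                pids.add(int(child.group(1)))
    return pids

def summarize(csv_text: str, root_pid: int) -> dict:
    """Group the sample's meaningful events by artifact type; failed attempts are kept
    separately because an ACCESS DENIED often says as much as a success."""
    rows = list(csv.DictReader(io.StringIO(csv_text.strip())))
    pids = process_tree(rows, root_pid)
    out = defaultdict(set)
    for r in rows:
        if int(r["PID"]) not in pids or r["Operation"] in NOISE_OPS:
            continue
        if r["Operation"] != "Process Create" and r["Path"].startswith(NOISE_PREFIXES):
            continue  # a child launched from System32 matters; a DLL mapped from there does not
        if r["Result"] != "SUCCESS":
            out["failed"].add(f"{r['Operation']} {r['Path']} -> {r['Result']}")
        elif r["Operation"] in CATEGORIES:
            out[CATEGORIES[r["Operation"]]].add(r["Path"])
    return {k: sorted(v) for k, v in out.items()}

# Constructed rows in the column layout of a Procmon CSV export; nothing here was captured
SAMPLE_LOG = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:00:01,sample.exe,4100,CreateFile,C:\Windows\System32\kernel32.dll,SUCCESS,Desired Access: Read
10:00:01,sample.exe,4100,RegOpenKey,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion,SUCCESS,
10:00:02,sample.exe,4100,CreateFile,C:\Users\analyst\AppData\Roaming\svc\upd.dat,SUCCESS,Desired Access: Generic Write
10:00:02,sample.exe,4100,WriteFile,C:\Users\analyst\AppData\Roaming\svc\upd.dat,SUCCESS,Length: 2048
10:00:02,sample.exe,4100,CloseFile,C:\Users\analyst\AppData\Roaming\svc\upd.dat,SUCCESS,
10:00:03,sample.exe,4100,RegSetValue,HKCU\Software\svc\Config,SUCCESS,Type: REG_BINARY
10:00:03,sample.exe,4100,Process Create,C:\Windows\System32\cmd.exe,SUCCESS,"PID: 4188, Command line: cmd.exe /c ping 127.0.0.1"
10:00:04,cmd.exe,4188,TCP Connect,10.0.0.5:49731 -> 203.0.113.7:443,SUCCESS,
10:00:04,explorer.exe,1520,CreateFile,C:\Users\analyst\Desktop,SUCCESS,
10:00:05,sample.exe,4100,CreateFile,C:\Users\analyst\Documents\report.docx,ACCESS DENIED,Desired Access: Generic Write
10:00:05,svchost.exe,880,RegSetValue,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time,SUCCESS,
"""
```

`summarize(SAMPLE_LOG, 4100)` keeps six of the eleven rows and groups them into files touched and written, a registry value set, a child process, a network connection made by that child, and one denied file open. The design choice that matters is following the process tree: the TCP connection is made by `cmd.exe`, not by `sample.exe`, and a filter keyed on the sample's name alone would have dropped it.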

03

Static Code Analysis (Pseudocode)

This session introduces code analysis with Binary Ninja’s decompiler and high-level views so you can understand malware logic without getting lost in assembly. You’ll learn how to navigate unfamiliar code, pivot from strings and APIs into suspicious functions, follow control flow and decision points, recognize common Windows API usage patterns, and document your findings as analysis progresses. The focus is on building an analyst’s decision-making process so you can prioritize execution paths and avoid unnecessary deep dives into low-level assembly.

04

Static Code Analysis (Disassembly)

This session builds on the previous code analysis module by dropping down to disassembly to validate decompiled logic and understand malware behavior at the instruction level. You’ll learn how to read and interpret x86 and x64 assembly in Binary Ninja, follow control flow and conditional jumps, recognize function boundaries and calling conventions, and understand how data moves through registers, the stack, and memory. The focus is on connecting low-level instruction patterns back to higher-level malware behavior so you can validate earlier conclusions, accurately locate functionality, and understand how the malware actually executes at runtime.

05

Dynamic Code Analysis

This session introduces live debugging with x64dbg to observe malware behavior at runtime. You’ll learn how to set meaningful breakpoints, inspect registers, memory, the stack, function arguments, and return values, and step through execution to understand how decisions are made during runtime. You’ll also observe how packed malware transitions during execution and learn how to unpack samples once their real payloads are revealed in memory through the debugger.

06

Code Deobfuscation and Multi-Stage Execution

This session builds on your debugging foundation by focusing on how to recover and analyze malicious code that is hidden, injected, or generated at runtime. You’ll learn how to deobfuscate additional execution stages such as PE files and shellcode, identify memory allocation and permission changes associated with unpacking and injection, capture malicious code as it is written into memory, and debug DLL-based malware. You’ll also use emulation to quickly analyze extracted payloads and shellcode so you can recover the real code behind multi-stage malware and uncover the malware’s true behavior.

07

Data Deobfuscation

This session shifts focus from executable code to the hidden data that drives malware behavior, including obfuscated strings and configuration data. You’ll learn how to identify common data obfuscation techniques, locate encoded data in code and memory, and extract decoded content at runtime. By the end of the session, you’ll be able to uncover the hidden data that reveals the functionality attackers attempted to hide.
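The simplest form of the data recovery described above, as an added example that is not the course's code: a known-plaintext sweep in Python, the idea behind tools such as XORSearch, that decodes a blob under every single-byte XOR key and keeps the decoded runs containing a substring an analyst expects to find in configuration data. The marker list and the blob are constructed assumptions for the example; the same loop extends to longer keys by iterating over key bytes per position.

```python
# Added example, not the course's own code: a known-plaintext sweep that recovers
# single-byte-XOR-obfuscated strings from a constructed blob.
import re

# Substrings an analyst expects somewhere in configuration data (assumed for the example)
MARKERS = (b"http", b"C:\\", b".exe", b".dll")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_xor_strings(blob: bytes, markers=MARKERS) -> list:
    """Decode the blob under every single-byte key and keep printable runs that contain a
    marker. Returns sorted (offset, key, text) tuples; key 0 means the text was never encoded."""
    hits = set()
    for key in range(256):
        for m in PRINTABLE_RUN.finditer(xor_bytes(blob, key)):
            if any(mk in m.group() for mk in markers):
                hits.add((m.start(), key, m.group().decode()))
    return sorted(hits)

def build_blob(key: int = 0x5A) -> bytes:
    """Constructed sample: one clear-text string, then two NUL-terminated strings XORed with
    `key`, surrounded by filler bytes that stay unprintable under both keys of interest."""
    secret = [b"https://example.invalid/gate.php", b"C:\\ProgramData\\update.log"]
    encoded = b"".join(xor_bytes(s + b"\x00", key) for s in secret)
    return (b"MZ" + b"\x90" * 16 + b"http://example.invalid/plain\x00"
            + b"\xda" * 24 + encoded + b"\xff" * 16)
```

`find_xor_strings(build_blob())` reports the clear-text URL under key 0 and the two hidden strings under key 0x5A, each with its offset in the blob, which is what you need next: the offset points at the data to watch in the debugger and the key identifies the routine that decodes it at runtime. Keying the sweep on markers rather than on "looks printable" is what keeps false positives down; a wrong key still produces printable garbage from real text, but it almost never produces a specific substring.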

08

Evasive Techniques and Anti-Analysis

This session focuses on recognizing when malware alters its behavior to avoid analysis and learning practical ways to safely work around those obstacles. You’ll learn how to identify common anti-debugging and anti-analysis techniques, understand how malware detects debuggers and analysis environments, safely bypass or neutralize evasive logic through methods such as patching, and avoid false conclusions caused by incomplete execution. By the end of the session, you’ll be able to recognize and account for evasion techniques so the behavior you observe more accurately reflects how the malware operates in real-world environments.

Who it's for

Ideal student profile

  • SOC analysts who want to move beyond alerts and understand what's actually executing
  • Threat hunters and intelligence analysts who need to validate technical claims and reporting
  • DFIR specialists building deeper code analysis skills
  • Cybersecurity professionals who are serious about understanding code execution on Windows

Outcomes

What success looks like

  • A repeatable static + dynamic analysis workflow you trust
  • Confidence opening an unfamiliar sample without freezing
  • The ability to form, test, and refine hypotheses about program behavior
  • Comfort navigating disassembly, pseudocode, and debugger output
  • The ability to explain what malware does, and support your conclusions with evidence
  • A portfolio of completed analyses you can confidently discuss in interviews
  • The vocabulary to communicate findings to engineering teams, leadership, and customers

Ready to start?

Applications take under 5 minutes. Cohorts are capped to keep feedback personal.

Apply now