WarfaRE - Offensive Reverse Engineering

Pedram Amini and Ero Carrera

[ course cancelled: return to list ]


Understanding the inner workings of advanced malware goes beyond simply reverse engineering it. Thinking like the attacker helps in anticipating future techniques. The foundation of the course lies on building better defenses through an offensive mindset. Malware authors and attackers have the leading edge by being able to research and spend time developing their creations, often the defending side has no other option than to deal with it in a reactive manner. Learning how the game is played by both sides will give you the knowledge to anticipate the attacker's moves.

In order to be proactive we no longer can sit and wait to see what's coming, we have to be ready and how malware is developed and get our hands dirty doing it, then we will get the full picture.

What you will learn:

This course was designed for students who have an good understanding of x86 assembly and reverse engineering as well as more advanced students wishing to refresh their skills and learn new approaches to familiar problems. The course will cover Windows internals (user and kernel mode), tools of the trade (such as IDA Pro, OllyDbg, WinDBG), exploitation methodologies and the techniques used by advanced malware in a Windows platform. As this course is focused on understanding and developing potential malicious code, students might have to deal with real-world virus samples. The details of executable packing, obfuscation methods, anti-debugging, anti-disassembling and how protection tools are avoided will be revealed and reenforced with hands-on exercises.

Course structure:

The course is aimed not simply at understanding the ideas but also at developing practical implementations of the techniques discussed. A majority of the time in the course will be spent, compiling, disassembling and tinkering with the different tools and examples.

How the Course is Run:

This course is by no means a two-day lecture. Instead, you will be engaged in a number of individual and group hands-on exercises to reinforce and solidify everything that is taught in the class. Some of the exercises are held in a competitive nature, followed by class discussion to pin point elegant approaches and solutions that various individuals or groups may have used. Despite the fact that the course is held in Vegas, take home exercises will be available for the type-A personalities attending the course.

Who Should Attend

If you:

  • Are interested in the field of reverse engineering, malware analysis and tool development
  • Want to learn how some of nowadays threats work and be able to implement some of the techniques on your own creations
  • Want to discuss cutting edge technologies, techniques and ideas, or simply want to impress your friends...
  • Want to learn what's going on deep inside the Windows Operating System

then this class is for you.

Learning Environment:

Aside from direct class materials, slides and hands-on exercises, students will have many opportunities to engage in one-on-one questions with instructors. Furthermore, students will be divided into groups by experience to foster student-student knowledge transfer as well.


Prospective students should be comfortable operating Microsoft Windows, have a good understanding of x86 assembly, high level programming and OS concepts. The students will be expected to compile code and be able to follow it with a disassembler.

Course Length:

Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.


Pedram Amini currently leads the security research and product security assessment team at TippingPoint, a division of 3Com. Previous to TippingPoint, he was the assistant director and one of the founding members of iDEFENSE Labs. Despite the fancy titles he spends much of his time in the shoes of a reverse engineer- developing automation tools, plug-ins and scripts for software like IDA Pro and OllyDbg.

In conjunction with his passion for the field, he launched OpenRCE.org, a community website dedicated to the art and science of reverse engineering. He has previously presented at DEFCON, RECon, ToorCon and taught a sold out reverse engineering course at Black Hat US 2005. Pedram holds a computer science degree from Tulane University.

Ero Carrera is currently a reverse engineering automation researcher at SABRE Security, home of BinDiff and BinNavi. Ero has previously spent several years as a Virus Researcher at F-Secure where his main duties ranged from reverse engineering of malware to research in analysis automation methods. Prior to F-Secure, he was involved in miscellaneous research and development projects and always had a passion for mathematics, reverse engineering and computer security.

While at F-Secure he advanced the field of malware classification introducing a joint paper with Gergely Erdelyi on applying genomic methods to binary structural classification. Other projects he's worked on include seminal research on generic unpacking.

Additionally, Ero is a habitual lurker on OpenRCE and has contributed to miscellaneous reverse engineering

Register Button

Super Early:
Ends Feb 1

Ends Mar 1

Ends Apr 1

Ends Apr 11