Reverse Engineering for Red Teamers

Course Synopsis

A hands-on, two-day course that turns assembly and binaries from a wall of hex into an operational advantage for offensive teams. Ten modules take you from reading x64 assembly through .NET/CIL, the PE format, Windows internals, malware structure, EDR internals, and vulnerability research - finishing with a full-chain capstone on a live target.

You work in IDA, dnSpy, x64dbg, NetHook, and Charles Proxy throughout. Every module opens with objectives and closes with hands-on exercises followed by detailed solution walkthroughs.

Day 1 - Foundations

Module 01

Introduction to Assembly

x64 Registers and the CPU Model

  • 16 general-purpose registers: RAX through R15, addressable at 64/32/16/8-bit widths
  • RIP as the instruction pointer; RSP as the stack pointer
  • CPU flags: ZF, SF, CF, OF and what they drive (branches, conditional moves)
  • Volatile vs non-volatile registers and what the calling convention requires

The Stack and Calling Conventions

  • x86 cdecl/stdcall and thiscall vs x64: RCX, RDX, R8, R9 and shadow space
  • Function prologue and epilogue: push RBP, frame setup, sub RSP
  • Reading locals at negative RBP offsets and stack arguments at positive offsets
  • Frameless (RSP-relative) optimized code

Core Instructions and Control Flow

  • Data movement: mov, lea, movzx, movsx
  • Arithmetic and logic: add, sub, imul, xor, shl/shr
  • cmp and test; the signed vs unsigned Jcc family
  • Switch tables vs CMP chains; struct member access patterns; C++ vtable dispatch

Reading Code in IDA

  • Text view vs graph view; cross-references and call graphs
  • Renaming variables and functions as you build understanding
  • F5 pseudo-C decompiler and when to distrust it
  • Compiler optimizations, anti-disassembly tricks, and recognizing crypto/encoding loops

Module 02

.NET and CIL

The CLR Execution Model

  • Managed vs native: how the CLR loads assemblies and JITs CIL to native code
  • Assembly metadata, tokens, and the evaluation-stack machine model
  • Mapping C# source to IL opcodes and then to JIT-compiled x64
  • The managed/native interop boundary and P/Invoke

Reversing .NET in dnSpy

  • Navigating assemblies, types, and methods in dnSpy
  • Reading CIL: ldarg, ldloc, call, callvirt, newobj, and friends
  • Seeing the JIT-compiled native code alongside managed IL
  • Patching .NET binaries and rebuilding assemblies

Obfuscation and Recovery

  • String obfuscation patterns: recognizing and scripting a decrypt
  • de4dot: automated .NET deobfuscation and its limits
  • Reflection and late binding: how obfuscators use Type.GetMethod
  • Finding and extracting crypto keys embedded in managed code

Module 03

The Tooling

Static Analysis

  • IDA Free/Pro: layout, import/export triage, initial binary triage
  • IDA decompiler: using F5 effectively and recognizing its failures
  • dnSpy for managed .NET targets
  • Choosing the right disassembler for the target

Live Debugging

  • x64dbg: layout, plugins, attaching to running processes
  • Conditional breakpoints, logging breakpoints, and execution tracing
  • WinDbg for kernel-mode targets and symbol server setup
  • Frida for dynamic instrumentation and protocol reverse engineering

Traffic Interception

  • NetHook: hooking application calls before encryption to capture plaintext traffic
  • Charles Proxy: TLS interception and certificate pinning bypass
  • When to intercept vs when to read the binary directly

Scripting and Automation

  • IDAPython: automating repetitive analysis and renaming at scale
  • Detecting all crypto routine call sites with a script
  • x64dbg scripting for automated breakpoint-based extraction

Module 04

PE and MZ File Format

Headers and Structure

  • MZ/DOS header and the e_lfanew pointer to NT headers
  • IMAGE_FILE_HEADER: machine type, section count, characteristics
  • IMAGE_OPTIONAL_HEADER: image base, entry point, size of image, data directories
  • Section headers: virtual address, raw offset, characteristics (executable, writable, readable)
  • RVA to file offset translation

Export Table

  • IMAGE_EXPORT_DIRECTORY: the three parallel arrays (EAT, ENT, EOT)
  • Export by name, by ordinal, and forwarder exports
  • Manual export resolution in code; walking the EAT without GetProcAddress
  • ApiSet redirection and what api-ms-win-* DLLs actually resolve to

Import Table

  • IMAGE_IMPORT_DESCRIPTOR chain per imported DLL
  • ILT vs IAT: what the loader overwrites at load time
  • Import by name (IMAGE_IMPORT_BY_NAME) vs import by ordinal
  • Walking a live process IAT with iat_dumper.exe

Other Data Directories

  • Exception directory (.pdata): RUNTIME_FUNCTION and unwind info for x64 SEH
  • TLS directory: TLS callbacks and their use as early execution hooks
  • Base relocation directory: how ASLR is implemented at the format level

Module 05

Reversing Thick Clients and Protocols

MS-TDS and SQL Server

  • PRELOGIN and LOGIN7 handshake structure
  • The LOGIN7 password obfuscation algorithm: XOR-based encoding, step by step
  • TLS inside TDS and why a MITM approach still works in most deployments
  • Decoding captured TDS traffic to recover credentials

Windows Authentication

  • NTLM: NEGOTIATE, CHALLENGE, AUTHENTICATE - the three-message handshake
  • NTLMv1 vs NTLMv2 response computation
  • Capturing NetNTLMv2 hashes and cracking them offline
  • NTLM relay: why the protocol allows it and how operators exploit it
  • SMB2/3: protocol structure, signing, and encryption

RPC and Named Pipes

  • MS-RPC/DCERPC: binding handles, authentication, and opnum dispatch
  • MIDL and NDR: reading auto-generated stubs in IDA
  • Named pipe transport (ncacn_np) and IPC$ shares
  • High-value RPC interfaces and how to enumerate them
  • Kerberos on the wire: ticket structure and interception points

Extracting Embedded Secrets

  • Connection strings and hard-coded credentials in .NET assemblies
  • Secrets in native binaries: string search, entropy analysis, configuration parsing
  • Combining traffic interception with binary analysis to recover plaintext keys

Module 06

Windows Internals

The DLL Ecosystem and Syscall Boundary

  • DLL loading, forwarded exports, and ApiSet redirection (kernel32 to kernelbase)
  • User/kernel transition: ntdll Nt/Zw stubs, the System Service Number (SSN), and KiSystemCall64
  • SSDT (KeServiceDescriptorTable) and mapping SSNs to kernel functions
  • Privileged CPU structures: CR0/CR3/CR4, MSRs, IDT, GDT, and SWAPGS

PEB, TEB, and Key Structures

  • PEB.Ldr: LDR_DATA_TABLE_ENTRY, module list traversal for shellcode API resolution
  • Walking the EAT without GetProcAddress - the shellcode pattern in full
  • PEB anti-debug: NtGlobalFlag and heap flags
  • TEB: per-thread state, x86 SEH vs x64 table-based exception handling, TLS slots
  • VAD tree, token privileges, and object manager handles

COM and RPC Interfaces

  • COM: CLSID, IID, IUnknown, and how virtual method dispatch looks in IDA
  • Enumerating COM servers and finding exposed methods via type libraries
  • RPC: transports, interface binding, and reading RPC stubs in IDA

ETW and Embedded Detection

  • ETW architecture: providers, sessions, and consumers
  • The classic EtwEventWrite patch point and how it works
  • AMSI integration and its interception surface
  • Where Microsoft embeds telemetry in ntdll and ntoskrnl

Day 2 - Offense, Defense & Research

Module 07

Reversing Malware

Sample Structure and Triage

  • Typical dropper/packer/loader/payload stage architecture
  • Static triage workflow: file type, strings, imports, entropy, packing indicators
  • Dynamic analysis and unpacking overview
  • Safe lab handling and isolated execution environment setup

Obfuscation and Encryption

  • String obfuscation patterns and recognizing them in disassembly
  • Identifying RC4 from its key-scheduling and XOR loop shape
  • API hashing: recognizing the hash-compare dispatch pattern
  • Deobfuscation strategies and scripting decryption in IDAPython

Anti-Analysis Techniques

  • Debugger detection: IsDebuggerPresent, NtQueryInformationProcess, PEB flags
  • Timing attacks, exception-based checks, and heap flag detection
  • Anti-VM: CPUID feature checks and hardware artifact enumeration
  • Bypassing each technique in a debugger

Injection and Loading Patterns

  • Process hollowing and DLL injection via CreateRemoteThread
  • Reflective DLL injection: the self-loading PE technique
  • Position-independent shellcode patterns and Heaven's Gate (32-to-64-bit transition)
  • Manual unpacking: ESP hardware breakpoint and OEP hunting

Module 08

Reversing EDR

EDR Sensor Architecture

  • Four telemetry layers: user-mode inline hooks, kernel callbacks, minifilters, ETW
  • How EDR products combine these layers and what each one sees
  • Kernel structures: PspCreateProcessNotifyRoutine[], ETW_REG_ENTRY
  • ELAM (Early Launch Anti-Malware) and its role in driver load ordering

User-Mode Hooks

  • Inline hook mechanics: the 5-byte JMP and its variants
  • Detecting and enumerating hooks with hook_finder.c
  • Unhooking techniques and direct syscalls
  • Why direct syscalls alone are not enough when ETW-TI is present

Kernel Callbacks and Minifilters

  • PsSetCreateProcessNotifyRoutineEx: process creation telemetry
  • ObRegisterCallbacks: handle access control and interception
  • PsSetLoadImageNotifyRoutine: DLL and driver load events
  • Minifilters: IRP interception for file and volume I/O
  • Reading a kernel driver in IDA and identifying its callback registrations

ETW Internals and ETW-TI

  • ETW from EtwEventWrite through the kernel to the consumer
  • ETW-TI: kernel-enforced threat-intelligence logging and why it matters
  • Key security ETW providers and what each one exposes
  • Collecting and analyzing ETW events with etw_collector.c
  • Monitoring call stacks at runtime with callstack_monitor.c

Module 09

Reversing for Research

Attack Surface and Unsafe Functions

  • Mapping attack surface categories: network input, file parsing, IPC, IOCTL
  • Known-unsafe functions: strcpy, sprintf, memcpy with attacker-controlled lengths
  • Tracing attacker-controlled input to dangerous sinks through a call graph

Memory Safety Bug Patterns

  • Stack buffer overflow: recognizing insufficient bounds checks from assembly
  • Format string bugs: printf(user_input) and the %n write primitive
  • Integer and signedness bugs: signed/unsigned mismatch, truncation, wraparound
  • Use-after-free and double-free patterns in assembly
  • Finding subtle bugs that survive a naive bounds check

IOCTL Interface Analysis

  • CTL_CODE macro: device type, function code, transfer method, access bits
  • Transfer methods: METHOD_BUFFERED, METHOD_IN/OUT_DIRECT, METHOD_NEITHER
  • IO_STACK_LOCATION: what the driver reads from the IRP
  • Reversing IOCTL dispatch handlers in IDA; IOCTL vulnerability patterns
  • Driver models: WDM vs KMDF and how the dispatch table differs
  • Tracing IOCTL call chains in WinDbg with kernel symbols

Crash Triage and Recognition

  • Reading a crash dump to identify the faulting instruction and controlled registers
  • Stack walk internals: RtlCaptureStackBackTrace and StackWalk64
  • Distinguishing exploitable from non-exploitable crashes

Module 10

Capstone: Full-Chain Challenge

Scenario: The TrueBank Client

  • One target, every skill - a thick-client banking application end to end
  • Work through five checkpoints: recon and triage, login decode, secret recovery, EDR hook mapping, and vulnerability discovery
  • Brings together assembly reading, tooling, protocol decoding, Windows internals, malware tradecraft, EDR awareness, and bug hunting against a single target

Assembly-Level Bug Hunting

  • Compiler patterns that hide bugs: inlined checks, optimized comparisons, strength reduction
  • Identifying stack vs heap allocations in disassembly
  • Heap overflow via attacker-controlled length field
  • Chaining findings: how individual observations combine into a working attack path