Malware Analysis and Development Course Trainsec

Malware Analysis and Development training

This hands-on workshop is designed to give cybersecurity professionals, malware researchers, reverse engineers, and low-level developers a rare opportunity to study malware from both sides: how it is analyzed in depth and how many of its underlying techniques are developed on Windows systems.

Over the course of 32+ hours, students will build practical skills across Windows internals, C/C++ development, x86/x64 fundamentals, reverse engineering, and malware-focused tradecraft. Instructors Pavel Yosifovich and Uriel Kosayev bring complementary expertise in Windows internals, malware research, reverse engineering, and low-level offensive and defensive security concepts.

Lifetime access: $890, or $150 x 6 installments

Trusted by 7,348 students and companies, including SentinelOne, Microsoft, Google, Mandiant, Intel, Cisco, Citibank, Alfa Bank, Malwarebytes, Proofpoint, and EPAM.

24+ hours of on-demand video

Assignments: in-class assignments

105+ articles and lessons

30+ downloadable resources

Cross-device: access on mobile and TV

Certification: certificate of completion

What you will learn in the course

Prerequisites:

Whether you’re an aspiring ethical hacker, a seasoned cybersecurity professional, a cybersecurity enthusiast, an IT professional, a red teamer, or a security researcher, this workshop offers a unique opportunity to go deep into the world of malware offensive techniques.

Malware Analysis and Development

Malware remains one of the most important subjects in modern cybersecurity because it sits at the intersection of operating system internals, offensive tradecraft, reverse engineering, and detection engineering. To properly understand malicious code, students need more than signatures or high-level indicators; they need to understand how malware executes, how it abuses Windows functionality, how it hides, and how its behaviour can be dissected methodically.


This course provides a comprehensive path into malware analysis and development, starting with the foundations that make deeper research possible. Students build the required understanding of Windows internals, native development, assembly, .NET, COM, and the Native API before moving into malware analysis workflows, unpacking, shellcode, macro-based threats, and real-world reverse engineering case studies such as Sunburst and DarkSide.

From practical lab setup and PE analysis to runtime unpacking, import reconstruction, and malware-inspired development techniques, this training helps students connect theory to real technical behaviour. Whether you’re focused on reverse engineering, threat research, detection development, or advancing your low-level Windows knowledge, this course provides the skills needed to understand malware beyond surface-level analysis.

TrainSec Trainers

Our trainers are seasoned industry insiders with a deep, practical understanding of cybersecurity research and development.

Uriel Kosayev
Security Researcher, Trainer & Speaker | Author of the books “Antivirus Bypass Techniques” and “Malware Analysis On Steroids”. Founder of TrainSec Academy.

A cybersecurity researcher and red teamer who works on both the offensive and defensive fronts. Author of the books “Antivirus Bypass Techniques” and “Malware Analysis On Steroids”, and an expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response.

Pavel Yosifovich
Developer, trainer, author and (sometimes) speaker. Founder of TrainSec academy.

25+ years as a software developer, trainer, consultant, author, and speaker. Co-author of “Windows Internals”. Author of “Windows Kernel Programming” and “Windows 10 System Programming”, as well as system and kernel programming courses on PentesterAcademy and the “Windows Internals” series of courses on Pluralsight.

Malware Analysis and Development Course Contents

Chapters included in this course

Introduction to Malware Analysis and Development

This opening module sets the direction for the course and introduces the relationship between malware analysis and malware development. Students are introduced to the mindset needed to study malware properly, including how malicious code behaves, how low-level Windows concepts support both analysis and development, and why these two perspectives are closely connected.

The module also frames the course as a technical, research-driven journey through Windows internals, reverse engineering, and malware-focused development. It prepares students for the deeper material that follows by establishing the purpose, scope, and overall approach of the training.

Module 1: Windows Internals Overview

This module gives students the core Windows knowledge needed for the rest of the course. It introduces the internal concepts that shape how software runs on Windows, including processes, threads, virtual memory, APIs, and the object model.

Students also use tools such as Task Manager and Process Explorer to observe these concepts in action. The goal is to build a solid understanding of how Windows behaves under the hood, creating the foundation needed for later malware analysis, reverse engineering, and development topics.

Module 2: Windows Application Development Fundamentals


Module 3: Processes, Memory and Threads

This module moves from basic Windows concepts into the APIs and internal structures that drive process execution, memory management, and threading. Students learn how processes are created, configured, inspected, and terminated, while also exploring the lower-level details that shape how code runs inside a process, from attributes and the PEB to memory layout and thread behaviour.

As the module develops, students work through memory allocation, heaps, process and thread enumeration, and thread creation in real Windows applications. Together, these topics provide the groundwork for later modules on injection, malware behaviour, and low-level development techniques.

Module 4: Dynamic Link Libraries

This module introduces DLLs as a core part of Windows application development and shows how they are built, loaded, and used in real processes. Students learn the difference between implicit and explicit linking, how dependencies affect execution, and why DLLs play such an important role in both normal software behaviour and low-level Windows development.

The module then moves into techniques for working with DLLs inside other processes, including common injection concepts and related Windows mechanisms. Together, these lessons help students understand how DLL-based techniques appear in both legitimate software and malware.

Module 5a: x86/x64 Fundamentals

This module gives students the low-level architecture and assembly foundation needed to understand how code actually executes on Windows. It introduces key x86/x64 concepts such as operating modes, instructions, operands, calling conventions, branching, and stack behaviour, helping students build confidence reading and reasoning about assembly.

As the module develops, students move from core instruction flow into shellcode concepts and execution, connecting assembly knowledge to the kinds of low-level behaviour encountered in reverse engineering and malware research. The aim is to make students comfortable enough with assembly and program flow to follow later analysis work without treating machine code as a black box.

Module 5b: .NET Fundamentals

This module introduces how .NET applications work under the hood. It explains the core ideas behind the CLR, intermediate language, assemblies, metadata, and managed execution, helping students understand what makes .NET different from native Windows code and why it matters in analysis and reverse engineering.

Students also explore how .NET code interacts with Windows APIs and why .NET binaries are often easier to inspect, decompile, and reason about than native applications. The module provides the foundation needed to analyse .NET-based tooling and malware with more confidence later in the course.

Module 6: COM Fundamentals

This module introduces COM as a core Windows technology and shows how its components, interfaces, and activation model work. Students learn how COM clients and servers interact, how objects are created and accessed, and why COM remains an important part of both Windows development and malware tradecraft.

As the module progresses, students move from theory into usage, including creating COM objects, working with smart pointers, exploring interfaces with OLE/COM Object Viewer, and understanding in-process and out-of-process activation. The module also touches on callbacks and implementation details, helping students see how COM is used in real Windows software and why it matters in both analysis and development.

Module 7: The Native API

This module introduces students to the Native API layer that sits beneath many of the higher-level Windows functions developers use every day. It explores how Windows exposes lower-level functionality through native system calls and internal interfaces, giving students a clearer understanding of how processes, handles, registry operations, and other core system activity can be observed and manipulated closer to the operating system itself.

As the module progresses, students examine the Object Manager, registry-related APIs, and techniques for enumerating processes and handles using native functionality. The aim is to deepen students’ understanding of how Windows really works under the hood while preparing them for later malware analysis and development topics that rely on lower-level system knowledge.

Module 8: Introduction to Malware Analysis and Lab Setup

This module introduces the mindset and workflow behind malware analysis, helping students understand how to approach suspicious files in a structured way. It covers the role of attacker TTPs, the basics of malware classification, and how analysts interpret AV and EDR detection names to build context before diving deeper into a sample.

The module also establishes the foundation for later reverse engineering work by setting up the analysis lab and introducing core triage techniques such as PE structure, strings analysis, packing detection, and early signs of malicious functionality. Together, these lessons give students a clear starting point for examining malware methodically rather than relying on guesswork or surface-level indicators.

Module 9: Reverse Engineering .NET, VBA and Shellcode Malware

This module moves into malware reverse engineering through real-world case studies and staged analysis workflows. Students begin with the SolarWinds Sunburst attack, using it as a guided example to understand how a complex backdoor can be approached, broken down, and analysed methodically from initial triage through to deeper code-level investigation.

The module then expands into VBA macro and shellcode analysis, helping students understand how malicious logic is hidden, staged, and executed across different formats and technologies. Together, these lessons strengthen students’ ability to trace program flow, recognise suspicious functionality, and reverse engineer malware beyond surface-level indicators.

Module 10: Reverse Engineering C/C++ Malware

This module focuses on the reverse engineering of native malware through a detailed DarkSide ransomware case study. Students begin with initial analysis and then move into runtime code unpacking, learning how native malware hides its logic in memory and how analysts can work methodically through that behaviour as the sample reveals more of itself.

The module then explores techniques such as dynamic API resolution, rebuilding the import address table, and dissecting attacker TTPs within a real-world ransomware sample. Together, these lessons help students develop a more structured approach to analysing C/C++ malware and understanding how complex native threats conceal, stage, and execute their functionality.

Module 11: Malware Development

This module brings the course together by shifting from analysis into implementation, showing how low-level Windows concepts can be applied when building and testing malware-related techniques. Students explore how native executables can be kept minimal, how payloads can be stored and accessed in different ways, and how memory-sharing and mapped-file concepts can be used to support more advanced behaviour.

Using DarkSide-inspired techniques as a reference point, the module also examines how common malware ideas translate into real code and design decisions. The focus is on helping students understand how these techniques are constructed, how they behave at runtime, and why a solid grasp of Windows internals is essential for both malware research and defensive understanding.

Bonus Content

Frequently Asked Questions

What are the prerequisites for the Malware Analysis and Development course?

Students will benefit from a basic understanding of programming and Windows operating system concepts, but the course is designed to build the technical foundation step by step. Prior exposure to C/C++, Windows internals, or reverse engineering is helpful, though not strictly required for every part of the training. Because the course moves into assembly, malware analysis, and low-level development concepts, curiosity and a willingness to work through technical material carefully are just as important as prior experience.

How will this course benefit my career in cybersecurity?

This course helps students move beyond high-level security concepts and into the kind of technical depth valued in malware research, reverse engineering, threat hunting, detection engineering, red teaming, and security product development. By understanding how malware is built, analyzed, and executed on Windows, students develop skills that are directly relevant to advanced offensive and defensive roles. It is especially valuable for anyone who wants to strengthen their low-level technical credibility in modern cybersecurity work.

Does the course use real-world malware examples?

Yes. The training includes practical analysis of real-world case studies, including malware and attack techniques that help students understand how modern threats behave in practice. These examples are used to teach structured analysis, reverse engineering methodology, unpacking, and behavioural dissection, rather than relying only on simplified demonstrations or theory.

Will I learn malware development techniques in this course?

Yes. One of the distinguishing features of this course is that it approaches malware from both the analysis and development perspectives. Students explore how low-level Windows techniques are implemented in code so they can better understand how malicious software operates, how certain behaviours are constructed, and how those behaviours can later be recognized, analyzed, or detected in the real world.

What Windows and reverse engineering topics are covered in the course?

The course covers a broad technical range, including Windows internals, processes, memory, threads, DLLs, x86/x64 fundamentals, .NET, COM, the Native API, PE analysis, packing detection, shellcode, and reverse engineering workflows for both managed and native malware. These topics are taught as connected building blocks, giving students the background needed to understand malware behaviour from multiple angles rather than as isolated techniques.

Ever wanted to work with Threat.Zone? The time is now!
20% off for TrainSec students.
With features like MemProcFS for analyzing memory dumps, CDR for sanitizing files, and CSI tools for digital forensics, Threat.Zone provides a powerful environment for malware analysis and security investigations.
Malware Analysis and Development

Learn advanced analysis techniques from real-world malware and harness this knowledge to craft your own malware, understanding attacker strategies. Empower yourself with both defensive and offensive cybersecurity skills.


Gain Insider Knowledge for Free: Subscribe to Updates From the TrainSec Knowledge Library

Immerse yourself in cutting-edge cybersecurity knowledge from industry insiders. Access reliable research insights, a practice-driven learning hub, and updates on the latest cybersecurity trends.