Neel Pathak
Staff Researcher, Trellix
Pratik Kadam
Security Researcher, Trellix

Name of Training:

Practical Malware Analysis Bootcamp

A full description of the training:

In this program, participants will get to know the internals of malware: its behavior, origins, and modes of infiltration. The session covers topics from the fundamental structure of PE files to advanced techniques seen in day-to-day malware analysis. You'll gain hands-on experience in dissecting malicious code and get familiar with the tools used by malware analysts and reverse engineers. The session will cover the fundamental principles of malware analysis, guiding you through the identification and classification of various types of malware.

The training is designed to bridge the gap between entry-level and intermediate malware analysts. Participants will work hands-on with recent malware samples to get a good grasp of sophisticated evasion techniques.

Outline of the Class

Malware Introduction

  • What is malware
  • Identifying malicious or benign files
  • Setting up a Lab for safe Malware Reversing

PE File Format

  • Parsing PE files from headers to overlay
  • Analyzing Import and Export Address Table (IAT and EAT)

Brief Introduction to Windows internals and API

  • Windows Architecture
  • Windows Kernel Objects and Handles
  • Windows Data Structures Primer

Assembly Language Basics Refresher

  • x86 architecture review with stack usage and common opcodes

Static Malware Analysis

  • Playing with Disassembly
  • Recognizing packed vs. unpacked malware

Malware Evasion techniques

  • Process Injection
  • Process Replacement
  • APC Injection
  • DLL Persistence
  • User mode Rootkits
  • Persistence using Windows Registry
  • Lab

Anti-VM Techniques

  • Detection using VM Configuration and Hardware
  • MAC Address Checks and vulnerable instructions
  • Lab

Anti-Disassembly Techniques

  • Return Pointer Abuse
  • Disassembler Assumptions
  • Breaking stack frame Analysis
  • Lab

Anti-Debugging Techniques

  • Anti-debugging through Windows API calls
  • Structure Matching
  • TLS Callbacks
  • Memory Scanning
  • Lab

.NET Compiled Malware

  • Overview of .NET Compiled Malware
  • Using dnSpy and reading decompiled code
  • Common Protections

Dynamic Malware Analysis

  • Malware Sandboxes and their pros and cons
  • Mapped vs. unmapped PE files
  • Common Unpacking techniques
  • Debugging through a malware sample
  • Lab: extracting the payload from packed malware

Writing Signatures for Detection and Hunting

  • Pattern matching and using Yara for Threat Hunting

Prerequisites

  • Comfortable with reading C Code
  • Basic understanding of the Windows environment

What participants will receive

  • Course material (pdf copy)
  • Lab solution material
  • Malware samples used in the sessions
  • VM links to download

What this training does not cover

  • Reversing malware or software protected by VMProtect, Themida, or other commercial packers
  • Malware Removal training


Neel Pathak
Staff Researcher, Trellix

Neel works as a Staff Researcher at Trellix's Advanced Research Center and has over a decade of hands-on experience handling malware campaigns and various detection technologies. He enjoys analyzing and dissecting malware samples that arrive through various attack vectors, such as email and drive-by downloads. Neel has gradually developed an interest in the threat intelligence domain and loves tracking notorious APT groups and their evolving TTPs. He also authors proactive detections for Trellix products to keep up with the cyber threat landscape. Outside of work, he enjoys traveling and playing cricket.

Pratik Kadam
Security Researcher, Trellix

Pratik is a Security Researcher working at Trellix's Advanced Research Center, where he focuses on email and network security, and preventing phishing and malware attacks. He has a passion for reverse engineering and vulnerability analysis, and he enjoys learning new tools and techniques to enhance his skills. In his spare time, he enjoys playing Souls games, as he loves challenges.