The FLARE Learning Hub freely distributes quality reverse engineering and malware analysis educational content from the FLARE team.
The FLARE Learning Hub modules are hosted as web-published Google Docs, which are linked in the respective descriptions below. This repository contains all corresponding artifacts for each module, including lab exercise and demonstration binaries, disassembler databases, and scripts.
Refinements to existing modules and new modules will be published on an ongoing basis.
- Malware Analysis Crash Course
- The Go Reverse Engineering Reference
- An Introduction to Time Travel Debugging
To start working on a module, we strongly recommend setting up a safely isolated virtual machine (VM) environment using FLARE-VM, which provides the tools necessary to complete the lab exercises and demonstrations. We also recommend using a virtualization product that supports snapshots, which allows you to record the VM in a clean state and revert to that state when starting a new analysis. All modules currently only support Intel x86-64 environments.
While all distributed binaries and scripts are crafted for the sole purpose of hands-on exercise and demonstration, they may be flagged as malicious by automated systems as some exhibit malware-like behavior. This project is not responsible for any damage or loss resulting from executing the binaries and scripts outside of a secured, isolated virtual machine environment.
The password for any password-protected ZIPs in this repository is flare.
Authors: Jae Young Kim and Nick Harbour
Module Link: Malware Analysis Crash Course
Module Directory: /macc
As static analysis tools and sandbox products continue to progress, they provide increasingly valuable information about malware binaries. However, when reliability and accuracy are critical, making definitive statements about a malware sample still necessitates a comprehensive understanding of the program through manual reverse engineering.
This is a crash course on reading, interpreting, and manipulating assembly code, which remains the cornerstone of a reverse engineer’s skill set. By the end of this training, you will have developed the practical skills necessary to begin analyzing typical Windows malware samples.
The course starts with the basics of x86 assembly and gradually introduces higher-level programming constructs. It also includes the essential Windows knowledge required to begin reversing Windows-based malware.
Emphasizing a learn-by-doing approach, the course progression weaves in numerous assembly hacking exercises. We believe the repetition of writing assembly and debugging the results is the most effective way to quickly master the fundamentals needed to reverse larger, complex programs. The course also features flash quizzes as well as multiple labs with detailed solutions.
Authors: Jae Young Kim
Module Link: The Go Reverse Engineering Reference
The Go Reverse Engineering Reference is a comprehensive reference for reverse engineering Go executables. The reference consists of three sections:
- Language Reference: The Language Reference section breaks down each Go language feature and examines how the compiler implements it at the assembly level.
- Runtime Reference: The Runtime Reference section covers key Go runtime topics (including program initialization, runtime type descriptors, and write barriers) and provides an exhaustive list of compiler-emitted runtime functions with contextual explanations.
- Executable Reference: The Executable Reference section covers the structure and layout of a Windows Go executable with the goal of identifying and contextualizing every type of data and metadata in a binary.
All material in this reference is currently restricted to Windows AMD64 executables compiled with Go version 1.24.0.
Authors: Josh Stroschein and Jae Young Kim
Module Link: An Introduction to Time Travel Debugging
Module Directory: /ttd
Time Travel Debugging (TTD), a technology offered by Microsoft as part of WinDbg, records a process’s execution to create a trace file that can be replayed forwards and backwards. Unlike conventional debugging, which only allows for forward execution tracing, TTD's "rewind" capability is particularly powerful for malware analysis and reverse engineering. This feature allows an analyst to inspect program behavior over time, significantly speeding up triage by quickly pinpointing malicious events. The ability to step forwards and backwards through execution is also instrumental in understanding and bypassing anti-analysis and obfuscation techniques.
TTD captures a program's execution path and state, creating a trace output through a transparent layer that allows full interaction with the operating system. A trace file preserves an execution record that can be shared with colleagues to facilitate collaboration, circumventing environmental differences that can affect the results of live debugging. Specific points in execution can also be bookmarked and shared to direct a coworker’s analysis. Furthermore, it includes debugger data model objects, enabling users to query the trace with LINQ to find specific events like module loads, shellcode execution, or process injection events.
This module is an introduction to TTD and its application to Windows malware analysis. The module incorporates a detailed demo and a lab to provide guided, hands-on practice. It also includes a reference for using JavaScript to automate TTD tasks along with several example scripts. By the end of the module, you should be ready to start incorporating this powerful tool into your malware triage workflow and speed up your analysis under complex debugging scenarios.
We are not currently accepting contributions to this repository, but any errata, suggestions, and feedback are welcome at flare-learning-hub@google.com.
Subscribe to the FLARE mailing list for community announcements by sending an email with the subject "subscribe" to flare-external@google.com.
