NOTE: This article may be updated as new resources are identified
Reverse engineering is a broad field with many niche specialities. There’s a lot of information out there to help you get started, but often hard to find. This article will provide a list of resources you can use to help build your malware analysis skills. It won’t attempt to list every resource available, but will focus on just a few references in each category so you don’t get overwhelmed with redundant choices.
There are two approaches you can take for practicing: find toy examples to demonstrate a concept, or work on real malware. While you are getting used to the fundamentals, using the tools, reading assembly instructions, following the basic analysis process, etc., toy examples are probably the best method. That’s because real examples will be overwhelming and make learning your objectives more difficult.
Once you’ve had some practice and are comfortable with the basics, you should move on to real malware. No matter how well programmed the toy examples are, they never compare to the real thing. If you spend months and months on the toy examples, you’ll get good at solving those types of problems. But you’ll find that when you move onto real files, it’s completely different.
Our recommendation is that once you can work through a toy example, you should move on to actual malware. Note that you don’t have to be able to complete the example quickly. But, if you can read the scenario, formulate and execute an analysis methodology, then it’s time to pick up real malware files.
The real files will be challenging. You won’t be able to analyze everything. Do what you can, and each new file, try to go a little bit deeper than you did on the last file. After a while, you will be able to analyze an entire malware sample. The next step is to simply practice and expand the types of files and techniques you can analyze.
Building Your Analysis Lab
The first step to practicing malware analysis is to build a testing lab where you can safely review malware without risking infection on your production network. This can be done through a stand alone computer or through virtual machines (VMs). VMs are the most common method used and is the method we will outline here.
We have an entire post on building your analysis lab which covers topics such as:
- How many VMs you need
- How to get free VM images
- Default configuration recommendations
- A minimal list of RE tool recommendations to start with
View the post at https://agdcservices.com/blog/how-to-build-a-malware-analysis-lab/ for full details.
Books provide some of the most structured information for the topic. They often discuss all aspects of a topic, laying out the information in a very practical manner which makes them a great resource to start with in your reverse engineering education.
Practical Malware Analysis by Micheal Sikorski; Andrew Honig
- One of the best reference books for learning malware analysis from scratch. This book covers both static and dynamic analysis; everything from triage analysis up to anti-debugging techniques and shellcode analysis. Each topic includes a number of labs so you can practice the techniques learned. The book is old and some tools are outdated, but it’s still one of the best, first books for learning the basics of malware analysis.
Learning Malware Analysis by Monnappa K A
- A similar book to Practical Malware Analysis, but more current. The topics are a little more varied than just malware analysis and include some incident response skills such as hunting malware using memory forensics, but this is still a good read for increasing your malware reverse engineering skills.
The IDA Pro Book by Chris Eagle
- Ida Pro is the most used disassembler for reverse engineering, and this book is the widely accepted reference manual for how to use Ida Pro to its fullest extent. Most of the topics are relevant to Ghidra also. How you accomplish the tasks will be different, but the capabilities discussed in this book will likely apply to both Ida Pro and Ghidra. But if you get a job reverse engineering malware, your provided disassembler will likely be Ida Pro.
The Ghidra Book by Chris Eagle and Kara Nance
- Written by the same author as the IDA Pro book, this is a good reference to learn how to use Ghidra’s functionality specifically to analyze malware.
Free Tutorials / Training
Here are some additional structured training that walk you through the analysis concepts and process. If books aren’t your preferred learning method, these are great options to look at.
- Two general reverse engineering tutorials that go over the entire methodology from building your analysis environment, to statically and dynamically analyzing a sample.
- A site where users can post training slides or videos for free. There are several RE videos that are great resources, but the “Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration” is a very well put together assembly introduction video by Xeno Kovah. In addition to this specific video, I would recommend any of the others taught by Xeno.
- Sam Bowne, a teacher at City College of San Francisco, teaches a malware reverse engineering class called CNIT 126: Practical Malware Analysis. As the name implies, he structured the class off of the Practical Malware Analysis book and each lecture is based on specific chapters. Each time the class is taught, it is recorded and later put on YouTube. If you don’t see the latest class on the website, go to YouTube and search for CNIT 126 and select the latest offering. This can be a great addition to reading the book yourself.
These youtube channels can give you a real time look at how you analyze malware. If you learn best by examples, watching live analysis on youtube is a fantastic option.
- Well done videos demonstrating real malware analysis. Often more focused on tricks you can use to get the job done versus going through a full methodology, but a nice resource to see how some of the reverse engineering theory is applied in practice.
- A collection of malware analysis videos ranging from malware theory to reverse engineering demonstrations, along with a few videos of topics like how to become a malware analyst. Most of the videos are pretty short and easily digestible.
- This is my channel where I go over malware analysis topics ranging from specific techniques you should know to full walkthroughs of current samples. The channel’s intent is for you to learn reverse engineering topics relevant to malware analysis. I try to talk about both the theory of what you need as well as demonstrate how that theory works in practice.
There’s no better way to learn malware analysis than by actually doing malware analysis. Once you’ve practiced the fundamentals and are ready to look at real samples, check out these repositories to download live malware samples to tear apart. Just remember to only open these files on a disconnected analysis machine and not your production hardware.
The malware samples are your best option, but sometimes may be overly complex. An alternative is to start with crackmes to practice the fundamentals. While we’re not a huge fan of toy examples, they can help in the beginning stages and crackmes are a good way to improve your ability to reverse engineering cryptographic functions.
- Registration is automatically approved. Large repository of malware
- No registration required. A blog about malware traffic that often includes malware for download.
- No registration required. Not the most active, but contains a decent number of malware samples that can be downloaded.
- Registration required by the site owner and can take a bit of time before approval is given. Once received, a very good resource for malware.
- Registration is automatically approved, but you need to use a business email account (no “disposable” email). Active sandbox with many current samples for download.
- Registration required to download malware and you need to be vetted prior to being given download permission.
- These are two of the primary sites for crackmes where you can search for samples by various options, difficulty level, programming language, platform, etc.
- Flare puts out a reverse engineering Capture The Flag (CTF) exercise every year. Each year’s CTF has numerous challenges, increasing in difficulty. The challenges will likely be too hard while you are learning in the beginning, but it can be very educational to read the write up solutions to get exposure to different analysis techniques and thought processes. There isn’t a single site that stores solutions write ups for all the different years, but if you google for “flare-on ctf solutions”, you will easily find solutions for every year’s answers.
Paid training can be a great investment to get guided, structured learning in place of, or in addition to, the other resources listed here. Sometimes there’s just no replacement for a step by step learning plan. If that’s what interests you, the resources below will help you find the best training to meet your goals.
- BSides conferences are held throughout the year all over the country. Many of them include training that is either free or a very affordable price. This can be a great way to obtain in-person instruction on reverse engineering topics. Just do a google search on bsides conferences in your region each year to see what may be available.
- Both these sites have a large library of IT courses that are viewed as part of a subscription plan. For a monthly price, you can view any of the courses in the catalogue. The courses typically are more on the beginner level, but can be an affordable option if you really like structured training.
- My company has several training courses, including 2 with on-demand options, “AFMRE Bonus Capstone Labs” and “A Crash Course In Deep Dive Malware Analysis”. The bonus capstone labs course is an add on to the in-person “Assembly For Malware Reverse Engineers” course. It contains 4 additional capstone labs complete with video walkthrough of the solutions. The deep dive malware analysis course is a more advanced course where you do a complete analysis of a typical RAT. Each step has written solutions in addition to the video walkthrough. See the training page for more details.