Many people approach me asking more or less the same questions: how to start RE, how to become a malware analyst, how did I start, what materials I can recommend, etc. So, in this section I will collect some hints and useful links for the beginners.
//NOTE: this article is periodically updated with new materials
The topic of reverse engineering (RE) is very broad. You can reverse engineer all sort of software for all sort of platforms. You can even reverse engineer hardware. But in this article I will focus mostly on the subset of skills that you need for analyzing malware on Windows.
Tools & environment
In order to not infect yourself, you need to prepare an isolated virtual environment with all the tools installed, where you can deploy the malware sample and analyze it. More details:
- Malware analysis for N00bs – part 1: malware and the tools for its analysis (slides)
- Malware Analysis Virtual Machine – by OALabs
- Creating a Simple Free Malware Analysis Environment – by MalwareTech
- Reviews of various tools for reverse engineering
Among the tools that you will use on daily will be debuggers and disassembles, such as IDA, Ghidra, BinaryNinja, OllyDbg (or some of its derivatives such as ImmunityDbg), x64dbg. Very useful and advanced, but not as user-friendly is WinDbg – also worth to learn it, but I don’t recommend it to beginners. Below you will find some courses that will help you familiarize with those tools:
- Reversing with Lena151 – learn OllyDbg (old, but still very useful)
- TiGa’s course on IDA Pro
- Introduction to WinDbg by Anand George
How to get malware samples, intelligence etc.?
If you are a beginner and not a member of any community yet, you can find fresh, nicely cataloged samples for free here:
You can also download them from some of the free online sandboxes and open repositories, such as:
For a threat intelligence, information about outbreaks, hashes of fresh samples etc, I recommend you to join twitter and follow some of the researchers that you know.
Check also some malware trackers, where you can find live links to the latest malware, and some more information about campaigns:
Common malware families
A catalogue of various articles on particular malware families you can find here:
Mind the fact, that the sourcecode of several popular malware families already leaked (i.e. ZeuS, Tinba, Gozi , Pony, Alina, Carberp). A bigger collection is available at VXUnderground, here. Strains that are currently in circulation may be based on them, or have some fragments of code copied. Hours of reading the leaked code may save you days of analysis! And even when you are dealing with a malware that was written from the scratch, the experience gained by reading the leaked code can help you recognize common approaches.
Similarly, malware authors don’t hesitate to adapt the toolkits that were written for a legitimate purpose, i.e. for Red Teams. An example of such tool that was leaked and is often being used in malware is Cobalt Strike (Avast on Cobalt Strike, Mandiant on Cobalt Strike).
Reversing is an art that you can learn only by doing, so I recommend you to start practicing directly. First try to practice by following step-by-step writeups.
- Beginner Malware Reversing Challenges (by Malware Tech)
- Malwarebytes CrackMe #1 + tutorial
- Malwarebytes CrackMe #2 + list of write-ups
- Malwarebytes Crackme #3 + list of write-ups
- https://crackmes.one/ – various crackmes to help you exercise reversing
- “Nightmare” – a reverse engineering course created around CTF tasks
Inside the compiled application
Reversing a native application requires you to understand some low-level concepts. If you want to focus on Windows malware (as I do), you will most of the time be dealing with PE files. When you watch an application under a debugger, you see it in a disassembled form – transformed to assembly language (assembler). So, the more about assembler, PE structure, and operating system you know, the easier will be for you to follow.
Here and here you will find some gentle introduction to x86 assembly. To get a deeper understanding and a grasp on other platforms too, check this free course. An invaluable, comprehensive resource about assembly is the official Intel manual.
For learning the PE format, I recommend you to read [this] + the articles of Matt Pietrek (i.e.   ), and Ange Albertini’s posters (PE101, PE102). You can start by my slides about PE. Check also PE-bear and try to view various executables, compare it with what you read about the format.
Programming for RE/malware analysis
Not all malware analysts are proficient programmers, but you need to have some basic skills, and at least be able to understand the code. The more fluent programmer you are, the better for you – you will be able to experiment with the techniques and create some tools helping you in analysis.
The languages that I use on daily are C/C++, Python, and assembler, and I am mostly agree with [this] MalwareTech’s article.
Some people ask me from where I learned particular languages, so here are some of the sources:
- x86 Assembler:
“Windows System Programming” is a very solid book covering Windows API and the related topics.
Malware usually comes packed, and in order to analyze the core you will have to unpack it from the outer, protective layer. Malware distributors may use legitimate, well-known packers and protectors, as well as custom ones, prepared with a special focus on AV evasion. This article explains the concept.
My vidoetutorials about unpacking malware are available here.
Protectors using virtualization
A separate class of executable protectors, also applied in malware, are the ones using virtualization. In contrast to the classic ones, they not only wrap the original code into another layer, but also modify the existing code, rewriting some fragments in a way that they can run only on a built-in Virtual Machine. This type of protectors are especially difficult to analyze, as they cannot be unpacked in a typical way. Sometimes reconstruction of the original executable is impossible, or time inefficient. I usually deal with them with the help of tracing. However, for less complex variants, it is possible to analyze the full VM logic, and reconstruct the code.
Below you can find some links on analysis of this type of protection method:
- Workshop: Analysis of Virtualization-based Obfuscation
- https://www.youtube.com/watch?v=PAG3M7mWT2c&t=13229s – a talk on reversing VMProtect
- VMProtect 2 – Detailed Analysis of the Virtual Machine Architecture
- VMProtect 2 – Part Two, Complete Static Analysis
- A solution to VMProtect challenge from UIUCTF 2021 – SpeakEasy: https://medium.com/@acheron2302/speakeasy-writeup-3af3375ab63
- “Tickling VMProtect with LLVM”:  (more on LLVM here)
You can practice de-virtualilzation on some dedicated crackmes – packed by simple, custom VM-protectors. Examples:
- Flare-On 8 Task 10 “Wizardcult”
Malware injection/impersonation methods
Most of the malware injects code into other processes. The common purposes of injections are: impersonating other applications and hooking. The implant can be a shellcode, as well as a full PE. Used methods are various. Among PE impersonation techniques, the most popular is Process Hollowing (aka RunPE) and Reflective DLL injection.
- a walk-through various techniques (by Endgame)
- ready-made demos of various code injection techniques (source code)
- Review of various injection techniques (BlackHat 2019) [Video] [PDF]
- https://github.com/odzhan/injection – an extensive set of examples
- List of my PE injection demos (source code)
Hooking is a technique that allows to intercept API calls. Malware uses this technique for various purposes, such as: being unnoticed by monitoring applications, intercepting the data being sent etc. From the other hand side, the same technique is also used by sandboxes, to monitor malware.
How the hooking works:
- “Inline Hooking for programmers” (by MalwareTech) – part #1 and part #2
- Windows API Hooking (at Red Teaming Experiments)
- My slides about various types of hooking
How a simple, userland rootkit utilizes hooking:
Kernel Mode malware
Most of the malware you will encounter works in userland. But from time to time you can come across some kernel mode malware modules. Reversing them is more difficult, and it will require different environment setup.
Setting up the environment for analyzing malware in kernel mode will follow the same steps as I described for Windows Kernel Exploitation practice, here:
Kernel mode modules are structured completely different than the ones that you encounter on daily in userland. This is why, before analyzing them, I strongly recommend you to get a general knowledge on drivers. In my opinion, the best introduction to the topic is a book “Windows Kernel Programming” by Pavel Yosifovich , and the set of accompanying examples that is available for free here. A briefer intro into the methodology of analyzing a driver (by Matt Hand) can be found here. Other notes on the topic, (by VoidSec) are available here (although the author focus mostly on Driver RE in context of exploitation, but most of the tips are valid also for malware researchers).
Below, you can find a very nice tutorial about reversing a kernel more rootkit:
More about techniques used by kernel mode rootkits you will find, i.e. here:
Keep in mind that some of the techniques of classic kernel mode rootkits no longer work on modern Windows.
Even lower level…
It is possible to install malware implants at even lower level than the Operating System’s kernel space. There are malware out there that infect MBR, such as Petya, and other bootlockers. A separate category are bootkits, which can hijack the whole boot sequence of the system, starting from the earliest stages. Of course preparing such implant is much more difficult than writing a conventional malware, so it is done very rarely. Here you can find a very interesting research on the malware that infects UEFI firmware: “Moon Bounce”.
- https://www.begin.re/ – Reverse Engineering for beginners
- Reverse Engineering Malware 101 and 102 – by MalwareUnicorn
- https://samsclass.info/126/126_S17.shtml – Practical Malware Analysis
- Malware Analysis course (University of Cincinnati)
- Red/purple teaming: a malware development course by 0xPat
- Building C2 implants in C++
- My training: malware_training_vol1 (work-in-progress)
- Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software
- The Art of Computer Virus Research and Defense – Peter Szor (old but very good book)
- “The “Ultimate”Anti-Debugging Reference” – by Peter Ferrie (old but still relevant compendium of various anti-debug techniques used by malware)
- Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
- Hacker Disassembling Uncovered – by Kris Kaspersky
- The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
- Rootkits and Bootkits – by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
- Windows System Programming (4th edition) – by Johnson M. Hart
- Gray Hat Python
Tips & ideas
- “How to Become (and Remain) a Malware Researcher” – by Todd Cullum
- “How to become the best Malware Analyst E-V-E-R” – by Hexacorn
- “So You Want To Be A Malware Analyst” – by Adam Kujawa
How to get a job as malware analyst?
From my experience, the best way is to contribute in the community. Be active, start researching on your own, show your passion, share what you learned. There is a big and very friendly community of researchers on twitter, it helped me a lot finding a job in this field. So, if you are not there yet, I strongly recommend you to join.