How to start RE/malware analysis?

Many people approach me asking more or less the same questions: how to start RE, how to become a malware analyst, how did I started, what materials I can recommend, etc. So, in this section I will collect some hints and useful links for the beginners.

//WARNING: this article is a work-in-progress

The topic of reverse engineering (RE) is very broad. You can reverse engineer all sort of software for all sort of platforms. You can even reverse engineer hardware. But in this article I will focus mostly on the subset of skills that you need for analyzing malware on Windows.

Tools & environment

In order to not infect yourself, you need to prepare an isolated virtual environment with all the tools installed, where you can deploy the malware sample and analyze it. More details:

Learning tools

Among the tools that you will use on daily will be debuggers and disassembles, such as IDA, Ghidra, OllyDbg (or some of its derivatives such as ImmunityDbg), x64dbg. Very useful and advanced, but not as user-friendly is WinDbg – also worth to learn it, but I don’t recommend it to beginners. Below you will find some courses that will help you familiarize with those tools:

How to get malware samples, intelligence etc.?

If you are a beginner and not a member of any community yet, you can find fresh, nicely cataloged samples for free here:

You can also download them from some of the free online sandboxes and open repositories, such as:

For a threat intelligence, information about outbreaks, hashes of fresh samples etc, I recommend you to join twitter and follow some of the researchers that you know.

As you will become more proficient, I recommend you to join also this community:

Check also some malware trackers, where you can find live links to the latest malware, and some more information about campaigns:

Common malware families

A catalogue of various articles on particular malware families you can find here:

Mind the fact, that the sourcecode of several popular malware families already leaked (i.e. ZeuS, Tinba, Gozi , Pony, Alina, Carberp). Strains that are currently in circulation may be based on them, or have some fragments of code copied. Hours of reading the leaked code may save you days of analysis! And even when you are dealing with a malware that was written from the scratch, the experience gained by reading the leaked code can help you recognize common approaches.


Reversing is an art that you can learn only by doing, so I recommend you to start practicing directly. First try to practice by following step-by-step writeups.

Check also writeups from an annual FlareOn Challenge. It contains variety of reverse engineering tasks with growing difficulty level.

Inside the compiled application

Reversing a native application requires you to understand some low-level concepts. If you want to focus on Windows malware (as I do), you will most of the time be dealing with PE files. When you watch an application under a debugger, you see it in a disassembled form – transformed to assembly language (assembler). So, the more about assembler, PE structure, and operating system you know, the easier will be for you to follow. Here and here you will find some gentle introduction to x86 assembly. To get a deeper understanding and a grasp on other platforms too, check this free book.

For learning the PE format, I recommend you to read [this] + the articles of Matt Pietrek (i.e. [1] [2] [3]), and Ange Albertini’s posters (PE101, PE102). Check also PE-bear and try to view various executables, compare it with what you read about the format.

Programming for RE/malware analysis

Not all malware analysts are proficient programmers, but you need to have some basic skills, and at least be able to understand the code. The more fluent programmer you are, the better for you – you will be able to experiment with the techniques and create some tools helping you in analysis.

The languages that I use on daily are C/C++, Python, and assembler, and I am mostly agree with [this] MalwareTech’s article.

Some people ask me from where I learned particular languages, so here are some of the sources:

Windows System Programming” is a very solid book covering Windows API and the related topics.

Malware unpacking

Malware usually comes packed, and in order to analyze the core you will have to unpack it from the outer, protective layer. Malware distributors may use legitimate, well-known packers and protectors, as well as custom ones, prepared with a special focus on AV evasion. This article explains the concept.

To get familiar with manual unpacking, check the series of tutorials “Unpacking With Anthracene” [1][2][3][4], and other tutorials from Tuts4You.

My vidoetutorials about unpacking malware are available here.

Malware injection methods

Most of the malware injects code into other processes. The common purposes of injections are: impersonating other applications and hooking. Used methods are various. The most popular is Process Hollowing (aka RunPE) and Reflective DLL injection.


Hooking is a technique that allows to intercept API calls. Malware uses this technique for various purposes, such as: being unnoticed by monitoring applications, intercepting the data being sent etc. From the other hand side, the same technique is also used by sandboxes, to monitor malware.

How the hooking works:

  • “Inline Hooking for programmers” (by MalwareTech) – part #1 andย  part #2

How a simple, userland rootkit utilizes hooking:

Kernel Mode malware

Most of the malware you will encounter works in userland. But from time to time you can come across some kernel mode malware modules. Reversing them is more difficult, and it will require different environment setup.

Setting up the environment for analyzing malware in kernel mode will follow the same steps as I described for Windows Kernel Exploitation practice, here:

Below, you can find a very nice tutorial about reversing a kernel more rootkit:

More about techniques used by kernel mode rootkits you will find, i.e. here:


YouTube channels


Tips & ideas

How to get a job as malware analyst?

From my experience, the best way is to contribute in the community. Be active, start researching on your own, show your passion, share what you learned. There is a big and very friendly community of researchers on twitter, it helped me a lot finding a job in this field. So, if you are not there yet, I strongly recommend you to join.

16 Responses to How to start RE/malware analysis?

  1. withrich says:


  2. More about techniques used by kernel more rootkits you will find, i.e. here: s/more/mode

  3. Pingback: Reverse Engineering in CTF Tips – fareedfauzi

  4. Nanna says:

    What are some CS classes hat help improve Reversing Skills?

  5. Eilon says:

    Awesome as always.

  6. Gio says:

    Many thanks for sharing this! Would you tell some more about your environment for malware analysis? Which setup are you using, whether you use hardened VM and how hardened, what is your typical workflow, if you use any sandboxes too, if and how you store samples, etc

    • hasherezade says:

      Hi! My setup for malware analysis is very simple. As a base system I use Linux (Debian) with Wireshark (to sniff the traffic from the guest if needed). Then I use Windows on VirtualBox. On Windows I have all my tools installed (PE-bear, debuggers, PIN tools, SysInternals Tools, Fiddler, etc). I don’t usually use hardened VMs, just a basic setup.
      I start from viewing a sample in PE-bear, then I am unpacking it (with PE-sieve, or manually if needed). Once I have the sample unpacked, I view it again in PE-bear, to get a general overview. If it is not obfuscated, I just open it in IDA and start analyzing statically. If the sample is complex or obfuscated, I start from tracing it by a PIN tracer. I usually use TinyTracer ( first), then eventually some more complex traces. They give me tags that I am loading to IDA to better understand the obfuscated parts.
      Depending on a sample, I can switch from static to dynamic analysis multiple times. Sometimes I may start from a behavioral analysis, observing API calls with ProcMon, observing eventual traffic with Fiddler or Wireshark.
      I do several iterations, renaming functions in IDA, adding comments.
      When the sample is defending itself against analysis, I find those branches by PIN tracers, and patch them to make the malware “blind”. Sometimes I import functions from malware to experiment with them (with libPeConv).
      I hope it answers your question ๐Ÿ™‚

  7. Sanyuj says:

    Thankyou for sharing all of this @hasherezade !!!
    I came to know about you from a paper i read about PrincessLocker unpacking.
    Love your content and wish to contribute to the community soon!

  8. ahmedES says:

    any recommended resources to learn shellcoding ?

  9. Pingback: trimstray/the-book-of-secret-knowledge

  10. Adrian Dostoevksy says:

    Thank you for this amazing post.

  11. regular_user says:

    which is your recommendation? “Windows 10 System Programming” or “Windows System Programming”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s