Where do I start...?

Getting started learning a new skill or concept can be daunting, especially with topics as large and complex as malware analysis and reverse engineering. Don't worry - this page will help you get started! Below I've organized resources that will help you start learning malware analysis and reverse engineering. If you're not sure where to start, start at the beginning! If you have some experience, feel free to skip ahead. Please note that I will favor resources I've created or am familiar with. This doesn't mean there aren't better resources out there for you - everyone learns differently and my style may not always work best for you. If you have any questions, don't hesitate to join the Discord and ask away - there is a channel dedicated to helping you get started there as well.

Building A Lab Environment

Before you start learning, you'll want to have a lab environment. Most of the content I teach is centered around Windows, but I often use a variety of resources to help. Using virtualization software is common practice and is where I spend most of my time performing analysis or even writing code. VirtualBox and VMware are both popular options: VirtualBox is open-source, while VMware provides a non-commercial option. If you're not sure where to start, try them both out. Once you have virtualization software installed, check out the following distributions to get a purpose-built VM.

FLARE-VM

The FLARE-VM, maintained by the FLARE team at Google, is designed to provide you with the vast majority of tools you need for reverse engineering and malware analysis. Unlike popular Linux distributions, the FLARE-VM is not a ready-to-go VM that you download. Instead, you run installation scripts to build out an existing Windows VM. Instructions can be found on the project's GitHub page, along with links to a Windows 10 ISO to get started from.

REMnux

REMnux is another popular MA/RE VM. It's built on Linux and provides another ready-to-go environment for analysis. Since this distro uses Linux, you can download an OVA ready to import directly into your virtualization software. I typically have at least two VMs for analysis - a FLARE-VM and a REMnux VM.

Kali

Kali is another popular Linux-based distribution. While it's geared more toward red team operations, it contains many useful tools. I find myself using it from time to time, so it's handy to have around. However, if you already have a FLARE-VM and REMnux, you could probably queue this one up to explore later.

Building Core Skills

Whether you want to learn advanced malware analysis skills, become a penetration tester, or do vulnerability research, learning to reverse engineer will help you develop a solid foundation. Where you want to end up determines where you start, but you'll find that many of the low-level skills and concepts you pick up here translate well to a wide variety of technologies and use cases.

Assembly

Learning low-level concepts such as CPU design and architecture is a must, and in my opinion learning assembly is a great way to do that. Plus, when it comes to reverse engineering, you are often looking at this low-level representation of machine code (i.e. binary). This series covers many essential topics to help you understand assembly. It also walks you through setting up a lab environment so you can practice creating your own small assembly programs, which helps make the learning more concrete.

Playlist on YouTube

C

Learning at least some C is a must, and this playlist covers what you need to know. The C language is often considered the cornerstone of reverse engineering. This powerful language unlocks the secrets of how systems truly function, giving you the low-level expertise to analyze malware. C's simplicity and close-to-hardware nature provide an unparalleled foundation for understanding compiled code, making it an essential skill for anyone serious about cybersecurity and software exploration.

Playlist on YouTube

Reverse Engineering

Once you have basic assembly and/or C knowledge, I suggest you start looking at the world through the lens of reverse engineering. Many RE courses begin with an assembly refresher, so if you already know some ASM/C you could start here to see how you do - don't worry, if you're feeling a bit rusty you can always go back and refresh.

Playlist on YouTube

PE File Format

Learning file formats, and particularly the portable executable (PE) format, is essential. Whether you plan to become a seasoned reverse engineer or perform basic triage analysis, understanding how this file format is used by Microsoft Windows is a must. While this playlist is topic-driven, it is designed to be consumed in playlist order - so if you're not sure where to start, just hit play!

Playlist on YouTube

Assembly

This is a 90-minute crash course in x86 assembly - so whether you're looking to get started or need a refresher, this is a great place to start. The course provides instructions on how to create sample binaries to follow along and takes a unique approach by combining both C and assembly in one course! You'll disassemble sample C programs with IDA Pro to not only learn basic assembly, but also how to use this venerable disassembler and decompiler.

Course on Pluralsight

Getting Started with RE

This nearly 4-hour course covers everything from assembly basics to using debuggers and performing reverse engineering. There are several hands-on labs to help you practice the skills you are learning. This is a great course to introduce you to all the essential tools, topics, and tricks to get started learning reverse engineering!

Course on Pluralsight

IDA Pro Basics

When reverse engineering, a significant amount of time is spent analyzing disassembled or decompiled code, and no other tool is as widely known for this task as IDA Pro. First, you'll explore IDA's core functionality and common use cases for cybersecurity professionals. Next, you'll discover how IDA handles a variety of executable file formats and processor architectures. Finally, you'll get hands-on with IDA Pro to explore key user interface components and see the decompiler in action.

Course on Pluralsight

Ghidra Basics

To become effective at reverse engineering, you have to know how to utilize tools designed to disassemble and decompile code. First, you’ll explore Ghidra’s core functionality and common use cases by security professionals. Next, you’ll discover what Ghidra can, and can’t do. Finally, you’ll get hands-on with Ghidra and explore its primary features and essential navigation. When you’re finished with this course, you’ll have the skills and knowledge of Ghidra needed to start learning this essential tool.

Course on Pluralsight

Basic Malware Analysis

Basic malware analysis skills don't necessarily require an understanding of assembly. In fact, learning some basic malware analysis while learning reverse engineering may help you understand the role RE plays in a more practical context. However, moving on to advanced malware analysis will certainly require low-level knowledge. In any case, these resources will help you get started and require no prior knowledge of assembly.

Malware Mondays

The Malware Mondays live stream is designed to provide you with a fully interactive live stream experience! Learning objectives will be posted on Monday for you to practice that week's skills, and a live stream on the following Friday will walk you through the analysis. This series is designed to build fundamental skills and is a series you can start at the beginning to experience like a course, or just pick a topic you need to brush up on!

Playlist on YouTube

Mentoring Sessions

This series of live streams is designed to not only help provide some advice on how to get started learning malware analysis and reverse engineering, but also to start learning some basic analysis skills. If you're not sure which one to start with, I'd suggest the stream titled "How to get started with Malware Analysis and Reverse Engineering?".

Playlist on YouTube

Online Sandboxes

I consider learning online threat intelligence platforms and sandboxes part of your basic malware analysis skills. This video walks you through performing basic triage analysis using Any.Run - a popular (and partially free) online sandbox. This certainly isn't the only one I recommend, but it's a great place to get started to learn the basics!

Video on YouTube

Initial File Triage

Malware is distributed in many forms and the first step in identifying it is knowing how to use basic tools. In this course you'll learn the necessary skills to start down the path of a malware analyst. First, you'll explore key terminology and how to handle malware in a safe manner. Next, you’ll get hands-on with basic tools used to perform initial file triage, which is a critical first step as it often sets the stage for how your analysis will proceed. Finally, you’ll enter the world of malware obfuscation to better understand how it is used and the impact it has on your analysis efforts.

Course on Pluralsight

Malicious Activity Detection

Threat actors are constantly evolving their tactics, tools, and evasion techniques. In this course you'll learn the skills necessary to use this information to create custom detections with Yara, Suricata, and Sigma. First, you'll explore the use of Yara to detect malicious files; Yara enables you to stay on the cutting edge of detecting the newest file-based threats. Next, you'll get hands-on with Suricata, creating custom rules to alert on malicious or suspicious network traffic. As most malware will need to communicate outside of your network, monitoring the network can provide valuable insight for catching malicious activity. Finally, you'll dive into Sigma to create detections from endpoint log files. This will allow you to identify malicious activity based on behavioral data from your endpoints.

Course on Pluralsight

Initial Access Techniques

Malware is distributed through a wide variety of complex channels, utilizing obfuscation and subterfuge to avoid detection. In this course you’ll learn the skills necessary to identify these stages and get hands-on with the tools to unravel them to extract key indicators of compromise. First, you’ll explore how malware is delivered, identifying commonly abused technologies, and learn about critical mitigations. Next, you’ll get hands-on exploring malicious infrastructure to understand how threat actors can proactively compromise your organization. You will also see how malware command and control works and techniques for identifying this type of communication. Finally, you’ll dive deep into performing malware analysis on a variety of initial access artifacts, such as office documents and PowerShell scripts. 

Course on Pluralsight

Intermediate Malware Analysis

I consider basic analysis to be all of the skills required to perform essential triage analysis - using a sandbox, dumping strings, and using signatures (such as Yara or those found in Detect-It-Easy). Moving into intermediate skills introduces you to more advanced techniques, but still (in my opinion) stops short of spending significant time in tools such as IDA Pro. The Malware Mondays series covers many of these skills, such as capturing malware activity using Process Explorer and Process Monitor, so I won't list it again here. While not an exhaustive list, here are some resources I suggest learning next.

Creating Yara Rules

You are often consuming Yara rules without even realizing it! The next step is to learn how to create your own. I have previous courses listed here that introduce you to Yara basics, but this (relatively) short playlist will build upon those skills and also introduce how to create Yara rules from hex-patterns (or disassembled code).

Playlist on YouTube

More Assembly

You really can't learn too much assembly and this series is designed to help you continue that learning. Using the open-source software reverse engineering tool Ghidra, this series will help you identify calling conventions, control and data structures and even the basics of reversing C++ objects.

Playlist on YouTube

C Structures

Re-creating structures is another key reverse engineering activity, and this playlist will introduce you to the basics of identifying and creating them in IDA Pro. Structures are used extensively in the Windows API and by malware authors and software developers; understanding how they are used can help identify key program capabilities and data.

Playlist on YouTube

Decompiling .NET

I like to introduce decompilation of .NET as I begin to transition into more advanced reverse engineering. This not only allows you to become more familiar with the RE process, but decompilation of .NET produces C#/VB.NET rather than assembly, so it can be a bit easier to learn to reverse engineer. This video will introduce you to dnSpyEx - the go-to tool for reversing .NET binaries!

Obfuscation in .NET

As you progress in this learning path, you will begin to tackle obfuscation in a more head-on fashion. This video will introduce you to code obfuscation in .NET and how to get around it using real-world malware.

Unpacking from Memory

Unpacking is a loaded term these days, but you'll often encounter malware that, after a convoluted execution chain, ends with a new PE file showing up in memory. Sometimes these files can be dumped from memory and recovered without having to perform exhaustive RE work. This video will give you some ideas using a REDLINE stealer sample.

Reversing .NET

Looking for a more formal and organized approach to reversing .NET malware? This course will do just that! A significant amount of malware is written in .NET, making it crucial to understand and be able to reverse engineer these binaries. Not only will this course teach you how to reverse engineer .NET binaries, but it will introduce you to a reverse engineering methodology that you can build upon with more complex samples and tools.

Course on Pluralsight

Reversing .NET & Java

This older course will introduce you not only to reversing .NET, but Java as well. While the course may be a bit older than other content I have listed here, many of the fundamental concepts and techniques have not changed much over the years, and it is still a great place to get started!

Course on Pluralsight

Advanced Malware Analysis

Most advanced malware analysis training ends with spending most of the time in tools such as IDA Pro - which is my preferred disassembler/decompiler. Advanced techniques cover a wide range of topics, from analyzing shellcode and Windows internals to defeating code obfuscation and debugging. Here is a list of resources that will help you move into this next stage of your career!

Anti-Analysis in LockBit3

There is no point in holding back - let's jump right in! This playlist will introduce you to a variety of anti-analysis techniques using the infamous LockBit 3 (Black) ransomware. You'll learn how it uses the PEB for runtime linking, trampolines to complicate analysis, and other anti-analysis tricks to disrupt disassembly and debugging efforts!

Playlist on YouTube

Full Analysis of NullMixer

At this point in your learning, it is also a great idea to start combining skills into full-scope, comprehensive analysis. This series is designed to do just that! Starting with basic triage, it moves quickly into unpacking the malware, creating custom IDS rules with Suricata, and wrapping up with Yara rule creation.

Playlist on YouTube

Creating and Analyzing Shellcode

Learning the ins and outs of shellcode is also an important skill to obtain. This series will not only teach you how to create shellcode, but also common techniques such as position independence and runtime-linking. You'll also learn common shellcode analysis tools and how to debug shellcode.

Playlist on YouTube

Identifying & Defeating Packing

Malware authors routinely utilize packing techniques to complicate the analysis of their code. This course will teach you techniques for identifying and defeating packing so that key characteristics and behaviors can be identified.

Course on Pluralsight

Code Obfuscation Techniques

Malware authors routinely utilize obfuscation techniques to complicate the analysis of their code. This course will teach you techniques for identifying and defeating code obfuscation so that key characteristics and behaviors can be identified.

Course on Pluralsight

Anti-Analysis Techniques

Anti-reverse engineering and anti-debugging techniques are often used by malware authors to disrupt or prevent analysis, helping them to avoid detection. This course will teach you effective strategies for detecting and defeating these techniques.

Course on Pluralsight

GoLang & Modbus

This course will teach the basics of analyzing GoLang binaries and how to identify OT-specific threats using the FrostyGoop malware.

Course on Pluralsight

Manual Unpacking of UPX

UPX is a popular open-source packer used by malicious and non-malicious actors alike. This video will teach you how to apply basic unpacking skills to manually unpack UPX samples. You'll also learn key RE tools such as x64dbg and Scylla, as well as other key aspects of dumping PE files from memory.

Unpacking w/ Time-Travel Debugging

Time-travel debugging (TTD) is a way of debugging with WinDbg that allows you to step both forward and backward through a recorded execution! This can be an incredible time saver, as it helps you avoid restarting your analysis in a debugger over and over again. Learn how to use TTD by unpacking a commodity malware sample - VIDAR.