
Reverse Engineering and Malware Analysis Roadmap
Welcome to the comprehensive roadmap for mastering Reverse Engineering (RE) and Malware Analysis (MA). This roadmap is designed to guide individuals from beginner to expert level.
Foundations
0x00 Establishing a Secure Lab Environment
- Reverse Engineering For Everyone!
- Malware Analysis Virtual Machine – by OALabs
- Creating a Simple Free Malware Analysis Environment – by MalwareTech
0x01 Mastering Reverse Engineering Tools
- Reversing with Lena151 – learn OllyDbg (old, but still very useful; OllyDbg is 32-bit only, so pair it with x64dbg for current samples)
- REVERSING WITH IDA PRO FROM SCRATCH
- Introduction to WinDbg and debugging Windows
Gathering Intelligence
0x02 Sourcing Malware Samples
- MalwareBreakdown
- Malware Traffic Analysis
- VX Underground
- Malshare
- VirusShare
- Abuse.ch Bazaar
- TheZoo
- VirusBay
0x03 Gathering Threat Intelligence
Analyzing Malware Families
0x04 Understanding Common Malware Families
Practical Exercises
0x05 Beginner Challenges and Writeups
- Beginner Malware Reversing Challenges (by Malware Tech)
- Solve the Malwarebytes CrackMe: a step-by-step tutorial
- MalwareTech Windows Reversing Challenge #1 Write-Ups
- MalwareTech Windows Reversing Challenge #2 Write-Ups
- MalwareTech Windows Reversing Challenge #3 Write-Ups
- Crackmes.one – various crackmes to help you exercise reversing
- "Nightmare" – a reverse engineering course created around CTF tasks
- FlareOn Challenge writeups
Understanding Low-Level Concepts
0x06 Assembly Language and PE Format
Understanding assembly language (primarily x86/x64, with ARM for mobile and embedded samples) and the structure of executable files (like the Windows PE format) is crucial: a disassembler only shows you instructions and a debugger only shows you memory, and you have to know what both mean before any tool is useful.
Assembly Resources:
- [Video Playlists]
- [Tutorials & Guides]
- Assembly Programming Tutorial (TutorialsPoint)
- Introductory Intel x86 (OpenSecurityTraining)
- Introduction to ARM (OpenSecurityTraining)
- Introduction to ARM Assembly Basics (Azeria Labs)
- Learning assembly for linux-x64 (GitHub Repo)
- x86 Assembly Guide (UVA)
- A Crash Course in x86 Assembly for Reverse Engineers (SensePost PDF)
- Understanding C by learning assembly (Recurse Center)
- Learn x86_64 Assembly Part 0, Part 1, Part 2 (gpfault)
- x86-64 Assembly Programming with Ubuntu (PDF Guide)
- Assembly for beginners (PC Assembly Language)
- Beginner "Hello World" in Assembly
- Assembly Language Overview (WhoIsHostingThis)
- Quick Guide to Assembly (Berkeley PDF)
- A gentle introduction into ARM assembly
- [References & Cheatsheets]
- [Tools & Advanced]
- [Books]
PE Format Resources:
- Official PE Format Documentation (Microsoft)
- Understanding Windows PE Files (0xrick)
- Peering Inside the PE (Matt Pietrek)
- PE101 and PE102 by Ange Albertini
Key Books/Internals:
- Windows Internals, Part 1 (7th Edition)
- Windows Internals, Part 2 (7th Edition)
0x07 Programming for Reverse Engineering
Proficiency in C/C++, Python, and Assembly is highly recommended.
- MalwareTech's article on programming for malware analysis
- Recommended Learning:
- x86 Assembly: Iczelion's tutorial, Win32 Assembler for Crackers by Goppit
- C/C++: "The C Programming language" (K&R), "The C++ Programming language" (Stroustrup)
- Windows System Programming book
Essential Reverse Engineering Books
After covering the foundations, these books are crucial:
- Reversing: Secrets of Reverse Engineering - Eilam, Eldad
- Practical Reverse Engineering - Dang, Gazet, Bachaalany
- The IDA Pro Book - Eagle, Chris
Malware Analysis Books & Unpacking
0x08 Manual Unpacking Techniques
Learn to manually unpack malware protected by packers and protectors such as UPX, Themida and VMProtect. The usual workflow is to run the sample under a debugger until the unpacking stub transfers control to the original entry point (OEP), dump the process image at that moment, and rebuild the import table so the dump disassembles and runs cleanly. UPX is the right first target; Themida and VMProtect add anti-debugging and virtualized code on top, so treat them as a later exercise.
- Unpacking Malware (Medium Article)
- Manually unpacking malware (Travis Mathison)
- Manual Unpacking Playlist (YouTube)
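The following is an added example for sections 0x06 (PE format) and 0x08 (unpacking) together; it is my own code, not taken from any of the resources listed above. It parses the PE headers and section table with bounds checks, computes per-section Shannon entropy, and applies the triage heuristics an analyst runs before opening a debugger: packer section names, a section with no raw data but a large virtual size (where the stub will unpack the real code), and a high-entropy section containing the entry point. The sample file is constructed in memory (a UPX-style layout filled with PRNG bytes, not a real UPX binary); the structure and function names are mine and log2 is hand-rolled only to avoid a libm dependency.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk PE headers, packed to match the file layout; field names follow the
   Microsoft PE spec. Only the fields this example reads are modelled. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t unused[58]; uint32_t e_lfanew; } dos_hdr_t;
typedef struct {
    uint32_t Signature; uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} nt_hdr_t;
typedef struct {
    char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers; uint32_t Characteristics;
} sec_hdr_t;
#pragma pack(pop)

#define MAX_SECTIONS 16
typedef struct {
    uint16_t machine; uint32_t entry_rva; int nsec;
    sec_hdr_t sec[MAX_SECTIONS];
    double entropy[MAX_SECTIONS];   /* Shannon entropy (bits/byte) of each section's raw data */
} pe_info_t;

/* log2 without libm: x = m * 2^e with m in [1,2), ln(m) from the atanh series
   (converges fast because (m-1)/(m+1) <= 1/3), then divide by ln 2. */
static double log2_nolibm(double x) {
    int e = 0;
    while (x >= 2.0) { x /= 2.0; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 41; k += 2) { sum += term / k; term *= y2; }
    return e + 2.0 * sum / 0.6931471805599453;
}

static double shannon_entropy(const uint8_t *p, size_t n) {
    size_t hist[256] = {0}; double h = 0.0;
    if (n == 0) return 0.0;
    for (size_t i = 0; i < n; i++) hist[p[i]]++;
    for (int b = 0; b < 256; b++)
        if (hist[b]) { double q = (double)hist[b] / (double)n; h -= q * log2_nolibm(q); }
    return h;
}

/* Returns 0 on success, a negative code on a malformed header. Every offset is
   bounds-checked before it is read: truncated or hostile PEs are routine input
   for analysis tooling, and a parser that crashes on them is itself a target. */
int parse_pe(const uint8_t *buf, size_t len, pe_info_t *out) {
    dos_hdr_t dos; nt_hdr_t nt; uint16_t magic;
    memset(out, 0, sizeof *out);
    if (len < sizeof dos) return -1;
    memcpy(&dos, buf, sizeof dos);
    if (dos.e_magic != 0x5A4D) return -2;                                  /* "MZ" */
    if (dos.e_lfanew > len || len - dos.e_lfanew < sizeof nt) return -3;
    memcpy(&nt, buf + dos.e_lfanew, sizeof nt);
    if (nt.Signature != 0x00004550) return -4;                             /* "PE\0\0" */
    size_t opt = dos.e_lfanew + sizeof nt;
    if (nt.SizeOfOptionalHeader < 20 || len - opt < nt.SizeOfOptionalHeader) return -5;
    memcpy(&magic, buf + opt, 2);
    if (magic != 0x10B && magic != 0x20B) return -6;                       /* PE32 / PE32+ */
    memcpy(&out->entry_rva, buf + opt + 16, 4);                            /* AddressOfEntryPoint */
    size_t sect = opt + nt.SizeOfOptionalHeader;
    if (nt.NumberOfSections > MAX_SECTIONS ||
        (len - sect) / sizeof(sec_hdr_t) < nt.NumberOfSections) return -7;
    out->machine = nt.Machine; out->nsec = nt.NumberOfSections;
    for (int i = 0; i < out->nsec; i++) {
        sec_hdr_t *s = &out->sec[i];
        memcpy(s, buf + sect + i * sizeof *s, sizeof *s);
        if (s->PointerToRawData > len || len - s->PointerToRawData < s->SizeOfRawData) return -8;
        out->entropy[i] = shannon_entropy(buf + s->PointerToRawData, s->SizeOfRawData);
    }
    return 0;
}

enum { PK_KNOWN_NAME = 1, PK_HIGH_ENTROPY_EP = 2, PK_EMPTY_RAW = 4, PK_EP_OUTSIDE = 8 };

/* Triage heuristics applied before any manual unpacking. */
int packer_indicators(const pe_info_t *pe) {
    int flags = 0, ep_sec = -1;
    for (int i = 0; i < pe->nsec; i++) {
        const sec_hdr_t *s = &pe->sec[i];
        if (!strncmp(s->Name, "UPX", 3) || !strncmp(s->Name, ".vmp", 4) ||
            !strncmp(s->Name, ".themida", 8)) flags |= PK_KNOWN_NAME;
        if (s->SizeOfRawData == 0 && s->VirtualSize != 0) flags |= PK_EMPTY_RAW;
        if (pe->entry_rva >= s->VirtualAddress &&
            pe->entry_rva - s->VirtualAddress < s->VirtualSize) ep_sec = i;
    }
    if (ep_sec < 0) flags |= PK_EP_OUTSIDE;
    else if (pe->entropy[ep_sec] > 7.0) flags |= PK_HIGH_ENTROPY_EP;
    return flags;
}

/* Constructed sample, not a real UPX file: empty UPX0, a UPX1 filled with
   xorshift32 output standing in for the compressed payload (high entropy),
   entry point inside UPX1, and a tiny .rsrc. */
#define SAMPLE_LEN 0x1400
size_t build_packed_sample(uint8_t *buf) {
    uint32_t lfanew = 0x80, ep = 0x11010, x = 0x2545F491;
    uint16_t magic = 0x20B;
    nt_hdr_t nt = { 0x00004550, 0x8664, 3, 0, 0, 0, 240, 0x22 };
    sec_hdr_t sec[3] = {
        { "UPX0",  0x10000, 0x01000, 0x0000, 0x0000, 0, 0, 0, 0, 0xE0000080 },
        { "UPX1",  0x01000, 0x11000, 0x1000, 0x0200, 0, 0, 0, 0, 0xE0000040 },
        { ".rsrc", 0x00200, 0x12000, 0x0200, 0x1200, 0, 0, 0, 0, 0xC0000040 },
    };
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z'; memcpy(buf + 60, &lfanew, 4);
    memcpy(buf + lfanew, &nt, sizeof nt);
    memcpy(buf + lfanew + sizeof nt, &magic, 2);
    memcpy(buf + lfanew + sizeof nt + 16, &ep, 4);
    memcpy(buf + lfanew + sizeof nt + 240, sec, sizeof sec);
    for (size_t i = 0; i < 0x1000; i++) { x ^= x << 13; x ^= x >> 17; x ^= x << 5; buf[0x200 + i] = (uint8_t)x; }
    memcpy(buf + 0x1200, "RSRC", 4);
    return SAMPLE_LEN;
}

int main(void) {
    static uint8_t buf[SAMPLE_LEN]; pe_info_t pe;
    int rc = parse_pe(buf, build_packed_sample(buf), &pe);
    if (rc) { printf("parse failed: %d\n", rc); return 1; }
    printf("machine=0x%x entry=0x%x indicators=0x%x\n", pe.machine, pe.entry_rva, packer_indicators(&pe));
    for (int i = 0; i < pe.nsec; i++)
        printf("  %-8.8s vsize=0x%05x raw=0x%04x entropy=%.2f\n", pe.sec[i].Name,
               pe.sec[i].VirtualSize, pe.sec[i].SizeOfRawData, pe.entropy[i]);
    return 0;
}
```

Run it on a real file by replacing `build_packed_sample` with a read of the whole file into a buffer; on a UPX-packed sample you should see the empty UPX0, a UPX1 entropy close to 8 and the entry point inside UPX1, which is exactly the layout the manual unpacking walkthroughs above start from. The heuristics are indicators, not proof: legitimately compressed resources or embedded certificates also score high on entropy, and packers can rename their sections.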
Essential Malware Analysis Books:
- Practical Malware Analysis - Sikorski & Honig
- Malware Analyst's Cookbook and DVD
- Linux Malware Incident Response
- Malware Forensics Field Guide for Windows Systems
Advanced Techniques
0x09 Virtualization-based Protectors
Analyzing protectors such as VMProtect that translate selected functions into bytecode for a custom, per-build virtual machine (a software interpreter shipped inside the binary, not a hypervisor). Instead of reading x86, you first reverse the VM's dispatcher and handlers, then lift the bytecode back into readable code.
- VMProtect 2 – Detailed Analysis (Part 1)
- VMProtect 2 – Complete Static Analysis (Part 2)
- Workshop: VM-based Obfuscation Analysis
0x0a Malware Injection and Hooking
Understanding how malware injects code into other processes and hooks functions, whether to hide itself, to run inside a trusted process, or to intercept API calls and steal the data passing through them.
- Ten Process Injection Techniques (Endgame)
- Injection Techniques Demos (Source Code)
- "Inline Hooking for programmers" (MalwareTech) - Part 1 and Part 2
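As an added, self-contained example of the inline hooking technique the MalwareTech articles describe (this is my code, not theirs, and it runs on Linux x86-64 rather than Windows): the first 12 bytes of a target function are overwritten with `mov rax, <hook>; jmp rax`, so every caller lands in the attacker's function instead. It also shows the defender's side, a prologue check of the kind an EDR or memory-forensics plugin performs. The `checksum`, `evil_checksum` and `install_inline_hook` names, and the target function itself, are constructed for the example; on a non-x86-64 build `install_inline_hook` reports that it has no patch encoding rather than corrupting the function.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PATCH_LEN 12                 /* mov rax, imm64 ; jmp rax */

/* Constructed target: stands in for the API a sample would hook (a network or
   file function, say). noinline keeps it a real call target with its own bytes. */
__attribute__((noinline)) uint32_t checksum(const char *s) {
    uint32_t sum = 0;
    for (; *s; s++) sum = sum * 31u + (unsigned char)*s;
    return sum;
}

/* The attacker-supplied replacement. Real hooks usually call the original via a
   trampoline rebuilt from the saved prologue; this one simply lies. */
uint32_t evil_checksum(const char *s) { (void)s; return 0x1337; }

/* Call through a volatile pointer so the compiler cannot inline, clone or
   constant-fold the call: the bytes at the symbol address must actually run. */
uint32_t call_checksum(const char *s) {
    uint32_t (*volatile fn)(const char *) = checksum;
    return fn(s);
}

static uint8_t saved[PATCH_LEN];     /* original prologue, kept for unhooking */
static int hooked = 0;

/* Make the page(s) holding the patch writable. PROT_EXEC stays set because this
   very function may live on the same page as the target. */
static int set_prot(void *addr, int writable) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + PATCH_LEN + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start,
                    PROT_READ | PROT_EXEC | (writable ? PROT_WRITE : 0));
}

/* 0 on success, -1 if mprotect refused (a W^X policy), -2 on an architecture
   this example has no patch encoding for. */
int install_inline_hook(void *target, void *hook) {
#if defined(__x86_64__)
    uint8_t patch[PATCH_LEN] = { 0x48, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xE0 };
    memcpy(patch + 2, &hook, sizeof hook);              /* imm64 = hook address */
    if (set_prot(target, 1) != 0) return -1;
    memcpy(saved, target, PATCH_LEN);
    memcpy(target, patch, PATCH_LEN);
    set_prot(target, 0);
    __builtin___clear_cache((char *)target, (char *)target + PATCH_LEN);
    hooked = 1;
    return 0;
#else
    (void)target; (void)hook;
    return -2;
#endif
}

int remove_inline_hook(void *target) {
    if (!hooked || set_prot(target, 1) != 0) return -1;
    memcpy(target, saved, PATCH_LEN);
    set_prot(target, 0);
    __builtin___clear_cache((char *)target, (char *)target + PATCH_LEN);
    hooked = 0;
    return 0;
}

/* Detection side: read the first bytes of a function and flag anything that
   starts with a jump instead of a prologue. A stricter check diffs the bytes
   against the module's on-disk copy. */
int looks_inline_hooked(const void *fn) {
    const uint8_t *p = fn;
    if (p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0) return 1; /* mov rax,imm64; jmp rax */
    if (p[0] == 0xE9 || p[0] == 0xEB) return 1;                                 /* jmp rel32 / rel8 */
    if (p[0] == 0xFF && p[1] == 0x25) return 1;                                 /* jmp [rip+disp32] */
    return 0;
}

int main(void) {
    const char *msg = "C:\\Windows\\notepad.exe";
    printf("before:   checksum=%u hooked=%d\n", call_checksum(msg), looks_inline_hooked((const void *)checksum));
    int rc = install_inline_hook((void *)checksum, (void *)evil_checksum);
    printf("rc=%d after: checksum=%u hooked=%d\n", rc, call_checksum(msg), looks_inline_hooked((const void *)checksum));
    if (rc == 0) remove_inline_hook((void *)checksum);
    printf("restored: checksum=%u hooked=%d\n", call_checksum(msg), looks_inline_hooked((const void *)checksum));
    return 0;
}
```

The Windows equivalent swaps `mprotect` for `VirtualProtect` and targets an exported API in a loaded DLL, which is why the detection check above is applied to exports rather than to arbitrary code. Two caveats a practitioner will hit: the patch must not split an instruction the original code later jumps back into, and on multi-threaded targets the 12-byte write is not atomic, so production hooks write the jump last or freeze other threads first.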
0x0b Kernel-mode Malware
Understanding kernel drivers and rootkits requires a solid grasp of Windows internals and driver development.
Basic Driver Development Resources:
- CodeProject: Driver Dev Part 1 (Intro)
- CodeProject: Driver Dev Part 2 (IOCTLs)
- (See source for more parts)
Key Books/Resources for Kernel:
- Windows Kernel Programming (Pavel Yosifovich)
- Windows Internals (Parts 1 & 2)
- OSR Online (Essential Driver Dev Resource)
- J00ru Blog
- The Rootkit Arsenal
- Rootkits and Bootkits
Kernel-mode Rootkit Techniques:
0x0c Going Deeper
Learning Resources
0x0d Courses and Tutorials
- Open Security Training
- Practical Malware Analysis learning materials (Sam's Class)
- Malware Unicorn Workshops
- Hasherezade's malware training repository
0x0e YouTube Channels and Videos
0x0f Recommended Books (Links Above)
(Direct links provided in relevant sections earlier)
- Practical Malware Analysis (Sikorski & Honig)
- The Art of Computer Virus Research and Defense (Peter Szor)
- The "Ultimate" Anti-Debugging Reference (Peter Ferrie)
- Malware Analyst's Cookbook and DVD
- Hacker Disassembling Uncovered (Kris Kaspersky)
- The Rootkit Arsenal
- Rootkits and Bootkits (Matrosov, Rodionov, Bratus)
- Reversing: Secrets of Reverse Engineering (Eilam, Eldad)
- Practical Reverse Engineering (Dang, Gazet, Bachaalany)
- The IDA Pro Book (Eagle, Chris)
Tips and Advice
0x10 Staying Motivated and Advancing Your Career
- Stay curious and eager to learn.
- Practice, practice, practice.
- Engage with the community (forums, Discord, Twitter).
- Contribute: Share writeups, tools, or knowledge.
- Stay up-to-date: Follow blogs, researchers, conferences.
- Develop strong programming skills (C/C++, Python, Assembly).
- Embrace failure as a learning opportunity.
- Maintain a safe and controlled lab environment.
- Adhere to ethical guidelines and respect IP.
0x11 Getting a Malware Analyst Job
- Contribute to the community (research, blogs, open source).
- Stay active (conferences, CTFs).
- Build an online presence (GitHub, Twitter, personal blog).
- Network with professionals.
- Continuously update skills.
Conclusion
This comprehensive roadmap provides a step-by-step guide for mastering reverse engineering and malware analysis. By following the suggested resources and engaging in practical exercises, you can build a strong foundation, develop advanced skills, and position yourself for a successful career in this field. Remember to stay motivated, curious, and always eager to learn. Good luck on your journey!
Additional Resources & Tools
Explore these blogs, communities, and tools to further your learning.
Key Tools:
- IDA Pro / Ghidra / Binary Ninja / Radare2 (Disassemblers/Decompilers)
- x64dbg / WinDbg / OllyDbg / Immunity Debugger (Debuggers)
- Wireshark (Network Analysis)
- CAPE Sandbox / Cuckoo Sandbox (Dynamic Analysis; CAPE is the maintained fork of Cuckoo and adds payload and configuration extraction)
- PEStudio / PE-bear (PE Analysis)
- Volatility (Memory Forensics)
- Sysinternals Suite (System Monitoring)
- YARA (Pattern Matching)