Reverse Engineering and Malware Analysis Roadmap

Welcome to the comprehensive roadmap for mastering reverse engineering and malware analysis. This roadmap is designed to guide individuals from beginner to expert level in the field of reverse engineering and malware analysis.

Foundations

0x00 Establishing a Secure Lab Environment

• Build a Malware Analysis Lab (Self-Hosted & Cloud) - The Malware Analysis Project 101

0x01 Mastering Reverse Engineering Tools

• Reverse Engineering For Everyone!
• Reversing with Lena151 – learn OllyDbg (old, but still very useful)
• REVERSING WITH IDA PRO FROM SCRATCH
• Introduction to Windbg and debugging windows
• Writing IDA plugins in C/C++
  • Reference: Hex-Rays C++ Docs
• IDA Plugin Writing in C++ v1.1
• IDA Plugin Writing in C++

Gathering Intelligence

0x02 Sourcing Malware Samples

• Malware Traffic Analysis
• VX Underground
• Malshare
• VirusShare
• Abuse.ch
• TheZoo
• VirusBay
• MalwareBazaar
• VirusSign

0x03 Gathering Threat Intelligence

• Benkow
• VXVault
• Cybercrime Tracker

Analyzing Malware Families

0x04 Understanding Common Malware Families

• Malpedia

Practical Exercises

0x05 Beginner Challenges and Writeups

First of all:

• Windows Stack Protection I: Assembly Code
• Windows Stack Protection II: Exploit Without ASLR
• Windows Stack Protection III: Limitations of ASLR
• The Wild World of Windows

• Material for Reverse Engineering Malware Practical Examples (2020 Jason Reaves)
• Beginner Malware Reversing Challenges (by Malware Tech)
• Solve the Malwarebytes CrackMe: a step-by-step tutorial
• MalwareTech Windows Reversing Challenge #1 Write-Ups
• MalwareTech Windows Reversing Challenge #2 Write-Ups
• MalwareTech Windows Reversing Challenge #3 Write-Ups
• Crackmes.one – various crackmes to help you exercise reversing
• "Nightmare" – a reverse engineering course created around CTF tasks
• FlareOn Challenge writeups
• Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries

Understanding Low-Level Concepts

0x06 Assembly Language and PE Format

• Video 1 and Video 2 for x86 assembly introduction
• Intel official manual on assembly language (and free courses for other platforms)
• An In-Depth Look Into The Win32 Portable Executable File Format
• An In-Depth Look into the Win32 Portable Executable File Format (Part 2)
• Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
• PE101 and PE102 by Ange Albertini
• Introduction to the Portable Executable (PE) File Format
• Win32 Portable Executable File Format (SANS)
• Inside Windows PE
• Windows Internals 7th Edition
• Dynamic Linking and Windows PE
• Understanding Windows PE Files
• Binary Analysis Cookbooks
• Windows PE Parsing with Python
• Automation Techniques in C++ Reverse Engineering

Additional Assembly Resources

• Modern x64 Assembly
• Intro to x86 Assembly Language
• x86_64 Linux Assembly
• Intro x86 (32 bit)
• Practical x64 Assembly and C++ Tutorials
• Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
• Linux System Call Table for x86_64
• Learning assembly for linux-x64
• x86-assembly-cheat
• x86 Assembly Guide
• Assembly’s Perspective
• A Crash Course in x86 Assembly for Reverse Engineers
• Understanding C by learning assembly
• x86 Assembly Crash Course (YouTube)
• x86 and amd64 instruction reference
• Learn x86_64 Assembly: Part 0, Part 1, Part 2
• x86-64 Assembly Programming with Ubuntu
• Assembly for beginners
• Assembly Language Succinctly
• Everything you want to know about x86 microcode...
• Beginner "Hello World" in Assembly
• Quick Guide to Assembly (Berkeley)
• Compiler Explorer (godbolt.org)
• Introduction to ARM
• Introduction to ARM Assembly Basics
• The Art of Assembly Language - Hyde, Randall
• Assembly Language Step-by-Step: Programming with Linux - Duntemann, Jeff

0x07 Programming for Reverse Engineering

Proficiency in C/C++, Python, and Assembly is highly recommended.

• MalwareTech's article on programming for malware analysis
• Recommended Learning:
  • x86 Assembly: Iczelion's tutorial, Win32 Assembler for Crackers by Goppit
  • C/C++: The C Programming language (K&R), The C++ Programming language, Linux Programming by example
• Windows System Programming book
• C/C++ Notes - Windows API Programming Win32

Start Now with These Books!

After all this learning, you can now start with these essential books on Reverse Engineering & Exploitation:

Reverse Engineering & Exploitation

• Reversing: Secrets of Reverse Engineering - Eilam, Eldad
• Practical Reverse Engineering: x86, x64, ARM, Windows Kernel - Dang, Gazet, Bachaalany

Malware Unpacking

0x08 Manual Unpacking Techniques

Some ways...

• Way one: Unpacking Malware (Medium Article)
• Way two: Manually unpacking malware (Travis Mathison)

• Manual Unpacking Playlist (YouTube)
• ConfuserEx 2 Deobfuscation with Python and dnlib
• Unpacking UPX packer
• How to unpack UPX packed malware with a SINGLE breakpoint
• LLVM-powered deobfuscation of virtualized binaries
• Automating Malware Deobfuscation with Binary Ninja
• How To Quickly Unpack Qbot Loader Malware
• Anti-UPX Unpacking Technique
• x64Unpack: Hybrid Emulation Unpacker for 64-bit Windows Environments
• The Art Of Unpacking part 1
• The Art Of Unpacking part 2
• Statically Unpacking Shellcode-based PE Loaders
• DOSfuscation: Exploring Cmd.exe Obfuscation

Advanced Techniques

0x09 Virtualization-based Protectors

• Workshop: VM-based Obfuscation Analysis
• Tigress: Virtualization-Based Software Obfuscation Pt. 1
• VMProtect 3: Virtualization-Based Software Obfuscation Pt. 2
• Discussion on reverse engineering virtualization
• VMProtect 2 – Detailed Analysis of the Virtual Machine Architecture
• VMProtect 2 – Part Two, Complete Static Analysis
• SpeakEasy: a writeup solving a challenge from UIUCTF 2021
• Tickling VMProtect with LLVM
• Cracking programs with custom virtualization-based protectors
• Dealing with Virtualization packer
• Unpacking Virtualization Obfuscators
• Virtual Machine RE-building
• Breaking State-of-the-Art Binary Code Obfuscation via Program Synthesis
• Advanced Binary Deobfuscation

0x0a Malware Injection and Hooking

• A walk-through various techniques (by Endgame)
• Ready-made demos of various code injection techniques (source code)
• Review of various injection techniques (BlackHat 2019)
• Author's PE injection demos (source code)
• "Inline Hooking for programmers" (by MalwareTech) - Part 1 and Part 2
• Windows API Hooking (article in Red Teaming Experiments)
• Simple userland rootkit - a case study

0x0b Kernel-mode Malware

Before we dive into kernel-mode malware and rootkit techniques, it's important to understand the fundamentals of driver development and kernel programming. Below are some great starting points that will guide you through these concepts and provide a solid foundation.

Basic Driver Development Resources

• Catalog of key Windows kernel data structures
• Driver Development Part 1: Introduction to Drivers
• Driver Development Part 2: Introduction to Implementing IOCTLs
• Driver Development Part 3: Introduction to Driver Contexts
• Driver Development Part 5: Introduction to the Transport Device Interface
• Driver Development Part 6: Introduction to Display Drivers

Additional Resources

Memory Management in Kernel Mode

• How The Kernel Manages Your Memory
• Driver Basics - DMA Concepts
• Sharing Memory Between Drivers and Applications
• Windows NT Virtual Memory (Part I) & (Part II)

Handling IRPs (I/O Request Packets)

• Properly Pending IRPs - IRP Handling for the Rest of Us
• Rolling Your Own - Building IRPs to Perform I/O
• The Truth About Cancel - IRP Cancel Operations (Part I) & (Part II)
• Must-read: Microsoft: Handling IRPs

The Basics: Bugchecks Explained

• PFN_LIST_CORRUPT
• PAGE_FAULT_IN_NONPAGED_AREA
• KERNEL_DATA_INPAGE_ERROR
• NO_MORE_IRP_STACK_LOCATIONS

Important Books for Kernel and Driver Development

• Windows Kernel Programming (First Edition)
• Windows Kernel Programming, 2nd Edition
• Windows NT Device Driver Development
• Windows Internals, Part 1, 7th Edition - 2017
• Windows Internals, 7th Edition, Part 2 - 2021

Web Resources

• OSR Online: The first and most important resource about Windows Driver Development
• J00ru Blog - Reverse Engineering & Kernel Research

Key Resources for Kernel-mode Malware and Rootkit Techniques

• Starting with Windows Kernel Exploitation - setting up the lab
• Brief introduction to driver analysis methods by Matt Hand
• Rootkit analysis tutorial

Kernel-mode Rootkit Techniques:

• Hooking IDT
• SSDT hooks
• IRP hooks
• Kernel filters

0x0c Going Deeper

• Malware infecting MBR, bootkits, and UEFI firmware
• UEFI Reverse Engineering, Vulnerability Discovery, and Exploit Development

Learning Resources

0x0d Courses and Tutorials

• Mytechnotalent's Reverse Engineering Repository
• Octopus Labs
• Open Security Training
• Practical Malware Analysis learning materials
• Malware Analysis course (University of Cincinnati)
• Red/purple teaming: a malware development course by 0xPat
• Building C2 implants in C++
• Hasherezade's malware training repository

Obfuscation

• Practical Obfuscating Programs
• Program Obfuscation
• Invoke-Obfuscation: PowerShell obFUsk8tion
• Obfuscation-based Malware Update
• Techniques of Program Code Obfuscation
• A Tutorial on Software Obfuscation
• Code Obfuscation and Virus Detection

0x0e YouTube Channels and Videos

• Malware Analysis For Hedgehogs
• OALabs
• Colin's channel about malware
• DuMp-GuY TrIcKsTeR

0x0f Recommended Books

• Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software
• The Art of Computer Virus Research and Defense – Peter Szor
• "The "Ultimate" Anti-Debugging Reference" – by Peter Ferrie
• Malware Analyst's Cookbook and DVD
• Hacker Disassembling Uncovered – by Kris Kaspersky
• The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
• Rootkits and Bootkits – by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
• Windows System Programming (4th edition) – by Johnson M. Hart

Tips and Advice

0x10 Staying Motivated and Advancing Your Career

• Stay curious and eager to learn.
• Practice, practice, practice.
• Engage with the community.
• Contribute and share your knowledge.
• Stay up-to-date with the latest trends and techniques.
• Develop strong programming skills (C/C++, Python, Assembly).
• Embrace failure as a learning opportunity.
• Maintain a safe and controlled environment for your analysis.
• Respect intellectual property and adhere to ethical guidelines.

0x11 Getting a Malware Analyst Job

• Contribute to the community (research, blogs, open source).
• Stay active (conferences, CTFs).
• Build a solid online presence (GitHub, Twitter).
• Network with industry professionals.
• Continuously update your skills and knowledge.

Conclusion

This comprehensive roadmap provides a step-by-step guide for mastering reverse engineering and malware analysis. By following the suggested resources and engaging in practical exercises, you can build a strong foundation, develop advanced skills, and position yourself for a successful career in this field. Remember to stay motivated, curious, and always eager to learn. Good luck on your journey!

Additional Resources

Blogs and Websites

• MalwareTech
• Hasherezade's Blog
• Malwarebytes Labs
• FireEye Threat Research Blog
• Talos Intelligence Blog
• Securelist by Kaspersky
• The Malware Analyst's Cookbook
• 0xec
• Malwarebytes Unpacked
• SANS Internet Storm Center
• MalwareMustDie
• ReversingLabs

Forums and Communities

• MalwareTips
• Reverse Engineering Stack Exchange
• KernelMode.info
• Wilders Security Forums
• r/Malware on Reddit
• VirusTotal Community
• OSR Developer Community
• UnKnoWnCheaTs
• ru-board
• R0
• CrackLab

Tools and Software

• IDA Pro
• Ghidra
• x64dbg
• OllyDbg
• Immunity Debugger
• Wireshark
• Cuckoo Sandbox
• PEStudio
• Volatility
• Sysinternals Suite
• YARA
• Capstone
• Radare2
• Binary Ninja

Online Platforms and Challenges

• MalwareBazaar
• VirusTotal
• Hybrid Analysis
• Flare-On Challenge
• CTFTime
• Hack The Box

Upcoming Resources

I will be adding some random books to the REbooks folder soon. Stay tuned for more resources!

Acknowledgments

A big thank you to all the researchers, authors, and contributors who have shared their knowledge and resources in the field of reverse engineering and malware analysis. This roadmap wouldn't have been possible without their valuable contributions.

Contributing

Contributions are welcome! If you have any suggestions, resources, or improvements to this roadmap, please feel free to open an issue or submit a pull request.

Channel

Join OrcaCyberWeapons on Telegram!

Are you ready to dive into the depths of cybersecurity, reverse engineering, and advanced threat analysis? Look no further than OrcaCyberWeapons, your gateway to the world of cutting-edge security research and exploration.

What We Offer:

• Advanced Cybersecurity Insights: Delve into the latest trends, techniques, and strategies employed by cyber adversaries.
• Reverse Engineering Expertise: Uncover the inner workings of sophisticated malware and dissect exploit techniques.
• Malware Development and Analysis: Gain valuable insights into the creation, analysis, and mitigation of malware.
• APT Techniques and Defense Strategies: Explore the realm of advanced persistent threats (APTs) and fortify your defenses.

Whether you're a seasoned cybersecurity professional, an aspiring ethical hacker, or a curious enthusiast, OrcaCyberWeapons provides a platform for in-depth discussions, practical insights, and collaborative exploration.

[Join OrcaCyberWeapons on Telegram]