🎯 Goal
Understand how software and malware operate at the lowest levels. Learn to disassemble, debug, and analyze malicious code to uncover its behavior, capabilities, and indicators—crucial for incident responders, threat hunters, and red teamers creating custom tools.
🔑 Key Skills to Learn
- CPU Architecture Basics: x86/x64 assembly fundamentals, registers, memory layout (stack, heap), calling conventions.
- Static Analysis: Extracting strings, imports, PE/ELF/Mach-O headers, packer identification (UPX, custom).
- Dynamic Analysis: Running samples in sandboxes (ANY.RUN, Cuckoo), monitoring processes, registry, network calls (Process Monitor, Wireshark).
- Debugging: Setting breakpoints, stepping through code, modifying registers/flow (x64dbg, WinDbg).
- Disassembly: Reading compiled code with Ghidra/IDA Free, creating diagrams, renaming variables, understanding control flow.
- Unpacking: Manual unpacking techniques, dumping memory, rebuilding imports.
- Common Malware Techniques: Process injection, API hooking, keylogging, C2 communication patterns, anti-analysis tricks (anti-VM, anti-debug).
- Reverse Engineering for Non-Malware: Analyzing firmware, proprietary protocols, or patching binaries (useful for red team tool modification).
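The static-analysis skills above (header parsing, section inspection, string extraction, packer identification) can be practiced without any of the tools in the next section. The following is an added example written for this roadmap, not code from any listed project or from a real malware sample: a standard-library-only Python triage script that parses a PE's DOS/NT headers and section table, computes per-section Shannon entropy, extracts printable strings, and flags packer hints. The PE it analyzes is constructed inline by `build_sample_pe()` (a non-executable stand-in with a plain `.text` section and a pseudo-random `UPX1` section); the `PACKER_SECTION_NAMES` list and the 7.0 entropy threshold are assumptions chosen for the example, not authoritative values.

```python
"""Minimal static triage of a PE file using only the standard library.

Added example for this roadmap: parses DOS/NT headers and the section table,
computes per-section Shannon entropy, pulls printable ASCII strings and flags
packer hints. The sample PE is constructed in build_sample_pe() so the script
runs offline; it is not a real binary and cannot execute.
"""
import hashlib
import math
import re
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Assumed starting list: UPX names the sections it creates this way.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    total = len(blob)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def extract_strings(blob: bytes, min_len: int = 4):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def parse_pe(data: bytes) -> dict:
    """Return machine, entry point and section metadata from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    machine, nsections, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, fh)
    opt = fh + 20                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    table = opt + opt_size                                   # section headers, 40 bytes each
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        body = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(body), 2),
        })
    return {"machine": machine, "pe32_plus": magic == 0x20B, "entry_point": entry,
            "characteristics": chars, "sections": sections}


def packer_hints(info: dict, entropy_threshold: float = 7.0):
    """Heuristics only: a name match or high entropy is a prompt to unpack, not proof."""
    hints = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hints.append(f"section {s['name']!r} matches a known packer name")
        if s["entropy"] > entropy_threshold:
            hints.append(f"section {s['name']!r} entropy {s['entropy']} suggests compressed or encrypted data")
    return hints


def build_sample_pe() -> bytes:
    """Construct a tiny PE64 image: a low-entropy .text and a high-entropy UPX1 section."""
    text = b"kernel32.dll\0VirtualAlloc\0GetProcAddress\0Hello from sample\0".ljust(512, b"\0")
    # Deterministic pseudo-random filler standing in for compressed code.
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    opt_size, e_lfanew, text_off = 240, 0x80, 0x400          # 240 = sizeof(IMAGE_OPTIONAL_HEADER64)
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, opt_size, 0x22)
    opt = (struct.pack("<H", 0x20B) + b"\0" * 14 + struct.pack("<I", 0x1000)).ljust(opt_size, b"\0")
    sec_fmt = "<8sIIIIIIHHI"                                  # full 40-byte IMAGE_SECTION_HEADER
    sec_text = struct.pack(sec_fmt, b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
    sec_upx = struct.pack(sec_fmt, b"UPX1", len(packed), 0x2000, len(packed), text_off + len(text), 0, 0, 0, 0, 0xE0000040)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec_text + sec_upx).ljust(text_off, b"\0")
    return headers + text + packed


def triage(data: bytes) -> dict:
    info = parse_pe(data)
    return {"info": info, "hints": packer_hints(info), "strings": extract_strings(data)}


if __name__ == "__main__":
    report = triage(build_sample_pe())
    for s in report["info"]["sections"]:
        print(f"{s['name']:<8} rva=0x{s['virtual_address']:x} size={s['raw_size']} entropy={s['entropy']}")
    print("hints:", *report["hints"], sep="\n  ")
    print("strings:", [x for x in report["strings"] if len(x) > 8][:5])
```

Running it shows the two signals a triage analyst looks for first: the `UPX1` section name and its near-8.0 entropy, against the readable `.text` section with an entropy near 1. Note that `extract_strings` over the whole file also returns short junk runs from the high-entropy section, which is why real triage runs strings per section or after unpacking.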
🛠️ Essential Tools & Technologies
| Tool | Purpose |
|---|---|
| Ghidra | NSA's open-source reverse engineering suite (disassembler, decompiler). |
| IDA Freeware | Industry-standard disassembler (free version for x86/x64). |
| x64dbg / x32dbg | Windows debugger for dynamic analysis. |
| WinDbg | Windows kernel and user-mode debugger. |
| Radare2 / Rizin / Cutter | Open-source reverse engineering framework (CLI + GUI). |
| PE-bear / PEBrowse | PE header and structure analysis. |
| Detect It Easy (DIE) | File type and packer identifier. |
| Process Monitor (Sysinternals) | Real-time registry, process, and file system monitoring during dynamic analysis. |
| VirusTotal | Multi-engine hash lookup and basic file analysis. |
| ANY.RUN / Triage | Interactive online sandbox (free community tier). |
📖 Free Learning Resources
- OpenSecurityTraining.info – Free, instructor-led courses: "Intro to x86", "Introduction to Reverse Engineering".
- Malware Unicorn’s Reverse Engineering 101/102 – Free structured workshops with Windows and Linux binaries.
- Practical Malware Analysis Labs – Free labs associated with the book; no book purchase is needed to access the samples.
- PicoCTF – Past reverse engineering challenges for beginners (ARM, x86).
- CrackMes.one – Community-contributed reverse engineering challenges.
- All Things RE (YouTube) – OALabs – Malware analysis and unpacking walkthroughs.
- TCM Security (YouTube) – Practical reverse engineering and exploit development introductions.
- The Zoo (theZoo) – A curated repository of live malware samples for analysis (ethical use only), hosted on GitHub.
🔗 Roadmap Placement
- Prerequisites: Solid Linux, Windows internals, and basic programming (C/Python). DFIR knowledge helps contextualize malware in an incident.
- Directly Enables: Malware Analyst, Reverse Engineer, Exploit Developer, Red Team Tool Crafting, or Threat Intelligence (understanding adversary capabilities).
- Next Steps: Specialize further in Mobile Malware Analysis, Firmware Reversing, or Advanced Exploit Development.