Evasive Malware
A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats
Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.
- Authors: Kyle Cucci
- Published: 2024
- Publisher: No Starch Press
- Pages: 488
- Language: English
Read this if
Malware analysts who finished Practical Malware Analysis and keep getting beaten by samples that detect their sandbox. The current reference on anti-analysis tradecraft, by a respected sandbox-and-detection practitioner.
Skip this if
Beginners. Cucci assumes you already know how to set up a sandbox, run static and dynamic analysis, and read assembly; the book picks up where PMA leaves off.
Key takeaways
- Anti-VM and anti-sandbox checks now run as the first instructions of most samples; the book catalogues the dominant patterns and how to neutralise them.
- Modern packers are conceptually simple but operationally demanding; Cucci's framing of unpacking-as-staged-emulation is the cleanest in print.
- Control-flow obfuscation (opaque predicates, virtualization-based protections) is the analyst's hardest current problem; the chapters on it justify the book on their own.
Notes
Pair with Practical Malware Analysis (Sikorski/Honig) for the foundation and Practical Reverse Engineering (Dang/Gazet/Bachaalany) for the architecture depth. Cucci's prior work on Securosophy and the SANS FOR610 / FOR710 courses are the natural complements. The 2024 publication date keeps the book current with modern packer ecosystems.
What to read before
Intermediate · 2012
Practical Malware Analysis
Still the gold standard textbook for static and dynamic malware analysis on Windows.
Advanced · 2007
Techniques virales avancées
Specialized follow-up to Filiol's Les virus informatiques. Dives into advanced malicious-code attack techniques and their defensive analysis.
Intermediate · 2011
The IDA Pro Book
Chris Eagle's deep manual on IDA Pro, the disassembler that defined a generation of reverse engineering. Useful even with Ghidra in the picture, since most malware-analysis literature still assumes IDA.
What to read next
Advanced · 2007
Techniques virales avancées
Specialized follow-up to Filiol's Les virus informatiques. Dives into advanced malicious-code attack techniques and their defensive analysis.
Advanced · 2009
Les virus informatiques : théorie, pratique et applications
Éric Filiol's reference French-language treatment of computer virology. Formal theory, infection mechanisms, offensive and defensive applications, with academic rigor rare on the topic.
Advanced · 2014
Practical Reverse Engineering
A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.
Explore similar books
Advanced · 2007
Techniques virales avancées
Specialized follow-up to Filiol's Les virus informatiques. Dives into advanced malicious-code attack techniques and their defensive analysis.
Intermediate · 2012
Practical Malware Analysis
Still the gold standard textbook for static and dynamic malware analysis on Windows.
Advanced · 2009
Les virus informatiques : théorie, pratique et applications
Éric Filiol's reference French-language treatment of computer virology. Formal theory, infection mechanisms, offensive and defensive applications, with academic rigor rare on the topic.