// Comparison

Evasive Malware vs Practical Binary Analysis: Which Should You Read?

Two cybersecurity books on Reverse Engineering, compared honestly: who each is for, what each does best, and which to read first.

Advanced

4/52024

Evasive Malware

A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats

Kyle Cucci

Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.

Advanced

5/52018

Practical Binary Analysis

Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly

Dennis Andriesse

Dennis Andriesse on the binary toolchain you can actually script: ELF internals, dynamic taint analysis, symbolic execution and instrumentation with concrete code-along examples.

Read this if

Malware analysts who finished Practical Malware Analysis and keep getting beaten by samples that detect their sandbox. The current reference on anti-analysis tradecraft, by a respected sandbox-and-detection practitioner.

Reverse engineers ready to stop being IDA clickers and start being programmers who happen to RE. Andriesse covers DBI (Pin), taint analysis (Triton), and symbolic execution (angr) at exactly the level a practitioner needs to weaponize them.

Skip this if

Beginners. Cucci assumes you already know how to set up a sandbox, run static and dynamic analysis, and read assembly; the book picks up where PMA leaves off.

RE beginners who haven't yet finished Practical Reverse Engineering, or readers without C and Python comfort. The book assumes you can already disassemble; the value is in the automation layer.

Key takeaways

Anti-VM and anti-sandbox checks now run as the first instructions of most samples; the book catalogues the dominant patterns and how to neutralise them.
Modern packers are conceptually simple but operationally demanding; Cucci's framing of unpacking-as-staged-emulation is the cleanest in print.
Control-flow obfuscation (opaque predicates, virtualization-based protections) is the analyst's hardest current problem; the chapters on it justify the book on their own.

Modern RE is automated RE; the book is the bridge between hand-driven analysis and the toolchain that scales to large binaries.
Symbolic execution is finally accessible to working RE engineers thanks to angr, and Andriesse's framing is what makes it click for most practitioners.
Custom DBI passes solve a category of problems that no GUI tool can; the book teaches you when to reach for them and how to write them.

How they compare

We rate Practical Binary Analysis higher (5/5 against 4/5 for Evasive Malware). For most readers, that means Practical Binary Analysis is the primary pick and Evasive Malware is a useful follow-up.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Evasive Malware and Practical Binary Analysis both cover Reverse Engineering, so reading them in sequence reinforces the same material from different angles.

Keep reading