// Comparison

Evasive Malware vs Practical Malware Analysis: Which Should You Read?

Two cybersecurity books on Malware, compared honestly: who each is for, what each does best, and which to read first.

Advanced

4/52024

A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats

Kyle Cucci

Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.

Intermediate

5/52012

Practical Malware Analysis

The Hands-On Guide to Dissecting Malicious Software

Michael Sikorski, Andrew Honig

Still the gold standard textbook for static and dynamic malware analysis on Windows.

Read this if

Malware analysts who finished Practical Malware Analysis and keep getting beaten by samples that detect their sandbox. The current reference on anti-analysis tradecraft, by a respected sandbox-and-detection practitioner.

Aspiring threat researchers, blue-teamers who want to read samples instead of forwarding them to a vendor, anyone preparing for GREM.

Skip this if

Beginners. Cucci assumes you already know how to set up a sandbox, run static and dynamic analysis, and read assembly; the book picks up where PMA leaves off.

Mac/Linux malware, mobile, or modern packed loaders that defeat IDA's autoanalysis. The book is x86 Windows in spirit.

Key takeaways

Anti-VM and anti-sandbox checks now run as the first instructions of most samples; the book catalogues the dominant patterns and how to neutralise them.
Modern packers are conceptually simple but operationally demanding; Cucci's framing of unpacking-as-staged-emulation is the cleanest in print.
Control-flow obfuscation (opaque predicates, virtualization-based protections) is the analyst's hardest current problem; the chapters on it justify the book on their own.

Static and dynamic analysis are two halves of one workflow, not alternatives.
The labs are the book, the chapters are scaffolding to make the labs solvable.
Anti-analysis techniques deserve more time than newcomers usually give them.

How they compare

We rate Practical Malware Analysis higher (5/5 against 4/5 for Evasive Malware). For most readers, that means Practical Malware Analysis is the primary pick and Evasive Malware is a useful follow-up.

Evasive Malware is pitched at advanced level. Practical Malware Analysis is pitched at intermediate level. Read the easier one first if you're not yet comfortable with the topic.

Evasive Malware and Practical Malware Analysis both cover Malware, Reverse Engineering, Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

Evasive Malware

→ Alternatives to Evasive Malware → What to read after Evasive Malware