Practical Malware Analysis
The Hands-On Guide to Dissecting Malicious Software
Still the gold standard textbook for static and dynamic malware analysis on Windows.
- Authors: Michael Sikorski, Andrew Honig
- Published: 2012
- Publisher: No Starch Press
- Pages: 800
- Language: English
Table of contents
21 chapters · 41 sections
Part I: Basic Analysis
- 1. Basic Static Techniques
  - Antivirus scanning
  - Hashing: a fingerprint for malware
  - Finding strings
  - Packed and obfuscated malware
  - Portable Executable file format
  - Linked libraries and functions
- 2. Malware Analysis in Virtual Machines
  - The structure of a virtual machine
  - Creating your malware analysis machine
  - Using your malware analysis machine
  - The risks of using VMware for malware analysis
- 3. Basic Dynamic Analysis
  - Sandboxes: the quick-and-dirty approach
  - Running malware
  - Monitoring with Process Monitor
  - Viewing processes with Process Explorer
  - Comparing registry snapshots with Regshot
  - Faking a network
  - Packet sniffing with Wireshark
Part II: Advanced Static Analysis
- 4. A Crash Course in x86 Disassembly
  - Levels of abstraction
  - Reverse-engineering
  - The x86 architecture
  - Main memory
  - Instructions
  - Opcodes and endianness
  - Operands
  - Registers
  - Simple instructions
  - The stack
  - Conditionals, branching, rep instructions
- 5. IDA Pro
  - Loading an executable
  - The IDA Pro interface
  - Using cross-references
  - Analyzing functions
  - Using graphing options
  - Enhancing disassembly
  - Extending IDA with plug-ins
- 6. Recognizing C Code Constructs in Assembly
- 7. Analyzing Malicious Windows Programs
Part III: Advanced Dynamic Analysis
- 8. Debugging
- 9. OllyDbg
- 10. Kernel Debugging with WinDbg
Part IV: Malware Functionality
- 11. Malware Behavior
  - Downloaders and launchers
  - Backdoors
  - Credential stealers
  - Persistence mechanisms
  - Privilege escalation
  - User-mode rootkits
- 12. Covert Malware Launching
- 13. Data Encoding
- 14. Malware-Focused Network Signatures
Part V: Anti-Reverse-Engineering
- 15. Anti-Disassembly
- 16. Anti-Debugging
- 17. Anti-Virtual Machine Techniques
Part VI: Special Topics
- 18. Packers and Unpacking
- 19. Shellcode Analysis
- 20. C++ Analysis
- 21. 64-Bit Malware
Prerequisites
Familiarity with x86 assembly basics and Windows internals. Each chapter ends with labs; do them, and do not skip them.
Read this if
Aspiring threat researchers, blue-teamers who want to read samples instead of forwarding them to a vendor, or anyone preparing for GREM.
Skip this if
Your targets are Mac/Linux malware, mobile, or modern packed loaders that defeat IDA's autoanalysis. The book is x86 Windows in spirit.
Key takeaways
- Static and dynamic analysis are two halves of one workflow, not alternatives.
- The labs are the book; the chapters are scaffolding to make the labs solvable.
- Anti-analysis techniques deserve more time than newcomers usually give them.
Notes
The labs are what separate this from every other RE book. You read a technique, see it in a real-shaped sample, fight with it for an hour, then read the answer. By the end you have built reflexes, not just knowledge. Dated on .NET malware and modern loader chains, but the diagnostic posture generalizes cleanly.
What to read before Practical Malware Analysis
- Beginner · 2019 · Foundations of Information Security
  Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
- Beginner · 2021 · How Cybersecurity Really Works
  Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.
- Beginner · 2014 · Countdown to Zero Day
  Kim Zetter's investigative reconstruction of Stuxnet, the joint US/Israeli operation that physically damaged Iranian uranium-enrichment centrifuges via a worm, and what its discovery revealed about state-level cyber capability.
What to read after Practical Malware Analysis
- Advanced · 2024 · Evasive Malware
  Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.
- Advanced · 2007 · Techniques virales avancées
  Specialized follow-up to Filiol's Les virus informatiques. Dives into advanced malicious-code attack techniques and their defensive analysis.
- Advanced · 2009 · Les virus informatiques : théorie, pratique et applications
  Éric Filiol's reference French-language treatment of computer virology. Formal theory, infection mechanisms, offensive and defensive applications, with academic rigor rare on the topic.