I am often asked by those wishing to pursue a career as a malware analyst which references are useful for learning, and continuing to learn, the art and craft of malware analysis. Here is a list of resources that I find useful:
1. The Art of Computer Virus Research and Defense by Peter Szor (TAOCVRD). This is the book that introduced me to malware research. It could use some updating, but sadly, the author recently passed away. On the other hand, with the popularity of Android malware, what is old is new again: many Android malware samples do what the old Windows malware did in the early days.
TAOCVRD covers the different malware types, the armoring and self-protection strategies they employ, and the common detection techniques, and the last chapter is a useful guide to setting up your own malware analysis lab. Again, it is a bit outdated, because many of the tools we use today were not widely available when this book was originally published. However, many of the analysis techniques are still relevant today.
2. Practical Malware Analysis by Michael Sikorski and Andrew Honig (PMA). An introductory tour of malware analysis and reverse engineering techniques. The hands-on labs reinforce the skills covered in each chapter; each lab has a set of malware-like samples (downloadable from the book's website). Introductory chapters cover x86 assembly and the common instructions you will encounter, as well as how to use common tools such as OllyDbg and IDA Pro.
3. One of the most powerful tools for static analysis, which I mentioned in (2), is IDA Pro, but it has a steep learning curve. The IDA Pro Book by Chris Eagle is about the only practical user's guide available. Whenever I need to learn something new in IDA, or how to write a plugin, I consult this book.
4. Exploiting Software: How to Break Code by Greg Hoglund and Gary McGraw. This book shows the common software programming errors and the exploitation patterns that target them. I usually start by looking for these patterns in the malware samples I am analyzing to help guide my investigation; knowing these patterns can reveal what the malware may be targeting.
5. Reversing: Secrets of Reverse Engineering by Eldad Eilam. This too is a little outdated, but it is the best introduction to the art of RE that I have found so far. It covers the common tools used, the basics of assembly and the x86 architecture, basic Windows internals, and even has a chapter on reversing malware.
This list is by no means exhaustive. I am sure I am overlooking other good sources and would be happy to hear what other analysts routinely consult; I am always looking to expand my library.