Practical Malware Analysis Book Additional Resources

Bit
4 min read · Sep 11, 2020
[Image: Practical Malware Analysis book cover]

While reading the “Practical Malware Analysis” book, I researched and read a lot of supplementary material, and I found the resources below very helpful. My hope is that they will help you in your journey as well.

Please keep in mind that if I tell you about an application or a resource, I don’t mean that you must definitely read or use it. It’s just a suggestion. It’s what helped and worked for me, and I hope it works for you too.

Before we get started, check the book’s website: some of the tools hosted there, such as FakeNet, still work on Windows XP, unlike the latest version of that tool.

- Chapter 1: Basic Static Techniques

Give Detect It Easy (DIE) a shot alongside PEiD. PEiD is no longer maintained and its signature database is old, so DIE will often identify a compiler or packer that PEiD misses.

Consider using PE-bear instead of other PE viewers. It’s free and has more features than any other PE viewer I have used.

- Chapter 3: Basic Dynamic Analysis

Give Process Hacker a shot too when you are using Process Explorer (the project has since been renamed System Informer). I use Process Hacker because it has handy features such as listing all the handles of a particular process.

If you can’t afford VMware, just like me, then I would suggest VirtualBox. This is a helpful tutorial on how to create a virtual environment for malware analysis:

Creating a Simple Free Malware Analysis Environment

If you want to set up something like INetSim, then this blog will help you immensely:

Set up your own malware analysis lab with VirtualBox, INetSim and Burp

- Chapter 4: A Crash Course in x86 Disassembly

The aldeid website is great and has lots of resources for malware analysis. Its X86-assembly/Instructions list is really good, and it also links to a tool for converting an instruction into its binary (opcode) representation. That’s pretty handy if you ever want to patch a certain part of a program.
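
The kind of patch the aldeid encoder helps with is usually a relative jump: you flip a conditional jump into an unconditional one (or NOP it out) to skip a check. Relative jumps are easy to encode by hand once you remember that the displacement is measured from the end of the jump instruction, and that the short form (8-bit displacement) and the near form (32-bit displacement) have different opcodes and lengths. The following is an added example written for this post, not code from the book or from aldeid; the licence-check stub it patches is constructed for the demo and loaded at an assumed base of 0x401000, and only the three jumps analysts patch most often are in the opcode table.

```python
# Opcodes for the jumps most often patched. Short forms take a signed 8-bit
# displacement, near forms a signed 32-bit one; both are relative to the
# address of the *next* instruction. (Other Jcc short opcodes are 0x70-0x7F,
# near forms 0x0F 0x80-0x8F; add them to the tables as needed.)
SHORT = {"jmp": b"\xEB", "jz": b"\x74", "jnz": b"\x75"}
NEAR = {"jmp": b"\xE9", "jz": b"\x0F\x84", "jnz": b"\x0F\x85"}
NOP = b"\x90"


def encode_jump(mnemonic: str, at: int, target: int, force_near: bool = False) -> bytes:
    """Encode `mnemonic target` placed at virtual address `at`, using the shortest form that fits."""
    if not force_near:
        rel = target - (at + 2)                     # short form is 2 bytes long
        if -128 <= rel <= 127:
            return SHORT[mnemonic] + rel.to_bytes(1, "little", signed=True)
    opcode = NEAR[mnemonic]
    rel = target - (at + len(opcode) + 4)           # near form is opcode + rel32
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range")
    return opcode + rel.to_bytes(4, "little", signed=True)


def decode_jump(code: bytes, base: int, at: int):
    """Return (mnemonic, target, length) for the jump at `at` in `code` loaded at `base`."""
    off = at - base
    for mnem, op in SHORT.items():
        if code[off:off + 1] == op:
            rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
            return mnem, at + 2 + rel, 2
    for mnem, op in NEAR.items():
        n = len(op)
        if code[off:off + n] == op:
            rel = int.from_bytes(code[off + n:off + n + 4], "little", signed=True)
            return mnem, at + n + 4 + rel, n + 4
    raise ValueError(f"no recognised jump at {at:#x}")


def patch_code(code: bytes, base: int, at: int, old_len: int, new_bytes: bytes) -> bytes:
    """Overwrite the `old_len`-byte instruction at `at`, NOP-padding so nothing after it moves."""
    if len(new_bytes) > old_len:
        raise ValueError("replacement is longer than the instruction it replaces")
    off = at - base
    return code[:off] + new_bytes + NOP * (old_len - len(new_bytes)) + code[off + old_len:]


BASE = 0x401000
# Constructed licence-check stub (not from any real sample):
#   401000  83 F8 01        cmp  eax, 1
#   401003  74 05           jz   0x40100A     ; valid key -> skip the failure path
#   401005  B8 00 00 00 00  mov  eax, 0       ; failure: return 0
#   40100A  C3              ret
CODE = bytes.fromhex("83F801" "7405" "B800000000" "C3")


def bypass_check(code: bytes = CODE, base: int = BASE) -> bytes:
    """Turn the jz at 0x401003 into a jmp to the same target so the failure path never runs."""
    mnem, target, length = decode_jump(code, base, 0x401003)
    if mnem != "jz":
        raise ValueError(f"expected jz, found {mnem}")
    return patch_code(code, base, 0x401003, length, encode_jump("jmp", 0x401003, target))


if __name__ == "__main__":
    print("before:", CODE.hex(" "))
    print("after: ", bypass_check().hex(" "))
```

The patch is applied to the in-memory image at virtual addresses; to write it into the file on disk you convert the address to a file offset through the section table (offset = address − ImageBase − VirtualAddress + PointerToRawData of the section containing it). Keeping the replacement no longer than the original and NOP-padding the remainder is what keeps every later instruction at its original address, so other jumps and call targets stay valid.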

If you want to study assembly language, I highly recommend Assembly Language Step-by-Step by Jeff Duntemann. In my blog post “How to become a malware analyst” I explain in more detail why you need to become familiar with assembly language.

- Chapter 6: Recognizing C Code Constructs in Assembly

If you want to learn more about C programming, I highly recommend Harvard University’s CS50 course. In my blog post “How to become a malware analyst” I explain at length why you need C knowledge and experience.

- Chapter 7: Analyzing Malicious Windows Programs

If you can’t find the function you are looking for in Appendix A of the Practical Malware Analysis book, look at these two links to see whether they have an explanation for it:

Windows Functions in Malware Analysis — Cheat Sheet — Part 1

Windows Functions in Malware Analysis — Cheat Sheet — Part 2

Or this one:

Windows Functions in Malware Analysis Cheat Sheet

- Chapter 8: Debugging

Give x64dbg a shot too when you want to debug malware. It has a better UI, so less headache.

If you want to debug DLLs in x64dbg, then this link is very helpful:

Analyzing a DLL in x64DBG

- Chapter 10: Kernel Debugging with WinDbg

Just one thing to consider for the link I’ve provided below: download the “Windows 10 SDK”, which contains WinDbg. Do not download “WinDbg Preview”!

WinDbg download link, and installation guide

If you didn’t find the tutorial in chapter 10 useful for setting up a proper kernel debugging environment, consider one of the links below.

One thing to pay attention to before following any of these tutorials: replace every 1 with 2 after “COM” in the port names:

Example: com_1, COM1, com1 ==> com_2, COM2, com2

Windows Host and VMware:

Setting up kernel debugging using WinDbg and VMware

Windows Host and VirtualBox:

Setting Up a Windows 7+ Virtualbox VM for Kernel Mode Debugging

Linux Host and VirtualBox (but it’s really slow):

Setting up a Windows VM lab for kernel debugging

- Chapter 12: Covert Malware Launching

It’s not 2015 anymore, and there are more methods for process injection:

Consider reading the paper “Windows Process Injection in 2019” by Amit Klein and Itzik Kotler, presented at Black Hat 2019.

- Chapter 14: Malware-Focused Network Signatures

I recommend this short tutorial about regex, to give you a better understanding of how regular expressions work (the Snort signatures in this chapter use them in their pcre options):

An Introduction to Regular Expressions (Regex)

Snort basics:
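
Where the regex tutorial pays off in chapter 14 is in writing a beacon signature that is neither too loose nor too tight. The following is an added example written for this post, not code from the book or from the linked tutorial. It runs three versions of one signature over four constructed HTTP requests (two beacons from an imaginary sample whose beacon is `GET /<three lowercase letters>.php?id=<number>`, two benign requests) and shows the two classic mistakes: forgetting that `.` and `?` are metacharacters, and not anchoring the pattern. The Snort rule at the end is constructed for the demo, with a sid from the local range.

```python
import re

# Constructed traffic: index 0 and 1 are beacons, 2 and 3 are benign lookalikes.
REQUESTS = [
    "GET /abc.php?id=23845 HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n",
    "GET /xyz.php?id=1 HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n",
    "GET /news/abc.php?id=23845 HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /aaa.php?id=x HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

# 1. Metacharacters left unescaped: '.' matches any byte and 'p?' makes the last
#    'p' optional, so the literal "?id=" of the beacon can never match. False negative.
NAIVE = r"/[a-z]{3}.php?id=[0-9]+"
# 2. Escaped but unanchored: also fires on /news/abc.php?id=... on a benign site. False positive.
ESCAPED = r"/[a-z]{3}\.php\?id=[0-9]+"
# 3. Anchored to the request line: the path must be at the root and be the whole URI.
ANCHORED = r"^GET /[a-z]{3}\.php\?id=[0-9]+ HTTP/1\.[01]\r\n"


def hits(pattern: str, requests) -> list:
    """Indexes of the requests the pattern fires on."""
    rx = re.compile(pattern)
    return [i for i, req in enumerate(requests) if rx.search(req)]


def to_snort_pcre(pattern: str) -> str:
    """Wrap a Python-style regex as a Snort pcre operand; '/' is the delimiter and must be escaped."""
    return "/" + pattern.replace("/", r"\/") + "/"


# Same logic as a Snort rule (constructed example). The content match is a cheap
# pre-filter so the pcre only runs on packets that start with "GET /".
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"Constructed example beacon GET /xxx.php?id=NNN"; '
    'flow:to_server,established; content:"GET /"; depth:5; '
    'pcre:"' + to_snort_pcre(ANCHORED) + '"; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE), ("escaped", ESCAPED), ("anchored", ANCHORED)):
        print(f"{label:<9} fires on requests {hits(pattern, REQUESTS)}")
    print(SNORT_RULE)
```

Run it and the naive pattern fires on nothing, the escaped one on requests 0, 1 and 2, and the anchored one on 0 and 1 only. The User-Agent is a second, independent feature of these beacons that a production rule would also check; the book's advice to combine several weak features into one signature applies here.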

- Chapter 18: Packers and Unpacking

A basic unpacking tutorial to get you started:

Three and a half ways to unpack malware using Ollydbg

Also OALabs has lots of good videos on unpacking malware and other malware analysis topics. I highly recommend them.

- Chapter 19: Shellcode Analysis

For debugging shellcode, use BlobRunner by OALabs or build your own shellcode analysis tool.

I also recommend a Windows XP install that didn’t get the DEP update (Data Execution Prevention, introduced with XP SP2), since the lab 19 shellcode decodes its own code in place inside the binary, and newer Windows versions won’t allow that kind of code modification.
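
Once the lab 19 shellcode has decoded itself, what you are staring at is a stub that finds kernel32.dll through the PEB and then walks its export table comparing hashes of the export names against constants embedded in the code, rather than calling GetProcAddress by name. Being able to recompute that hash is how you turn a constant like `push 0xEC0E4E8E` back into an API name. The following is an added example written for this post, not code from the book or from BlobRunner. It implements the classic ROR13-and-add hash; the export-name list is hard-coded (you would normally read it from kernel32.dll's export table), and the stub constants are constructed for the demo, with the first being the well-known LoadLibraryA value.

```python
MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """32-bit rotate right, as the x86 ROR instruction does it."""
    value &= MASK32
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str, rotate: int = 13, include_nul: bool = False) -> int:
    """ROR-and-add hash of an export name. The defaults give the classic ROR13 used by
    many shellcode decoders; `rotate` and `include_nul` cover the common variants."""
    data = name.encode("ascii") + (b"\0" if include_nul else b"")
    h = 0
    for byte in data:
        h = (ror32(h, rotate) + byte) & MASK32
    return h


# Export names you would normally read from kernel32.dll's export table; a few are
# hard-coded here so the example runs offline.
KERNEL32_EXPORTS = [
    "CreateFileA", "CreateProcessA", "ExitProcess", "GetProcAddress",
    "LoadLibraryA", "VirtualAlloc", "VirtualProtect", "WinExec", "WriteFile",
]


def build_table(names, **variant) -> dict:
    """hash -> name for one hashing variant (pass rotate=/include_nul= to try another)."""
    return {api_hash(n, **variant): n for n in names}


def resolve(stub_hashes, table: dict) -> list:
    """Map constants pulled out of a decoder stub to API names."""
    return [(h, table.get(h, "<unknown>")) for h in stub_hashes]


# Constructed stub constants: the first is the LoadLibraryA value seen as an immediate
# in classic shellcode; the next two are computed here; the last is deliberately unknown.
SAMPLE_STUB_HASHES = [0xEC0E4E8E, api_hash("GetProcAddress"), api_hash("WinExec"), 0x12345678]

if __name__ == "__main__":
    for h, name in resolve(SAMPLE_STUB_HASHES, build_table(KERNEL32_EXPORTS)):
        print(f"{h:#010x}  {name}")
```

If a constant stays unresolved, the stub is probably using a variant: a different rotate count, the terminating NUL folded into the hash, or the Metasploit-style scheme that adds a hash of the upper-cased module name to the function-name hash. Disassemble the hashing loop once, set the parameters to match, and rebuild the table.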

If you have any suggestions about these resources, I’m all ears. I wish you the best of luck in your journey.

Bit

Interested in Malware Analysis & Reverse Engineering