Getting started with Malware reverse engineering

A member of the Pauldotcom community posted a question to the mailing list asking for FREE help on getting started with reverse engineering malware. Since this is also a topic that is dear to my heart, I have decided to link to the discussion, summarize the resources mentioned below, and add a few other useful links.

I am sure there are many resources out there, both paid and free; however, it's always best to ask a group of experts to narrow down the overwhelming results you would normally get from a Google search.

RE Forums and Blogs (check out his cheat sheets and webcasts) (check out the challenges section)

Reverse Engineering and Malware Research Group (LinkedIn)

Commonly used Tools


Malware: Fighting Malicious Code provides a foundation for understanding malicious software threats (I’m a co-author).

Malware Forensics focuses on incident response that involves malware, but also includes some malware analysis details.

The IDA Pro Book gets pretty deep into IDA Pro, which is a popular disassembler for compiled malicious executables, and is great for people who want to master this tool.

Malware Analyst’s Cookbook and DVD provides amazing tips and tools for malware incident response and analysis, but is best for the readers who have some familiarity with the topic beforehand.

You can leave your comments below about resources that you have used and found helpful.

Malware Analysis 101

A few months back I did a presentation on the topic of basic malware analysis; feel free to grab a copy of the slides –> Malware Analysis 101. The idea was to get across a few pointers on how to get started analyzing malware. I am by no means an expert on the subject matter; I only recently started doing some research in the area to try and understand what really happens to a system once it's infected with malware. I used materials from several sources, and was also given some good pointers by Tim over at

As a computer repair tech you normally don't have the luxury of studying an infection, since you are always on the clock and time literally means money. However, after seeing a certain trend of infection and having several repeat calls from some of my clients, I decided to take a step back, and instead of just cleaning the infection, this time I copied the infected sample and started to analyze it.

During my analysis I basically narrowed it down to the following phases:

  • Phase one “System Baseline”
  • Phase two “Simple Execution”
  • Phase three “Review Changes”
  • Phase four “Tweaking/Using your tools”
  • Phase five “Lessons Learned”
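
The script below is an added example (not from the original post or the slides) of how phases one and three can be reduced to a baseline-and-diff of a filesystem tree: hash every file before the sample runs, hash again afterwards, and report what was added, removed or modified. The scratch directory and the three changes made to it are constructed inside the script to stand in for a lab VM's disk and for what a sample did during phase two; on a real run you take the baseline on a clean snapshot, detonate the sample, and diff against the same root.

```python
"""Baseline / diff of a filesystem tree: phases one and three of the list above.

Added example, not code from the original post. The directory layout, file
names and the simulated "sample" activity in demo() are constructed here.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so a large binary is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Phase one, "System Baseline": map relative path -> SHA-256 for every
    regular file under root. Symlinks are skipped so a planted link cannot
    make the walker hash something outside the tree. Paths use '/' so the
    result compares the same on Windows and POSIX."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def diff_snapshots(before, after):
    """Phase three, "Review Changes": classify paths as added, removed or modified."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def write(path, data, mode="w"):
    """Helper for the demo: create parent directories and write a file."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Constructed walk-through: a scratch tree stands in for the lab VM's disk,
    and three hand-made changes stand in for what a sample did in phase two."""
    with tempfile.TemporaryDirectory() as root:
        hosts = os.path.join(root, "Windows", "System32", "drivers", "etc", "hosts")
        notes = os.path.join(root, "Users", "tech", "notes.txt")
        write(hosts, "127.0.0.1 localhost\n")
        write(notes, "clean baseline\n")
        before = snapshot(root)

        # Phase two, simulated: the "sample" drops a PE, edits hosts, deletes a file.
        dropped = os.path.join(root, "Windows", "System32", "svchost32.exe")
        write(dropped, b"MZ" + b"\x00" * 62, mode="wb")
        write(hosts, "1.2.3.4 update.example.invalid\n", mode="a")
        os.remove(notes)

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:<8} {p}")
```

Two caveats a practitioner would add: this only covers the filesystem, so the same before/after comparison should also be run over registry hives, services and scheduled tasks, autoruns and listening ports; and the baseline must be taken on a known-clean snapshot inside the isolated analysis VM, never on the host, or you are diffing against a system that may already be tainted.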

I will do a follow-up post to this one, since I didn't show any of the detailed results from the demo portion of the slides. I am hoping to get some feedback on this post so I can revise my current process.