Welcome! Today we’ll be reviewing Practical Malware Analysis by Michael Sikorski and Andrew Honig.
Review Summary
- Length: 21 chapters, 766 pages
- Cover Type: Soft
- Personal Completion Time: Roughly 3 months
- TL;DR Summary: This is the book you should pick up if you’re interested in malware analysis – it covers everything from the absolute basics to the cutting edge of malware techniques.
- Book Link: Amazon
- Final Rating: 5 / 5 Stars

What more is there to say? If you’ve found any useful information about malware analysis on this website, it’s likely come from this book! From a beginner’s perspective, this book is an amazing introduction to not only malware analysis, but also x86 assembly and all things related to software reverse engineering. The authors’ (Michael and Andrew) experience and passion for this topic is so abundantly clear in this book that it almost jumps off the page, and it’s also clear (from the near-perfect way they manage to explain even the most complicated concepts in an easily digestible fashion) that both authors likely have experience teaching others about this topic outside of this book.
In this book you’ll learn about disassemblers, decompilers, DNS redirection tools, entropy evaluation tools, packet analysis tools, network emulation tools, and much, much more. You’ll learn about the fundamentals of static analysis, dynamic analysis, and everything in between; and (in case it wasn’t obvious from the book title) you’ll learn a lot about malware. Not just one type of malware either: you’ll dive deep into the wonderful world of process injection techniques, keyloggers, encryption, encoding, and the anti-debugging and anti-disassembly techniques that malware employs to hinder analysis efforts. Finally, this book will get you very comfortable with your favorite decompiler (due to this book’s age, which we’ll discuss next, the book opts to use IDA Pro in all of its examples) and disassembler (the book uses OllyDbg). It’s also worth mentioning that one of the primary reasons this book is considered to be one of the best books for learning malware analysis techniques is that it has lots of post-chapter labs, which give you vital hands-on experience with everything discussed in each chapter. These labs not only reinforce your knowledge of topics like DLL process injection, they force you to analyze them in real time! With over 50 labs, this book provides much more than just a “primer for malware analysis” – it gives you hands-on experience with all the tools you’ll need to tackle any project requiring a decompiler, disassembler, debugger, and more!
For all the glowing remarks I’ve made about this book, there are a few caveats. Namely – this book is old. How old? The copy that’s currently available on Amazon and in my possession was last published in 2012. That means all the examples you’ll find in this book use Windows XP; reading that, you might be greatly dissuaded from purchasing this book – but you shouldn’t be. Despite its age, this book is still “the book” for learning malware analysis, and maybe because of its age this book acts as a very basic filter to distinguish those who are “vaguely interested” in working in this field from those who are truly passionate about the topic. Do the book’s malware samples not work on your Windows 10 machine? Use a Windows XP VM. Does the lab you’re working on require you to find an old version of some software? Use the Wayback Machine. From someone who’s read this book cover-to-cover and completed every lab, I can assure you that with enough elbow grease you can successfully attempt and solve every lab in this book!
In closing – I cannot recommend this book enough! If you’re interested in learning the fundamentals of x86 assembly, software reverse engineering, or malware analysis, I don’t think you could ask for a better primer, and despite its age it’s still the best book for learning any of these skillsets. Fingers crossed that Michael and Andrew release an updated version!