Reddit mentions of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Sentiment score: 24
Reddit mentions: 41
We found 41 Reddit mentions of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. Here are the top ones.
Buying options: Amazon.com or No Starch Press
Specs:
Color: Burgundy/maroon
Height: 9.31 inches
Length: 7.06 inches
Number of items: 1
Release date: February 2012
Weight: 2.85 pounds
Width: 1.88 inches
In my opinion; every book in this bundle is a bag of shit.
Here's a list of reputable books, again in my opinion (All links are Non-Affiliate Links):
Web Hacking:
The Web Hackers Handbook (Link)
Infrastructure:
Network Security Assessment (Link)
Please Note: The examples in the book are dated (even though it's been updated to v3), but this book is the best for learning Infrastructure Testing Methodology.
General:
Hacking: The Art of Exploitation (Link)
Grey Hat Hacking (Link)
Linux:
Hacking Exposed: Linux (I don't have a link to a specific book as there are many editions / revisions for this book. Please read the reviews for the edition you want to purchase)
Metasploit:
I recommend the online course "Metasploit Unleashed" (Link) as opposed to buying the book (Link).
Nmap:
The man pages. The book (Link) is a great reference and looks great on the bookshelf. The reality is, using Nmap is like baking a cake. There are too many variables involved in running the perfect portscan, every environment is different and as such will require tweaking to run efficiently.
Malware Analysis:
Practical Malware Analysis (Link)
The book is old, but the methodology is rock solid.
Programming / Scripting:
Python: Automate the Boring Stuff (Link)
Hope that helps.
What do you want to do? "Security" is a nonsense term that doesn't mean anything to employers.
I'd pass on certs, as most of them are worthless and don't teach you anything relevant in the security field. OSCP is good and the SANS FOR 610 is good, but LOL at paying $6,000 for a certification.
Build a lab. For Malware Analysis learn REMnux, IDA Pro, Ollydbg, and look at C++ and C.
For Penetration Testing learn TCP/IP, play with Backbox and Kali when you have a solid understanding of TCP/IP and networking in general. Learn Python, Bash, and PowerShell.
Practical Malware Analysis
Practical Forensic Imaging
Those books are solid for learning IR and Malware Analysis.
Check out /r/netsecstudents
For fucks sake, stay off this sub-reddit for anything Security related. Just lmao at the responses in here. Too many people have read that shit book Phoenix Project and think Security is just policy and process.
Here is a "curriculum" of sorts I would suggest, as it's fairly close to how I learned:
Generally you'll probably want to look into IA-32 and the best starting point is the Intel Architecture manual itself, the .pdf can be found here (pdf link).
Because of the depth of that .pdf I would suggest using it mainly as a reference guide while studying "Computer Systems: A Programmers Perspective" and "Secrets of Reverse Engineering".
Of course if you just want to do "pentesting/vuln assessment" in which you rely more on toolsets (for example, Nmap>Nessus>Metasploit) structured around a methodology/framework then you may want to look into one of the PACKT books on Kali or backtrack, get familiar with the tools you will use such as Nmap and Wireshark, and learn basic Networking (a simple CompTIA Networking+ book will be a good enough start). I personally did not go this route nor would I recommend it as it generally shies away from the foundations and seems to me to be settling for becoming comfortable with tools that abstract you from the real "meat" of exploitation and all the things that make NetSec great, fun and challenging in the first place. But everyone is different and it's really more of a personal choice. (By the way, I'm not suggesting this is "lame" or anything, it was just not for me.)
*edited a name out
This book covers rootkit development, not analysis, on Windows 7 and x86/IA32. It's a must read, if you're interested in rootkits.
While not yet released, it looks very promising. Over the years, Microsoft has continually introduced better protections against rootkits and malware in Windows. Among other things, the book will cover how some of the rootkits/bootkits seen in the wild have bypassed protections such as Secure Boot, kernel-mode signing, Patch Guard and Device Guard.
I'd also recommend having a look at the following books:
Also, Windows Internals for both Windows 7 and Windows 10 is a great reference to have laying around.
Digital Forensic workbook is a great source for building foundational knowledge on many of the general computer forensic techniques. It covers info such as file system forensics, acquisition, software write blocking, registry analysis, email analysis, internet history analysis, recovering data in unallocated space, etc. Labs are included with the book so you can test the content learned against sample data.
Learning Malware Analysis guides you through static analysis, dynamic analysis, using IDA Pro, and other disassemblers to determine the intent of malicious files.
Practical Malware Analysis
Wireshark Network Analysis
Copy paste from a post I made earlier
Malware RE isn't really all that much voodoo as it seems, you take the executable and break it down into steps.
First check out the PE headers and find what strings you can, characteristics. Figure out if the malware is packed or not.
A quick and dirty way to get an idea of what it does is to run it with certain tools on the system and a Linux box to intercept all network communications. This is called behavioral analysis.
After that you can load it into a disassembler like IDA Pro and start looking for interesting functions or Windows API calls. Things like WriteFile, VirtualAllocEx, ReadFile, then figure out what they are doing.
After that you can take it into your debugger (I like OllyDbg) and set some breakpoints at interesting functions to see what the malware is doing in the stack. Like I said, it's not voodoo once you look into it further.
Creating the malware is a whole different story and outside my skill set. In fact I hate programming and know only high level programming, basically I can interpret code and what it wants to do. But I have an easier time reading Assembly (lol) than something like C++. But coding malware is just like coding anything else, design it for what you want it to do and get to work. Stuff like Stuxnet had probably at a minimum 10 extremely talented coders behind it.
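The first-pass steps the post above describes (read the PE headers, pull strings, decide whether the sample is packed) can be scripted. The following is an added example, not code from the post or from the book: a small PE section-table parser with a `strings`-style extractor and per-section Shannon entropy, run over a constructed toy PE built in memory so it runs offline. The section names, API watch list and flag values are the standard PE ones; the sample bytes, the `UPX`-style layout and the 7.0-bit entropy threshold are assumptions chosen for illustration, and the indicators are hints that an analyst confirms in a debugger, not proof of packing.

```python
import hashlib
import math
import struct
from collections import Counter

# Flag values from the PE specification (winnt.h).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Hypothetical watch list: the API names the post calls out, plus two neighbours.
API_WATCHLIST = {"WriteFile", "ReadFile", "VirtualAllocEx", "CreateRemoteThread", "WriteProcessMemory"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ascii_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII at least min_len long (what `strings` does)."""
    run = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "w_and_x": bool(flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def packing_indicators(info: dict) -> list:
    """Static hints that a sample is packed; each is a hint, not proof."""
    hints = []
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            hints.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: empty on disk, {s['virtual_size']:#x} bytes in memory (unpack target)")
        if s["w_and_x"]:
            hints.append(f"{s['name']}: writable and executable (self-modifying code)")
        if s["name"].upper().startswith("UPX"):
            hints.append(f"{s['name']}: UPX section name")
    return hints


def triage(blob: bytes) -> dict:
    """The first-pass checks from the post: headers, strings, packed or not."""
    info = parse_pe(blob)
    info["indicators"] = packing_indicators(info)
    found = set(ascii_strings(blob))
    info["interesting_strings"] = sorted(
        s for s in found if s in API_WATCHLIST or s.lower().endswith(".dll"))
    return info


def build_sample_pe() -> bytes:
    """Constructed toy PE: a plain .text plus UPX-style sections. Not a real sample."""
    text = b"\x55\x8b\xec\x83\xec\x10" * 20 + b"kernel32.dll\0WriteFile\0VirtualAllocEx\0"
    # deterministic pseudo-random bytes stand in for a compressed section body
    packed = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(32))
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")            # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt),
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)

    def sec(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    table = (sec(b".text", len(text), 0x1000, len(text), 0x200, 0x60000020)
             + sec(b"UPX0", 0x10000, 0x2000, 0, 0, 0xE0000080)
             + sec(b"UPX1", len(packed), 0x12000, len(packed), 0x400, 0xE0000040))
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    return headers + text.ljust(0x200, b"\0") + packed


if __name__ == "__main__":
    report = triage(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:<6} raw={s['raw_size']:#7x} virt={s['virtual_size']:#7x} entropy={s['entropy']}")
    print("indicators:", *report["indicators"], sep="\n  ")
    print("strings of interest:", report["interesting_strings"])
```

On the toy sample the `.text` section reads as ordinary code with its API strings in the clear, while `UPX0` (empty on disk, large in memory) and `UPX1` (near 8 bits per byte) are the pair of signs that the real payload only exists after the stub unpacks it, which is exactly when the behavioral pass and the debugger breakpoints from the post become necessary.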
Here is a great list of learning sources.
Cybrary.it Malware Analysis Course - Free
Opensource Malware Analysis Course - Free
Dr. Fu's Malware Analysis Course - Free
OpenSecurityTraining.info - Free
SANS FOR610 Reverse Engineering and Malware Analysis - Expensive
Practical Malware Analysis
Practical Reverse Engineering
Malware Analyst's Cookbook
For reverse engineering:
For malware analysis and malware techniques
For programming
This should be enough for you to get started.
I'd suggest you first take an ASM course.
This would be a great start
http://opensecuritytraining.info/Training.html
Next, you have two options.
You can get this awesome book
https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
or you can start with this course
https://samsclass.info/126/126_S16.shtml
which is a reduced version of the book.
After you're done, I think the best thing to do is to find someone who can sponsor you to attend SANS 610 course.
Some physical book recommendations:
List of free ebooks: https://github.com/EbookFoundation/free-programming-books/blob/master/free-programming-books.md#c
I highly recommend reading up on assembly as well, since understanding assembly is invaluable for understanding C. You might also enjoy reverse engineering as a topic, especially since it teaches a lot about lower-level architecture.
Physical books:
Some more (free) e-books:
Other resources: (will add more when I remember/find them)
This really isn't as ridiculous as people are making it out to be. Encryption is commonly employed in malware as an anti-reverse-engineering measure. When you're a malware author and you want to make it harder for a malware analysis lab to figure out what it is that you did with a piece of malware (say you're targeting this malware at stealing credit card information, navigating a corporate network, compromising admin accounts within a company, etc.) you can encrypt your actual program code and include a snippet of code that runs on execution to decrypt the code by reading, decrypting, and writing back the region of memory where the encrypted code lives. This makes it a bit more annoying for a malware analyst to disassemble your malware and figure out what it's doing.
Python 6 is a bit silly though. Python 2.7 will be in use until the end of time.
For anyone curious about reading further, Practical Malware Analysis is a good resource.
Best place to start is: http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901 ;)
Additionally, I study Computer Science & Systems Engineering, that helps a lot ;)
Learn to write simple C programs. Then debug your own C programs, preferably in OS X or Linux using gcc/gdb. Then disassemble your own C code (learn how to disable optimization in the compiler; try it with no optimization and then with increasing levels). Then look at C++ and (gasp) Visual BASIC and such. Turns out a ton of malware is written in these languages, and the snarl of garbage that you'll uncover that is just part of the auto-generated message handling stuff for VB will astound you, so don't start there...but it's important to understand those structures when you see them.
Then follow tutorials about reversing other programs. There are great books on this.
It helps a lot to know assembly language, but you'll tend to pick it up as you go.
You'll want better tools than just command-line disassemblers. I prefer IDA Pro.
There's a great book that uses IDA Pro with many examples to address precisely your questions.
Here's another great book on malware analysis that covers all kinds of tricks you might bump into when working on real targets.
I see all this as a long-term iterative exercise. It's fascinating.
If you are debugging you can manipulate the execution path. For example, the IsDebuggerPresent function call returns a nonzero value when the program is running in the context of a debugger. In intel x86 asm, return values are generally stored in EAX. Next there will be a comparison between EAX and zero. If they don't match, the malware will typically terminate.
When using a debugger you can set EAX to 0 before the comparison takes place. This way even though you are debugging, the malware will not know it is running in the context of a debugger.
There are also ways where you can patch the executable to change sections of code. This way you won't have to manually change the register values each time. Instead, every time IsDebuggerPresent is called, it will take the execution path you want.
Sorry if this is confusing, I'm not sure the best way to explain this. This is more advanced analysis techniques / reverse engineering, so if you don't know assembly then it might be over your head.
There are some good resources out there to learn though. Practical Malware Analysis is the go-to book. I've heard good things about the Leena tutorials on tuts4you. There was also a blogger called The Legend of Random (might be down) who made some cracking tutorials. I personally think a good way to learn is to write a simple windows program (using a higher level language) and reverse the binary. This way you know what the source code is and see what it looks like in ASM. (Make sure to do these in VMs or another isolated environment).
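The `IsDebuggerPresent` idiom the comment above walks through (call, result in EAX, compare with zero, conditional jump) is regular enough that an analyst can locate it by pattern. The block below is an added example and is not the commenter's code or the book's: it scans a constructed 32-bit x86 byte string for `call dword ptr [IsDebuggerPresent]` (`FF 15 imm32`) followed by `test eax, eax` (`85 C0`) and a `jz`/`jnz`, reports which branch is the "debugger detected" path, and shows the patch the comment mentions by overwriting the conditional jump with NOPs. The import-thunk addresses, the code base and the sample bytes are constructed for the example; the opcode encodings are standard x86, but the scan is a byte-pattern match, not a disassembler, so a real sample should be confirmed in IDA or the debugger.

```python
import struct

# Constructed import thunk addresses (what the IAT would hold for a 32-bit sample).
IAT_ISDEBUGGERPRESENT = 0x00402010
IAT_EXITPROCESS = 0x00402014
IMPORTS = {IAT_ISDEBUGGERPRESENT: "IsDebuggerPresent", IAT_EXITPROCESS: "ExitProcess"}

CODE_BASE = 0x00401000  # constructed virtual address of the first byte below
# Constructed bytes of the idiom the comment describes (x86, 32-bit):
#   call dword ptr [IsDebuggerPresent]   FF 15 imm32
#   test eax, eax                        85 C0
#   jnz  short exit_stub                 75 rel8  (taken when EAX != 0, i.e. a debugger is present)
SAMPLE_CODE = (
    b"\x55\x8b\xec"                                      # push ebp / mov ebp, esp
    + b"\xff\x15" + struct.pack("<I", IAT_ISDEBUGGERPRESENT)
    + b"\x85\xc0"
    + b"\x75\x06"                                        # jnz +6 -> exit_stub
    + b"\xb8\x01\x00\x00\x00"                            # mov eax, 1   (normal path)
    + b"\xc3"                                            # ret
    + b"\x6a\x00"                                        # exit_stub: push 0
    + b"\xff\x15" + struct.pack("<I", IAT_EXITPROCESS)   # call [ExitProcess]
)


def decode_branch(code: bytes, off: int):
    """Decode a short or near jz/jnz at off; returns (mnemonic, length, target_off) or None."""
    op = code[off] if off < len(code) else None
    if op in (0x74, 0x75) and off + 2 <= len(code):
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return ("jz" if op == 0x74 else "jnz", 2, off + 2 + rel)
    if code[off:off + 2] in (b"\x0f\x84", b"\x0f\x85") and off + 6 <= len(code):
        rel = struct.unpack_from("<i", code, off + 2)[0]
        return ("jz" if code[off + 1] == 0x84 else "jnz", 6, off + 6 + rel)
    return None


def find_debugger_checks(code: bytes, base: int = CODE_BASE, imports: dict = IMPORTS) -> list:
    """Byte-pattern scan (not a disassembler) for call [IsDebuggerPresent]; test eax,eax; jcc."""
    findings = []
    i = 0
    while i + 6 <= len(code):
        if code[i:i + 2] != b"\xff\x15":
            i += 1
            continue
        target = struct.unpack_from("<I", code, i + 2)[0]
        after = i + 6
        if imports.get(target) == "IsDebuggerPresent" and code[after:after + 2] == b"\x85\xc0":
            br = decode_branch(code, after + 2)
            if br:
                mnem, length, taken = br
                fallthrough = after + 2 + length
                findings.append({
                    "call_va": base + i,
                    "branch_va": base + after + 2,
                    "branch_len": length,
                    "mnemonic": mnem,
                    "taken_va": base + taken,
                    "fallthrough_va": base + fallthrough,
                    # EAX != 0 means "debugger present": jnz takes the branch, jz falls through
                    "debugger_path_va": base + (taken if mnem == "jnz" else fallthrough),
                })
        i = after
    return findings


def nop_branch(code: bytes, finding: dict, base: int = CODE_BASE) -> bytes:
    """Return a patched copy with the conditional jump replaced by NOPs (the comment's 'patch the executable')."""
    off = finding["branch_va"] - base
    n = finding["branch_len"]
    return code[:off] + b"\x90" * n + code[off + n:]


if __name__ == "__main__":
    checks = find_debugger_checks(SAMPLE_CODE)
    for f in checks:
        print(f"call [IsDebuggerPresent] at {f['call_va']:#x}; {f['mnemonic']} at {f['branch_va']:#x} "
              f"-> debugger path {f['debugger_path_va']:#x}")
    patched = nop_branch(SAMPLE_CODE, checks[0])
    print("checks left after patching:", len(find_debugger_checks(patched)))
```

Setting EAX to 0 in the debugger, as the comment first suggests, changes one execution; NOPing the jump changes the file, so the normal path is taken on every run. Either way the analyst should note the original branch target, since the "debugger detected" stub often reveals how the sample reacts (exit, crash, or a decoy path) and is worth a breakpoint of its own.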
This site contains a list of sites providing collections of malware samples: https://zeltser.com/malware-sample-sources/. If you haven't read any book about malware analysis yet I would recommend you to start with https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901 since you could get yourself easily infected as a beginner.
Some resources which will indirectly help you for GREM
https://amzn.com/1593272901
https://amzn.com/1118787315
https://amzn.com/1593272898
Practical Malware Analysis talks about how to set up a relatively secure analysis environment.
Can't help with the college aspect but check this out
https://securedorg.github.io/RE101/
https://www.cybrary.it/course/malware-analysis/
https://www.sans.org/reading-room/whitepapers/malicious/malware-analysis-introduction-2103
https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/ref=sr_1_3?ie=UTF8&qid=1524247164&sr=8-3&keywords=malware
The biggest thing is making sure when you start doing this, that you don't infect any of your local machines while you are playing around with things.
Reversing: Secrets of Reverse Engineering - Is probably the most common book recommendation. It's an older book (2005) but it's about as gentle as it gets in terms of the core concepts, but it's missing a bit due to its age (32-bit RE only). I'd liken it to something like Hacking: The Art of Exploitation for exploit developers. It's a solid book, it covers the fundamentals but it'll take a bit more work to get up to speed.
Practical Reverse Engineering - This one is a newer book (2014); while it doesn't cover as many topics as the above book, it's less dated in what it does cover, and it does cast a wider net covering things you'll see today like ARM and x64 instead of just x86. I tend to recommend starting with this book, using Reversing and the next book as a reference if there is a chapter of interest.
Practical Malware Analysis - While this one has a more traditional RE introduction, where it excels is in dynamic analysis and dealing with software that doesn't want to be analyzed. Now, it's from 2012 and malware has changed since then, so its age certainly shows, but again fundamentals remain even if technical details change or are expanded upon.
Practical Binary Analysis - This is the newest book of the list (December 2018). I wouldn't use it alone, but after you've gone through any of the above books, consider this an add-on. Its focus is on dynamic analysis and it's modern. I'll admit I haven't read the entire thing yet, but I've been pleased with what I have read.
Edit: s/.ca/.com/g
Are you talking about this book ?
this book has a good chapter on some of the anti RE techniques http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901/ref=sr_1_2?ie=UTF8&qid=1372962928&sr=8-2&keywords=malware+reverse+engineering
also check out http://opensecuritytraining.info/ReverseEngineeringMalware.html
the wiki file has some info that might help
regarding your legal question http://en.wikipedia.org/wiki/Reverse_engineering#United_States
In case you're talking about reverse engineering, malware analysis etc.:
Not a course, but a book. Practical Malware Analysis I have not read this book, yet, but it seems to be highly recommended in the field.
https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
Sec+ and a drive to grow and learn are pretty good. Network Security degrees are still in their infancy and I haven't interviewed anyone who has one that can differentiate themselves from people with certs. SANS certs like GCIH are nice but they're expensive as hell and probably not within the means of someone who can't leverage corporate education funding. Depending on what you want to do people can point you in the right direction. For example, if malware analysis/reverse-engineering are your thing, Practical Malware Analysis will give you a lot of knowledge that will help you. It's pretty overwhelming at first but just having touched on the concepts in the book will make you a more attractive hire.
Oh you wanted books. For some reason I thought you wanted things to learn about, like you didn't think it was that easy or something.
The Art of Deception.
Pretty much anything by this guy.
This book gives you an insight to how the good guys go about fixing things once they go bad.
Metasploit is the novice's wet dream, as it's pretty easy to get started with and opens up a world of sophisticated exploits which wouldn't normally be available to someone new to the world of hacking.
Those are some books that might not get listed elsewhere, simply because they don't all literally tell you how to hack, as much as give you some idea as to what hacking means from different perspectives.
Edit: Reposting some of the other guy's books as he seems to think linking to publicly available materials is going to make some person on Reddit the next LulzSec 'mastermind' or something.
Hacking Exposed, Anti-Hacker Toolkit, Practical Malware Analysis, The Rootkit Arsenal, Steal This Computer Book.
You're not going to be a l33t h4x0r just by reading a few books, but you won't not be, either. :D
There are a ton of different things you can do on the defensive side. The path here is a bit less defined because you can specialize in each of these areas without ever really touching the other ones. But I think these are the most important skills as a defender, so I'll break it up into three smaller chunks. For the most part, defender/Blue-team concepts draw from these skills. I've set up the courses in order, as some of these skills may feed into other areas.
IR:
Forensics:
Reverse Engineering (Dynamic and Static):
I know there’s not a lot of certs here, and unfortunately, that’s how it is across the blue team. Certs here are usually very vendor-specific, and not applicable to defense as a whole. Those certifications exist, but I’m not listing them here.
If people are interested, I can also do a similar write-up on Mobile Forensics and Cloud Forensics (which is my direct background).
Lastly, here are some of my favorite news sources across the InfoSec community -
News Sources
For challenges you might want to check out the book Practical Malware Analysis
As mentioned by /u/pepe_le_shoe you could always research real malware using a Honeypot to grab some. Or set up a bait email account.
Sure thing! I don't do a whole lot of Malware RE, but where I started was with the book:
Of course, knowing assembly is very valuable for Malware Analysis as well, so it would be useful to still know most, if not all, of the stuff I listed in the other comment.
Other good places to start would be:
Definitely would start with the book, Practical Malware Analysis and get your feet wet a little bit. Then browse through the other stuff or if you're a visual person, watch some videos on youtube of how other people dissect Malware, just so you can see the bigger picture.
Hope that helps!
Analyzing malware takes some learning, but fortunately there are books on this exact topic. For instance:
http://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
Cybrary also has a course on it:
https://www.cybrary.it/course/malware-analysis/
Okay so there are a couple of good places to start with malware. The first is Malware Analyst's Cookbook. It is a pretty decent beginner level resource.
From there, Practical Malware Analysis is excellent and goes a lot deeper.
For free resources I've heard good things about Dr. Fu's Malware Analysis Tutorials.
You will need to have a strong understanding of reverse engineering. I like Practical Reverse Engineering or Reverse Engineering for Beginners. The latter is free.
With RE comes assembly. I learned from the free book PC Assembly Language. The RE books should have some info on assembly as well.
You should also know the systems programming API and OS internals for whatever OS you're interested in. This is most likely Windows, so I recommend Windows System Programming and Windows Internals. You can find similar books for Linux and macOS too. Having a good understanding of C and C++ is helpful for this. Also get comfortable using your assembly level debugger on your OS of choice. WinDBG, x64dbg, and OllyDBG are all good on Windows. GDB is pretty much the default on Linux, and LLDB on macOS.
I also highly recommend some scripting language, whether it's Python, Ruby, Powershell or whatever for hacking up your own tools.
Lastly, there is a list on GitHub with a ton of helpful links.
I think that's enough for now.
As far as demand it's hard to say and probably depends a lot on where you're from. It's certainly not like the demand for webdevs but there's also not nearly as many people with the skillset. I'm not a malware analyst myself, I'm more focused on security research and embedded development.
I know those skills are especially high in demand around the Washington, DC area with defense contractors and government agencies. Especially if you can get a security clearance. Most other security firms I know of are always looking for good people with strong reversing and OS internals knowledge.
Let me know if you have any questions and I will try to answer.
Like qaisjp said, do a lot of CTFs.
Cyber security is a vast field with many potential sub-categories you can delve into: software reverse engineering, hardware reverse engineering, pentesting, cryptography, steganography etc. - The list is long.
For more info about ctf's and which ones are hosted:
CTF's are usually separated into different subcategories and many people specialize in a few of them (not necessarily all), so I'd recommend you take a look around and see what you find interesting.
Useful sites to visit:
Reading CTF write-ups is also very useful; taking a look at how challenges are structured and how people solved them will give you insight into different ways of thinking about various problems. Reading a few might be a good idea, and perhaps you will find a few categories that might be interesting: https://ctftime.org/writeups (Other write-ups may be found just by googling, a lot of blogs and GitHubs out there)
Personally, I am very reverse engineering focused so I will mostly be able to help you with resources in that area.
RE links to take a look at:
If you do RE, coding is also vital (people tend to do C++ and/or C together with x86/x64 ASM, the latter which is essential for RE in the first place), but it is not exclusive to RE, coding is crucial in many if not all CTF categories and I think having a start as a programmer is a good way to enter parts of cyber security.
There is also a reverse engineering discord, which I think you could benefit from, a lot of information can be found on there about various kinds of reversing:
https://www.reddit.com/r/ReverseEngineering/comments/9n2qcb/join_the_reverse_engineering_discord_active/
I think a lot also boils down to reading books, blogs etc. and having good knowledge of how various things work, the links above should be of help, and should lead you to other useful resources as well. You do not necessarily have to switch majors, good computer knowledge is very helpful, and most cyber sec people I know do either compsci, math + compsci, or just math. In the end it just boils to doing things however, and ctf's are a great way to do that.
PS. With reversing you can also delve into game hacking which is super interesting and a lot of people do really funky shit with things like the windows kernel!
If you have any questions about anything, feel free to ask.
You're welcome. :) If you are truly interested there is a pretty comprehensive book on practical malware analysis. I have never read it but I assume it demands a solid knowledge of the above mentioned topics.
https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/ref=sr_1_2?ie=UTF8&qid=1480495126&sr=8-2&keywords=malware
This is a pretty solid resource Practical Malware Analysis - Amazon
I'm not too sure if this is the sort of answer you're looking for because it appears that you are pretty new to all this but...
If you read these books, then you will know everything you need (ranked by reward to required effort ratio):
https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
https://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315
https://www.amazon.com/Windows-Internals-Part-architecture-management/dp/0735684189
However, the books might be pretty difficult to understand with how much you currently know.
My recommendations then for self study:
Read all those and you will be in good shape ;)
EDIT: I hate trying to get reddit to do what I want.
Only have a few minutes to elaborate, but I'd recommend familiarizing yourself with the ins and outs of the OSI networking stack like you plan to, and also study Operating Systems. A traditional OS class would be nice, but if you can complement that with a forensics class you will be balling.
It's also a good idea to figure out what subfield(s) of security you would like to pursue. Security is becoming so big and technical that it is almost impossible to be an expert in all aspects of security, so try them all and stick with 2-3 that you like - if the subfields complement each other you will make yourself an even stronger professional.
There's a ton of good resources online; if you make it a habit of browsing the links /u/eooe provided, you will learn about a lot more resources that will help. I would recommend the Life of Binaries class on http://opensecuritytraining.info/, and to add to the fun, Practical Malware Analysis by Sikorski is an amazing book on malware analysis that comes with exercises and labs that you can run with a pretty simple VM setup. The book describes how to set that up as well.
Check this out. Goes from really beginner level stuff to more experienced by the end of the first section. This book will answer all your questions about tools during all phases of forensic analysis. Hope it helps.
http://www.amazon.com/Practical-Malware-Analysis-Hands--Dissecting/dp/1593272901/ref=sr_1_2?ie=UTF8&qid=1314292697&sr=8-2
sorry, wrong title
If you really want to learn about Windows malware then you need to understand Windows Internals, reverse engineering, x86 assembly, C++ at the very least.
Here are some books that cover some of this material:
https://www.amazon.com/Practical-Malware-Analysis-Hands--Dissecting/dp/1593272901/ref=sr_1_1?ie=UTF8&qid=1468521904&sr=8-1&keywords=practical+malware+analysis
https://www.amazon.com/Windows-Internals-Part-Developer-Reference/dp/0735648735/ref=sr_1_2?ie=UTF8&qid=1468522022&sr=8-2&keywords=Windows+Internals
https://www.amazon.com/Rootkit-Arsenal-Escape-Evasion-Corners/dp/144962636X/ref=sr_1_3?ie=UTF8&qid=1468522149&sr=8-3&keywords=Rootkits
The books are old and somewhat outdated, but still relevant.
https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
I rarely just recommend one source, since often authors have a specific take (say, a book might be targeted towards the academics, people who use a specific tool, or people who are doing some specific task) - but https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901 is absolutely incredible from every angle.
Follow that with learning kernel syscall/monitoring tools [procexp, procmon, the Sysinternals suite], disassembly tools [IDA/radare/whatever], and a debugger [WinDBG] + Mark's book on Windows Internals 6th edition, both volumes (it's long but it's worth it). And you're well on your way.
For Linux/BSD, look at kernelnewbies for Linux and the online handbook for at least FreeBSD, ktrace/ptrace/truss/strace for the syscall analysis type stuff, IDA/radare/hopper all are cross platform so you're golden there, and perhaps calling conventions (cdecl vs what-not).
Which book is better for very beginners?
https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/
or
https://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315
For anyone interested a good book to pick up is Practical Malware Analysis: https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901