This resource provides theory and links for learning malware analysis and reverse engineering malware. We keep the links up to date as the infosec community creates new and interesting tools and tips.
Please let me know if you have comments or additions.
1. Starting Point - some theory for malware analysis and malware reverse engineering
The free book for reverse engineering beginners: http://beginners.re/
A methodology from Zeltser.com: https://zeltser.com/reverse-engineering-malware-methodology/
A 2005 paid book, Reversing: Secrets of Reverse Engineering by Eldad Eilam, suggested on Twitter by Pinkflawd/Marion:
http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817
Some nice thoughts on what reverse engineering really is, by Alex Gantman on Medium: https://medium.com/@againsthimself/in-defense-of-reverse-engineering-e07fe19b26c#.bzfh3xfkg
An overview of RE / malware analysis skills chart (source unknown)
____________________________
2. Practical Guides
Reverse Engineering Malware 101: a complete 101 class by Amanda Rousseau, and it looks excellent!
The R00tbsd cheat sheet: http://r00ted.com/cheat%20sheet%20reverse%20v5.png
The perfect beginners' rootkit: no obfuscation, no packers, no advanced or undocumented tricks, a really small rootkit (fewer than 100 functions) that contains all the usual tricks, plus developer comments to help you. Analysis of the rootkit, and how you can do it yourself, via SEKOIA CERT: http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf
Setting up a malware sandbox in seconds using Noriben
http://www.ghettoforensics.com/2016/01/creating-malware-sandbox-in-seconds.html
Windows malware analysis for the incident responder, via Mohamed Ashik: http://blogs.cisco.com/security/malware-analysis-for-the-incident-responder
Via InfosecTDK, a Sysinternals starter: http://www.howtogeek.com/school/sysinternals-pro/lesson1/
Via InfosecTDK, "License to Kill: Malware Hunting with the Sysinternals Tools" (RSA Conference slides): https://www.rsaconference.com/writable/presentations/file_upload/hta-t07r-license-to-kill-malware-hunting-with-the-sysinternals-tools_final.pdf
Via Zeltser.com: The reversing malware Cheat Sheet: https://zeltser.com/reverse-malware-cheat-sheet/
Via Malwarebytes: https://blog.malwarebytes.org/intelligence/2012/09/so-you-want-to-be-a-malware-analyst/
Via Windowsecurity.com: http://www.windowsecurity.com/articles-tutorials/windows_os_security/Reverse-Engineering-Malware-Part1.html
Via Fumalwareanalysis: http://fumalwareanalysis.blogspot.lu/p/malware-analysis-tutorials-reverse.html
Via Arunpreet Singh / Reverse2learn: https://www.exploit-db.com/docs/18810.pdf
Via Infosecinstitute.com on Zeroaccess:
The reverse engineering blogspot: http://reverseengineeringtips.blogspot.lu/2016/01/bypassing-protections-reversing-and.html
And a video:
Malware analysis course materials: Malware Analysis - CSCI 4976 (no videos), thanks to Amir H. Shahin
Mac OSX malware analysis https://www.sans.org/reading-room/whitepapers/forensics/mac-os-malware-analysis-33178
A soft-ish introduction to malware analysis for incident responders, by Red|Blue Team: http://www.redblue.team/2016/02/a-soft-introduction-to-malware-analysis.html
Reverse Engineering by Crayon: Game Changing Hypervisor Based Malware Analysis and Visualization, from Black Hat USA 2009
A practical reversing example: Sekoia.fr reverses an obfuscated dropper and payload and finds a ROP chain and more
Building a Home Lab to Become a Malware Hunter - A Beginner’s Guide via AlienVault
____________________________
2A. Malware network traffic analysis basics
A site dedicated to teaching malware network traffic analysis: http://malware-traffic-analysis.net/about.html
____________________________
2B. YouTube channels featuring a lot of malware analysis
https://www.youtube.com/channel/UCNWVswPNgn5kutPNa5sprkg
https://www.youtube.com/channel/UCVFXrUwuWxNlm6UNZtBLJ-A
____________________________
3. Some Tools
OllyDbg, IDA Pro and radare2 are the core, but check out Binary Ninja here! This description of using Binary Ninja is impressive:
The practical malware analysis starter kit: a collection of the tools you need.
REMnux, a Linux toolkit: https://remnux.org/
Flare debugger: http://blog.hackersonlineclub.com/2015/12/flare-dbg-to-aid-malware-reverse.html
Cross-platform reversing with FRIDA:
1. Video: https://t.co/MWXUFs68sX
2. Slides, via Twitter Oleavr: https://t.co/C8etXAxq64
A dynamic malware analysis tool list via HackingTutorials
Free reverse engineering tools list https://wiremask.eu/articles/free-reverse-engineering-tools/
F-Secure has created a new tool, SEE: https://github.com/F-Secure/see
Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments. The sandboxes, provided via libvirt, are customizable, allowing a high degree of flexibility. Different types of hypervisors (QEMU, VirtualBox, LXC) can be employed to run the test environments.
FireEye flare-floss (FLOSS): FireEye Labs Obfuscated String Solver
REMnux Docker images and accompanying blog: https://remnux.org/docs/containers/malware-analysis/
SysAnalyzer: Automated malcode analysis aldeid.com/wiki/SysAnalyz…
SSMA - Simple Static Malware Analyzer https://secrary.com/SSMA
You also need to be able to deobfuscate code; here is a collection of tools to help with deobfuscation, thanks to Susan Parker: https://www.peerlyst.com/posts/deobfuscation-resources-for-various-types-of-files-and-obfuscation-methods-susan-parker
IRMA (Incident Response Malware Analysis): IRMA intends to be an open-source platform designed to help identify and analyze malicious files.
ph0neutria: a malware zoo builder that sources samples from MalShare and the wild (via the Malc0de database). All fetched samples are stored in Viper for ease of access.
Joe Sandbox: an automated malware analysis sandbox for iOS apps, Windows, OSX and Android that combines static and dynamic analysis.
New tool (rather untested): malboxes, which builds malware analysis Windows VMs so that you don't have to.
____________________________
4. Professional Training & Certification
Free training
Cybrary.it: https://www.cybrary.it/course/malware-analysis/
Opensecuritytraining.info: http://opensecuritytraining.info/ReverseEngineeringMalware.html
Opensecuritytraining.info: http://opensecuritytraining.info/MalwareDynamicAnalysis.html
________________
Paid + certification:
https://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques
https://www.giac.org/certification/reverse-engineering-malware-grem
____________________________
5. Malware Samples Resources
- Malwaria (in beta): live-updated, non-stagnant malware http://108.59.83.152/malware/
- https://virusshare.com/ posts large sets of malware regularly that registered users can download
- Realtime database of malware and malicious domains: Clean MX http://support.clean-mx.de/clean-mx/viruses.php
- A collection of recent malware samples and analyses on Contagio http://contagiodump.blogspot.com/
- exploit and shellcode samples on exploit-db database https://www.exploit-db.com/
- Large repository of malware actively scraped from malicious sites: MalShare http://malshare.com
- Retrieve malware samples directly from a number of online sources with maltrieve https://github.com/krmaxwell/maltrieve
- Malware samples repository MalwareDB http://malwaredb.malekal.com/
- Live malware samples for analysts theZoo https://github.com/ytisf/theZoo
- Malware database of samples detected by many anti-malware programs except ClamAV: ViruSign http://www.virusign.com/
- Malware repository (registration required): VirusShare http://virusshare.com/
- Zeltser's Sources: a list of malware sample sources put together by Lenny Zeltser https://zeltser.com/malware-sample-sources/
- Zeus source code https://github.com/Visgean/Zeus
- Items 1 to 11 are a small selection from https://github.com/rshipp/awesome-malware-analysis, added by Imad