
Great resources for starting out in malware reverse engineering

1501 words · 8 mins
ReverseEngineering Training MalwareAnalysis Linux MacOS Windows AppleSilicon Microsoft BeginnerFriendly
Author: polaryse
A Malware Analyst documenting their exploration of the wonderful world of malware.

Introduction

I have wanted to put together a comprehensive list of good training courses for new reversers for a while now. Hopefully this summary provides useful information on, and an honest evaluation of, some of the materials I have used to build my own knowledge and understanding of the industry.

Free Courses

If you are new to the industry and uncertain about whether you’d like to explore this field, I would highly recommend you start here. Why? Well, because you can evaluate whether you enjoy the process of reversing, without actually financially investing in it straight out of the gate. The following courses will expose you to the entire reversing lifecycle and all you are investing is your time.

Course Description
Malware Unicorn: A fantastic website complete with a set of workshops that will expose you to both Windows and macOS reverse engineering. I would start at Reverse Engineering 101 and work your way through the other content progressively. Truly, it's quite a remarkable resource given that it is entirely free and well maintained by its author.
The Art of Mac Malware: This is not really a course but a book. I'm placing it here because it is free. It's a good introduction to and walkthrough of Mac malware and how to analyse samples. It starts with the basics: persistence mechanisms, infection vectors, and capabilities.
Android RE: A fantastic introduction to Android malware; don't discount this course purely because it deals with Android. The skills you will learn in completing it are highly valuable and applicable to reversing in general.
Reverse Engineering iOS Applications: A great course, available for free via GitHub, that talks you through how to tackle iOS reverse engineering. Its focus is largely on application security and exploitation rather than malware itself, but the techniques used to analyse the applications are absolutely applicable to malware analysis.

Once you have completed these introductory courses, as a wise mentor once told me, I would strongly recommend starting up your own blog (using Hugo and GitHub Pages). This way you can pick some random live samples from the internet and begin putting what you've learned into practice; heck, even write a review of what you have learned and the value the course(s) have provided you. One caveat before you touch live samples: only detonate or even unpack them inside an isolated, snapshotted virtual machine with no access to your real network or credentials, and treat every download as hostile until you have triaged it.

Paid Courses

Once you've decided that you want to invest a little more financially in reverse engineering, the following courses provide a good start. I have listed them from cheapest to most expensive and provided some insight as to the value each offers. Again, this list won't be exhaustive; it is merely based on my own experience with the content they provide.

Course Description
TCM Practical Malware Analysis and Triage: A fantastic course at a very low cost. It talks through various Windows samples, from simple backdoors to complex ransomware, and provides a great walkthrough of setting up a malware analysis environment on Intel systems. The community is great and friendly, and there is an optional exam that you can take for an additional payment to earn a certification for your resume.
Zero2Automated: I think this has been, by far, my favourite RE course to date. The instructors are exceptionally knowledgeable and are continually working to update the course content. They also have a "Zero2Hero" course (which you can purchase access to as part of one of their bundles) that serves as a nice beginners' course to complete first. Your bundle also includes a voucher to sit the examination once you have completed the course content.
Maldev Academy: This course gives you additional context from the malware author's perspective, with lessons on building your own malware. It is fairly comprehensive, with a heavy focus on x64 malware development, and a large amount of Windows-specific material is included.

Books

The following section is a list of good books to complement the training courses above. Generally speaking, the books below are a good, cheaper entry point than some of the courses I have listed.

Book Description
Practical Malware Analysis: Whilst a bit of an old book these days, it still serves as a fantastic introduction to Windows malware analysis. Each chapter contains labs with a comprehensive list of questions that you need to answer. Just note that some of the samples are quite old and only run properly on older Windows operating systems (I'm talking as far back as 2K3).
Malware Data Science: Again, a bit of an older publication. It introduces you to the application of data science to malware analysis and detection. It's a good book for broadening your context around malware samples, understanding different methods of discovery, and generally building your Python coding knowledge.
The Ghidra Book: A fantastic and comprehensive guide to using Ghidra effectively and efficiently, written by the same author as the go-to volume for IDA Pro, The IDA Pro Book.
The IDA Pro Book: And here it is, The IDA Pro Book. A fantastic compendium of knowledge related to IDA.
Violent Python: A bit of an older publication, but it still provides a fantastic introduction to Python with a cyber security twist. The examples are relevant to both blue and red teams and give a good introduction to various useful Python libraries.

Websites

Finally, I wanted to add a set of online resources to assist in your analysis. These are less about reversing itself and more about building context around a sample and discovering related infrastructure and samples as you analyse it.

Website Use
URLScan: Great for infrastructure analysis. The site lets you run URLs, IPs and domain names through it to find out information about them. Note that if the domain is down, URLScan will not be able to resolve it. The scan gives you the resolved IP address, a list of other domains that resolve to the same IP, and a good deal more. Signing up also gives you a free API key, so you can tinker with writing a Python script to semi-automate your URL discovery. Two cautions: public scans are visible to everyone, so submit anything sensitive with unlisted or private visibility, and remember that a scan actively fetches the URL, which can tip off an attacker watching their server logs.
VirusTotal: Perhaps the most famous online resource of all, VirusTotal provides a wealth of information about executables, domain names, IP addresses and file hashes. If you are lucky enough to have a premium account, you can also download samples and access additional threat intel that gives good contextual information based on their wide aperture.
MalShare: A fantastic repository of malware. Throw in your file hash and you should (hopefully) be able to retrieve a sample to download and analyse. Whilst it has an extensive array of samples, just remember it is not all-inclusive; it sometimes lacks malware for certain operating systems.
Objective-See Malware Collection: The GitHub link to Objective-See's malware collection. As the name suggests, it is a collection of macOS malware samples gathered by Objective-See over the past few years.
VX Underground: Another fantastic repository of samples. VX Underground also comes with report links alongside the samples. You can download an entire year's worth of malware, or simply browse the samples by the themes of APT or crime.
CentralOps: Another website on which you can check IP addresses and domains. It serves as a good point of comparison to URLScan, though unfortunately it does not have an API to call for scripting purposes.
Mac Malware Repository: Brought to you by objective-see.org, this is a handy, publicly available and free resource of Mac-specific malware. The cataloguing is quite useful and gives some insight into the type of malware you would be analysing (keylogger, backdoor, cryptominer and so on). The list isn't exhaustive, but it's a fantastic base for delving into Mac malware.
Apple Developer Documentation / Microsoft Developer Documentation: The developer documentation for whichever operating system you are working with should be your very best friend. I have provided links for both Apple and Microsoft operating systems. Use them alongside your analysis to understand the API calls that malware leverages to achieve persistence, credential theft, privilege escalation and the like.
Dash Apps: This is honestly a fantastic resource. It is a collection of documentation sets that are available offline once downloaded, and it lets you search through them for API calls, cheat sheets and more. The homepage shows which documentation sets are supported.
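As an illustration of the URLScan scripting idea above, here is a small Python script that pivots on an IP address through urlscan's search API and collects the domains seen resolving to it. It is an example added to this post, not the author's script. The endpoint path, the API-Key header and the shape of the response (each hit carrying a page object with domain and ip fields) are assumptions drawn from urlscan's public API documentation rather than from the post, and the sample response embedded in the script is constructed so that it runs offline.

```python
"""Pivot on an IP address with the urlscan.io search API.

Example added to the post; not the post author's code. Assumptions (from
urlscan's public API, not from the post):
  * the search endpoint is GET https://urlscan.io/api/v1/search/?q=<query>
  * the API key travels in the "API-Key" request header
  * each hit has a "page" object with "domain" and "ip" fields
SAMPLE_RESPONSE below is constructed data for the offline demo.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from collections import defaultdict

URLSCAN_SEARCH = "https://urlscan.io/api/v1/search/"  # assumed endpoint


def build_search_request(query, api_key, size=100):
    """Build the GET request for a urlscan search such as ip:"203.0.113.10".

    The key goes in a header, never in the URL: query strings end up in proxy
    logs and shell history, request headers usually do not.
    """
    params = urllib.parse.urlencode({"q": query, "size": size})
    return urllib.request.Request(
        f"{URLSCAN_SEARCH}?{params}",
        headers={"API-Key": api_key, "Accept": "application/json"},
        method="GET",
    )


def parse_search_results(payload):
    """Reduce a search response to {ip: sorted list of domains seen on that ip}.

    Hits without a resolved page IP are skipped: urlscan could not reach them,
    which is the "if the domain is down it will not resolve it" case.
    """
    by_ip = defaultdict(set)
    for hit in payload.get("results", []):
        page = hit.get("page", {})
        ip, domain = page.get("ip"), page.get("domain")
        if ip and domain:
            by_ip[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items()}


def search_ip(ip, api_key):
    """Live query: domains urlscan has seen resolving to `ip`. Not used offline."""
    req = build_search_request(f'ip:"{ip}"', api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_search_results(json.load(resp))


# Constructed sample in the shape of a urlscan search response (not real data).
SAMPLE_RESPONSE = {
    "results": [
        {"_id": "sample-1", "page": {"domain": "update-check.example", "ip": "203.0.113.10"}},
        {"_id": "sample-2", "page": {"domain": "cdn-assets.example", "ip": "203.0.113.10"}},
        {"_id": "sample-3", "page": {"domain": "update-check.example", "ip": "203.0.113.10"}},
        {"_id": "sample-4", "page": {"domain": "offline-c2.example"}},  # never resolved
        {"_id": "sample-5", "page": {"domain": "other.example", "ip": "198.51.100.7"}},
    ],
    "total": 5,
}


if __name__ == "__main__":
    key = os.environ.get("URLSCAN_API_KEY")
    if key and len(sys.argv) > 1:
        pivots = search_ip(sys.argv[1], key)          # live: python pivot.py 203.0.113.10
    else:
        pivots = parse_search_results(SAMPLE_RESPONSE)  # offline demo on constructed data
    for ip, domains in pivots.items():
        print(ip, "->", ", ".join(domains))
```

Run it with URLSCAN_API_KEY set and an IP on the command line for a live pivot; without a key it prints the grouping from the constructed sample. Keeping the HTTP call in its own function means the parsing logic can be tested against saved responses without touching the network, which is also how you avoid hammering the API while you debug.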

As well as the above, it is worthwhile staying up to date with the reverse engineering and malware hashtags on both Mastodon and X. Following these tags will expose you to a broad spectrum of contemporary malware and other reverse engineers' analyses, which can serve as another good source of malware samples. In addition, the Discord servers for some of the above-mentioned courses provide a fantastic community in which to discuss things with other aspiring reverse engineers.