ROADMAP MALWARE ANALYST/REVERSE ENGINEER TOÀN DIỆN

1. FOUNDATIONS - NỀN TẢNG CƠ BẢN

1.1 Computer Architecture

CPU architecture (x86, x64, ARM)
Registers (General purpose, Special purpose)
Memory organization (Stack, Heap, Data, Text segments)
Memory addressing modes
Cache hierarchy (L1, L2, L3)
Virtual memory
Paging và segmentation
Instruction pipeline
RISC vs CISC
Endianness (Little-endian, Big-endian)

1.2 Operating Systems Internals

Windows Internals

Windows architecture overview
Kernel mode vs User mode
Windows API (Win32 API, Native API)
Process và Thread management
Virtual memory management
Handle tables
Object Manager
Registry internals
File system (NTFS internals)
PE (Portable Executable) format deep dive
DLL loading mechanism
Windows security (ACLs, SIDs, Tokens)
Windows services
Driver model (WDM, WDF)
Debugging APIs
Exception handling (SEH, VEH)
Critical sections và synchronization
Hooks (IAT hooks, Inline hooks, SSDT hooks)

Linux Internals

Linux kernel architecture
System calls
ELF (Executable and Linkable Format)
Process management
Memory management
File systems (ext4, etc.)
Kernel modules
/proc filesystem
Signals
Inter-process communication
Dynamic linking
ptrace mechanism
LD_PRELOAD hooking

1.3 Networking Fundamentals

TCP/IP stack
Socket programming
HTTP/HTTPS protocols
DNS protocol
Common malware protocols
Network traffic analysis
Packet capture và analysis
C2 communication patterns
TOR và anonymity networks
Proxy và tunneling

1.4 File Formats

PE format (DOS Header, NT Headers, Sections, Import/Export tables)
ELF format
Mach-O format (macOS)
Office file formats (OOXML, OLE)
PDF format
Archive formats (ZIP, RAR, 7z)
Image formats (JPEG, PNG với steganography)
Executable packers và compression

2. PROGRAMMING LANGUAGES

2.1 Assembly Language - CRITICAL

x86 Assembly
- Instruction set (MOV, ADD, SUB, MUL, DIV, etc.)
- Arithmetic operations
- Logical operations
- Bitwise operations
- Control flow (JMP, JE, JNE, JG, JL, CALL, RET)
- Stack operations (PUSH, POP)
- String operations
- Addressing modes
x64 Assembly (x86-64)
- 64-bit registers (RAX, RBX, RCX, RDX, etc.)
- Calling conventions (Microsoft x64, System V AMD64 ABI)
- Shadow space
- Parameter passing
- RIP-relative addressing
ARM Assembly
- ARM instruction set
- Thumb mode
- ARM64/AArch64
- NEON instructions
- Mobile malware analysis
MIPS Assembly (optional)
- IoT device malware

2.2 C/C++ - ESSENTIAL

C language mastery
- Pointers và memory management
- Structures và unions
- Function pointers
- Bit manipulation
- Preprocessor directives
- Standard library
C++ specifics
- Classes và objects
- Virtual functions và vtables
- Templates
- STL
- Exception handling
- RTTI (Run-Time Type Information)
- Name mangling
Compiler behavior
- Optimization levels
- Compiler-specific features
- Inline assembly
- Intrinsics

2.3 Python - AUTOMATION

Python for malware analysis
Scripting automation
Binary parsing libraries
- pefile (PE analysis)
- pyelftools (ELF analysis)
- capstone (Disassembly)
- unicorn (Emulation)
- yara-python
- volatility plugins
Network analysis (scapy)
Web scraping (requests, beautifulsoup)
API interaction
Report generation
IOC extraction scripts
Custom tool development

2.4 PowerShell

PowerShell malware analysis
Deobfuscation scripts
PowerShell Empire understanding
Obfuscation techniques
Logging và detection
AMSI bypass techniques
PowerShell internals

2.5 Other Languages

JavaScript/VBScript (for macro/script-based malware)
Delphi (common in malware)
Visual Basic (legacy malware)
.NET (C#, VB.NET)
Java (Android malware)
Go (emerging in malware)
Rust (emerging in malware)

3. REVERSE ENGINEERING FUNDAMENTALS

3.1 Disassemblers & Decompilers

IDA Pro - INDUSTRY STANDARD

Interface navigation
Graph view vs Text view
Cross-references (Xrefs)
Function analysis
Structure definitions
Enums và constants
IDC scripting
IDAPython scripting
Hex-Rays decompiler
Debugging với IDA
Plugins (FindCrypt, Keypatch, etc.)
Signature generation (FLIRT)
Type libraries
Collaborative RE (IDA Teams)

Ghidra - FREE POWERFUL ALTERNATIVE

Project management
CodeBrowser interface
Decompiler usage
Scripting (Java, Python)
Data type manager
Function graphs
Symbol trees
Version tracking
Ghidra plugins
Collaborative features
P-Code analysis
Custom processors

Binary Ninja

Linear disassembly
MLIL, LLIL, HLIL views
Python API
Plugin development
Collaborative RE
Custom architectures

Radare2/Rizin

Command-line RE
r2pipe scripting
Visual mode
Debugging capabilities
Cutter GUI
ESIL (Evaluable Strings Intermediate Language)

Other Tools

Hopper Disassembler (macOS)
Capstone (disassembly framework)
Unicorn (CPU emulator)
Triton (symbolic execution)

3.2 Debuggers - ESSENTIAL

x64dbg/x32dbg (Windows)

Breakpoints (Software, Hardware, Memory)
Step execution (Step into, Step over, Step out)
Register modification
Memory inspection và modification
Scripting (x64dbgpy)
Plugins (OllyDumpEx, Scylla, etc.)
Conditional breakpoints
Tracing
Call stack analysis
Thread debugging

WinDbg (Windows Kernel/User)

Commands mastery (k, u, r, dt, etc.)
Extension commands (!analyze, !peb, !teb)
Symbol resolution
Memory analysis
Kernel debugging
Crash dump analysis
Time Travel Debugging (TTD)
JavaScript scripting

GDB (Linux)

GDB commands (break, run, continue, step, next, print)
GEF/PEDA/pwndbg enhancements
Core dump analysis
Remote debugging
Python scripting
Reverse debugging (rr)

OllyDbg (legacy but still useful)

Classic debugging
Plugins ecosystem
Script debugging

Immunity Debugger

Python API
Exploit development
mona.py plugin

3.3 Dynamic Analysis Tools

Sandboxes

Cuckoo Sandbox
- Setup và configuration
- Custom analyzers
- Signature creation
- Report interpretation
- Network analysis
- Memory dumps
Any.run (online)
Joe Sandbox
Hybrid Analysis
CAPE Sandbox
Custom sandbox development

Process Monitors

Process Monitor (Procmon)
- Filtering techniques
- Registry monitoring
- File system monitoring
- Network monitoring
- Process/Thread monitoring
Process Explorer
- Process tree
- Handle analysis
- DLL view
- String analysis
- VirusTotal integration
API Monitor
- API hooking
- Call stack capture
- Parameter monitoring
- Filter configuration

Network Analysis

Wireshark
- Protocol analysis
- Filter expressions
- Follow streams
- Statistics
- Custom dissectors
Fiddler
Burp Suite
tcpdump
NetworkMiner
FakeNet-NG (malware network simulation)
INetSim (Internet service simulation)

System Monitoring

Sysmon
- Configuration
- Event log analysis
- IOC detection
Autoruns
RegShot (registry snapshot comparison)
ProcDOT (visual analysis)

3.4 Static Analysis Techniques

String analysis (strings, FLOSS)
Import/Export table analysis
Resource analysis
Entropy analysis (detect packed/encrypted sections)
Header analysis
Section analysis
Signature scanning (YARA)
Hashing (MD5, SHA-256, ssdeep, imphash)
Certificate analysis
Metadata extraction
Pattern matching

4. MALWARE ANALYSIS METHODOLOGY

4.1 Basic Static Analysis

File identification (file command, TrID)
Hash calculation và lookup (VirusTotal, MalwareBazaar)
Packer detection (PEiD, Detect It Easy, Exeinfo PE)
String extraction (strings, FLOSS - FLARE Obfuscated String Solver)
PE analysis (PEStudio, PE-bear, pestudio)
Import/Export analysis
Resource extraction
Signature creation (YARA rules)
Metadata analysis
Digital signature verification

4.2 Basic Dynamic Analysis

Safe execution environment setup
Virtual machine configuration
Snapshot management
Behavioral monitoring
Process creation monitoring
File system changes
Registry modifications
Network connections
Mutex creation
Service installation
Persistence mechanisms
Screenshot capture
Behavioral signatures

4.3 Advanced Static Analysis

Disassembly
Code flow analysis
Control flow graphs
Data flow analysis
Function identification
Algorithm recognition
Cryptography identification
Anti-analysis technique detection
Code optimization recognition
Compiler artifact identification

4.4 Advanced Dynamic Analysis

Debugging malware
Breakpoint strategies
Memory dumping
Unpacking trong runtime
API hooking
Function tracing
Kernel debugging
Rootkit analysis
Memory forensics
Decryption trong memory
Code injection analysis

5. MALWARE TYPES & FAMILIES

5.1 Malware Categories

Viruses

File infectors
Boot sector viruses
Macro viruses
Polymorphic viruses
Metamorphic viruses
Cavity viruses
Companion viruses

Worms

Network worms
Email worms
IM worms
USB worms
Self-replication mechanisms
Propagation techniques

Trojans

Backdoor trojans
Downloader trojans
Dropper trojans
RATs (Remote Access Trojans)
Banking trojans
Infostealer trojans
Proxy trojans

Ransomware

Crypto-ransomware
Locker-ransomware
Master Boot Record (MBR) ransomware
Encryption algorithms analysis
Ransom note analysis
Payment mechanisms
Decryption possibilities
Notable families (WannaCry, Ryuk, REvil, LockBit)

Spyware

Keyloggers
Screen capture malware
Credential stealers
Session hijackers
Form grabbers
Clipboard monitors

Rootkits

User-mode rootkits
Kernel-mode rootkits
Bootkit/Bootkits
Firmware rootkits
Hypervisor rootkits
Direct Kernel Object Manipulation (DKOM)
SSDT hooking
IRP hooking
IDT hooking

Botnets

Bot architecture
C2 communication
DDoS capabilities
Spam engines
Credential stuffing
Cryptomining
Notable botnets (Mirai, Emotet, TrickBot)

APT Malware

Nation-state malware
Zero-day exploits
Fileless malware
Living-off-the-land binaries
Advanced persistence
Lateral movement tools
Data exfiltration
Notable APT groups malware

Mobile Malware

Android malware
iOS malware
Mobile banking trojans
SMS trojans
Premium SMS fraud
Repackaged apps
Adware

IoT Malware

Router malware
Camera malware
Smart device malware
Firmware implants

5.2 Notable Malware Families (Study Cases)

Stuxnet (ICS/SCADA worm)
WannaCry (Ransomware worm)
NotPetya (Destructive wiper)
Emotet (Botnet/Downloader)
TrickBot (Banking trojan)
Ryuk (Ransomware)
Zeus/Zbot (Banking trojan)
Carbanak (APT banking malware)
PlugX (APT RAT)
Cobalt Strike (Legitimate tool misused)
Mimikatz (Credential dumper)
Gh0st RAT
DarkComet RAT
njRAT
Poison Ivy
BlackEnergy
Industroyer/CrashOverride
Lazarus group malware
APT28/Fancy Bear malware
APT29/Cozy Bear malware

6. ANTI-ANALYSIS TECHNIQUES

6.1 Anti-Debugging

IsDebuggerPresent API
CheckRemoteDebuggerPresent
NtQueryInformationProcess
PEB BeingDebugged flag
PEB NtGlobalFlag
Heap flags
INT 3 detection
INT 2D detection
Software breakpoint detection
Hardware breakpoint detection
Timing checks (RDTSC, GetTickCount, QueryPerformanceCounter)
Exception-based anti-debugging
TLS callbacks
Self-debugging
Parent process check
SeDebugPrivilege check

6.2 Anti-VM/Anti-Sandbox

VMware detection (VMware Tools, registry keys, files)
VirtualBox detection
QEMU detection
Hyper-V detection
CPUID checks
MAC address checks
Hardware checks (disk size, RAM)
Timing attacks
User interaction checks (mouse movement, clicks)
Sleep acceleration detection
Artifact checks (specific files, processes)
Number of processes check
Temperature sensors
USB devices count

6.3 Anti-Disassembly

Junk code insertion
Opaque predicates
Control flow flattening
Dead code insertion
Impossible disassembly
Function pointer obfuscation
Overlapping instructions
Self-modifying code
Polymorphic code
Metamorphic code

6.4 Code Obfuscation

String encryption
API obfuscation (API hashing, dynamic API resolution)
Control flow obfuscation
Data obfuscation
Instruction substitution
Code virtualization
Packing/Crypting
Garbage code insertion
Dead code insertion

6.5 Packing & Crypting

UPX
ASPack
PECompact
Themida
VMProtect
Enigma Protector
Code virtualizers
Custom packers
Unpacking techniques
Manual unpacking
Automated unpacking (OEP finding)

6.6 Bypassing Anti-Analysis

Patching anti-debug checks
Environment manipulation
Timing manipulation
Emulation vs virtualization
Bare metal analysis
Kernel debugging
Hardware-assisted virtualization detection bypass
ScyllaHide plugin
TitanHide driver
Pafish (test environment detection)

7. MEMORY FORENSICS

7.1 Memory Acquisition

Live memory acquisition
DumpIt
FTK Imager
WinPmem
LiME (Linux Memory Extractor)
Memory dump formats (raw, crash dump, hibernation file)

7.2 Volatility Framework - ESSENTIAL

Volatility 2 vs Volatility 3
Profile selection/creation
Process analysis (pslist, psscan, pstree)
Network connections (netscan, connections, connscan)
DLL analysis (dlllist, ldrmodules)
Handle analysis (handles)
Registry analysis (hivelist, printkey)
File extraction (dumpfiles, memdump)
Malware detection (malfind, ldrmodules)
Rootkit detection (psxview, modscan)
Timeline creation (timeliner)
Plugin development
Custom plugins for specific malware

7.3 Memory Analysis Techniques

Process hiding detection
Code injection detection
Hollowing detection
Hooking detection
Hidden network connections
Orphan threads
Suspicious memory regions
Encrypted/encoded data in memory
Credential extraction
Decrypted strings
Unpacked code
Configuration extraction

7.4 Other Memory Tools

Rekall
Redline (FireEye)
MANDIANT Memoryze
WinDbg (kernel debugging và crash dumps)
GDB (Linux memory)

8. CRYPTOGRAPHY IN MALWARE

8.1 Cryptographic Concepts

Symmetric encryption (AES, DES, 3DES, RC4, Blowfish, ChaCha20)
Asymmetric encryption (RSA, ECC, ElGamal)
Hashing (MD5, SHA-1, SHA-256, SHA-512)
Digital signatures
Key derivation functions
Block cipher modes (ECB, CBC, CFB, OFB, CTR, GCM)
Stream ciphers
Custom encryption algorithms

8.2 Identifying Cryptography

FindCrypt plugin
Entropy analysis
Constant recognition
Algorithm fingerprinting
S-box identification
Cryptographic API usage

8.3 Cryptanalysis Basics

Known plaintext attacks
Chosen plaintext/ciphertext attacks
Implementation flaws
Weak keys
Key reuse
Poor random number generation
ECB mode weaknesses
Custom crypto weaknesses

8.4 Decryption Techniques

Static key extraction
Dynamic key extraction
Memory dump analysis
Traffic capture analysis
Ransomware decryption (when possible)
Configuration decryption

9. ADVANCED MALWARE TECHNIQUES

9.1 Code Injection

DLL Injection (CreateRemoteThread, QueueUserAPC, SetWindowsHookEx)
Process Hollowing (RunPE)
Atom Bombing
Process Doppelgänging
Thread Execution Hijacking
Reflective DLL Injection
PE Injection
APC Injection
Extra Window Memory Injection
NTDLL Injection
Early Bird Injection
TLS Callback Injection

9.2 Persistence Mechanisms

Registry Run keys
Scheduled tasks
Services
WMI event subscriptions
COM object hijacking
AppInit_DLLs
AppCertDLLs
Image File Execution Options
Netsh helper DLLs
LSA authentication packages
Security Support Providers
Bootkit persistence
UEFI persistence
Shortcut modification (LNK)
Office addins

9.3 Privilege Escalation

Token manipulation
Token impersonation
UAC bypass techniques
Kernel exploits
Local privilege escalation exploits
DLL hijacking
Unquoted service paths
AlwaysInstallElevated
Weak service permissions

9.4 Defense Evasion

AMSI bypass
ETW patching
Disabling Windows Defender
Timestomping
Log deletion
Process masquerading
DLL side-loading
DLL search order hijacking
Signed binary proxy execution
Living-off-the-land binaries
Fileless malware
PowerShell obfuscation
.NET obfuscation

9.5 Lateral Movement

PsExec
WMI
WinRM
DCOM
RDP
SMB exploitation
Pass-the-Hash
Pass-the-Ticket
Overpass-the-Hash
Golden Ticket
Silver Ticket

9.6 C2 Communication

HTTP/HTTPS C2
DNS tunneling
ICMP tunneling
Social media C2 (Twitter, Telegram)
Cloud storage C2 (Dropbox, Google Drive)
Peer-to-peer C2
Domain generation algorithms (DGA)
Fast flux
Dead drop resolvers
Encrypted channels
Covert channels
Steganography

9.7 Data Exfiltration

HTTP/HTTPS exfiltration
DNS exfiltration
Email exfiltration
FTP/SFTP
Cloud storage upload
Steganography
Compressed archives
Encrypted archives

10. EXPLOIT ANALYSIS

10.1 Vulnerability Types

Buffer overflows (Stack, Heap)
Use-after-free
Double-free
Integer overflows
Format string bugs
Race conditions
Logic bugs
Type confusion

10.2 Exploit Techniques

Return-to-libc
ROP (Return-Oriented Programming)
JOP (Jump-Oriented Programming)
Heap spraying
JIT spraying
ASLR bypass
DEP/NX bypass
Stack canary bypass
Control-flow integrity bypass

10.3 Exploit Frameworks in Malware

Metasploit modules
Exploit kits (Angler, RIG, Neutrino, Magnitude)
Browser exploits
Office exploits
PDF exploits
Java exploits
Flash exploits
Zero-day exploits

10.4 Shellcode Analysis

Shellcode structure
Shellcode encoding
Polymorphic shellcode
Alphanumeric shellcode
Egg hunters
Staged vs stageless
Reverse shell
Bind shell
Meterpreter payloads

11. MOBILE MALWARE ANALYSIS

11.1 Android Malware Analysis

APK structure (AndroidManifest.xml, classes.dex, resources)
Static analysis tools (apktool, jadx, dex2jar, JD-GUI)
Dynamic analysis (Android emulator, real device)
ADB (Android Debug Bridge)
Logcat
Frida (dynamic instrumentation)
Objection
Xposed framework
Drozer
MobSF (Mobile Security Framework)
Android malware techniques
Obfuscation techniques
Native code analysis (ARM)
Root detection
Emulator detection
SSL pinning

11.2 iOS Malware Analysis

IPA structure
Jailbreak tools
Static analysis (class-dump, Hopper, IDA Pro)
Dynamic analysis (Frida, Cycript)
SSL Kill Switch
Objection
iOS internals
Objective-C/Swift reverse engineering
Keychain analysis

12. THREAT INTELLIGENCE & IOC

12.1 Indicator of Compromise (IOC)

File hashes (MD5, SHA-1, SHA-256)
IP addresses
Domain names
URLs
Email addresses
Mutexes
Registry keys
File paths
Network signatures
YARA rules
Suricata rules
Snort rules

12.2 IOC Extraction

Automated extraction
Manual extraction
Configuration extraction
Network IOC từ PCAP
Memory IOC từ dumps
Static IOC từ binaries

12.3 Threat Intelligence Platforms

MISP (Malware Information Sharing Platform)
OpenCTI
AlienVault OTX
ThreatConnect
VirusTotal Intelligence
Hybrid Analysis
Any.run
MalwareBazaar
URLhaus
Abuse.ch feeds

12.4 Frameworks

MITRE ATT&CK
Cyber Kill Chain
Diamond Model
STIX/TAXII
OpenIOC

12.5 Malware Families & Attribution

Malware taxonomy
Family identification
Variant tracking
Threat actor attribution
APT tracking
Campaign analysis
TTPs (Tactics, Techniques, Procedures)

13. YARA RULES

13.1 YARA Basics

YARA syntax
String patterns
Hex patterns
Regular expressions
Wildcards
Conditions
Meta information
Rule structure

13.2 Advanced YARA

PE module
ELF module
Math module
Hash module
Time module
Cuckoo module
Performance optimization
Private rules
Global rules
Include statements
External variables

13.3 YARA in Practice

Malware hunting
Incident response
Sandbox integration
Memory scanning
Live system scanning
Rule testing
False positive reduction
Rule sharing
yarGen (rule generation)
Valhalla (rule feed)

14. REPORTING & DOCUMENTATION

14.1 Analysis Report Structure

Executive summary
Malware overview
Technical analysis
- Static analysis findings
- Dynamic analysis findings
- Network analysis
- Memory analysis
IOCs
MITRE ATT&CK mapping
Remediation recommendations
Appendices

14.2 Documentation Best Practices

Clear and concise writing
Technical accuracy
Evidence preservation
Screenshots và annotations
Code snippets
Network diagrams
Timeline creation
Chain of custody
Reproducibility

14.3 Tools for Documentation

Markdown
Jupyter notebooks (for Python analysis)
CherryTree
OneNote
Notion
Obsidian
LaTeX (for formal reports)
Diagram tools (draw.io, Visio)

Malware reports
Blog posts
Conference presentations
Research papers
Twitter threads
GitHub repositories
Malware samples (hashed)
YARA rules
IDA/Ghidra databases

15. SPECIALIZED TOPICS

15.1 Firmware Analysis

Firmware extraction
Firmware unpacking (binwalk, firmware-mod-kit)
Filesystem analysis
Binary analysis in firmware
Embedded device malware
Router malware
IoT malware
UEFI/BIOS malware

15.2 Fileless Malware

PowerShell-based malware
WMI-based malware
Registry-only malware
Memory-only malware
Living-off-the-land techniques
Detection challenges
Analysis techniques

15.3 Ransomware Analysis

Encryption algorithm identification
Key generation analysis
Ransom note analysis
Payment tracking (Bitcoin analysis)
Decryption possibilities
Master key extraction
Backup deletion techniques
Volume Shadow Copy deletion

15.4 Banking Trojan Analysis

Web injection techniques
Man-in-the-browser attacks
Form grabbing
HTML injection
Proxy configuration
Certificate pinning bypass
Configuration files
Target lists

15.5 APT Malware Analysis

Multi-stage payloads
Custom protocols
Stealthy persistence
Anti-forensics
Data staging
Exfiltration techniques
Living-off-the-land
Zero-day exploitation
Attribution challenges

15.6 macOS Malware Analysis

Mach-O format
Gatekeeper bypass
SIP bypass
TCC bypass
Keychain access
Objective-C runtime
Swift analysis
macOS internals
Sandbox escapes

15.7 .NET Malware Analysis

.NET architecture
CIL (Common Intermediate Language)
dnSpy
ILSpy
de4dot (deobfuscator)
.NET Reactor unpacking
ConfuserEx unpacking
Obfuscation techniques
Native compilation (NGen)

15.8 Document-based Malware

Office malware (macros, DDE, OLE)
PDF malware (JavaScript, embedded EXE)
RTF exploits
CHM files
HTA files
Macro analysis (olevba)
VBA stomping
Encrypted macros
Template injection

16. AUTOMATION & TOOLING

16.1 Automated Analysis Platforms

Cuckoo Sandbox setup và customization
CAPE Sandbox
Joe Sandbox
Any.run
Hybrid Analysis
VirusTotal Intelligence
Custom sandbox development

16.2 Analysis Automation

Python scripting for automation
IDA Pro scripting (IDAPython)
Ghidra scripting
r2pipe (Radare2)
Binary analysis frameworks
- angr (symbolic execution)
- Triton
- Manticore
- KLEE
Automated unpacking scripts
IOC extraction automation
Report generation automation

16.3 Custom Tool Development

Binary parsers
Unpacking tools
Configuration extractors
Decryption tools
YARA rule generators
Network protocol analyzers
Memory scanners
Emulators for specific malware

16.4 Integration

SIEM integration
Threat intelligence platform integration
Ticketing system integration
API development
Webhook integration

17. ADVANCED TECHNIQUES

17.1 Symbolic Execution

angr framework
Constraint solving (Z3)
Path exploration
State management
Binary analysis với angr
Vulnerability discovery

17.2 Taint Analysis

Dynamic taint analysis
Static taint analysis
Information flow tracking
Input validation analysis

17.3 Emulation

Unicorn engine
QEMU
Full system emulation
CPU emulation
Unpacking via emulation
API emulation

17.4 Binary Diffing

BinDiff
Diaphora
Patch analysis
Variant analysis
Code reuse detection

17.5 Machine Learning in Malware Analysis

Feature extraction
Classification models
Clustering malware families
Anomaly detection
Automated analysis
Deep learning for malware detection
Adversarial ML attacks

18. INDUSTRY TOOLS & PLATFORMS

18.1 Commercial Tools

IDA Pro
Hex-Rays Decompiler
Binary Ninja
Hopper Disassembler
JEB Decompiler (Android/Native)
Relyze
PE Explorer
CFF Explorer

18.2 Free/Open Source Tools

Ghidra
Radare2/Rizin/Cutter
x64dbg/x32dbg
OllyDbg
GDB
Volatility
YARA
ClamAV
REMnux distribution
FLARE VM
Santoku (mobile)

18.3 Online Services

VirusTotal
Hybrid Analysis
Joe Sandbox
Any.run
MalwareBazaar
URLhaus
ThreatMiner
AlienVault OTX
Shodan
Censys

19. LAB SETUP & ENVIRONMENT

19.1 Malware Analysis Lab

Isolated network
Virtual machines (VirtualBox, VMware, Hyper-V)
Snapshots
REMnux (Linux analysis)
FLARE VM (Windows analysis)
INetSim (service simulation)
FakeNet-NG
Malware sample storage
Air-gapped analysis
Physical isolation

19.2 Safe Handling

Encrypted sample storage
Password protection (standard: infected)
Zip với password
Secure transfer
Legal considerations
Ethics
Sample sharing protocols

19.3 Infrastructure

Analysis VMs
Monitoring VMs
C2 simulation infrastructure
Network traffic capture
Log collection
Backup solutions

20. CERTIFICATIONS

20.1 Foundational

CompTIA Security+
CEH (Certified Ethical Hacker)
GIAC GSEC (Security Essentials)

20.2 Malware Analysis Specific

GREM (GIAC Reverse Engineering Malware) - HIGHLY RECOMMENDED
GDAT (GIAC Defending Advanced Threats)
eLearnSecurity eMAPT (Malware Analysis Professional)
Practical Malware Analysis & Triage (PMAT) - TCM Security

20.3 Reverse Engineering

GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
Offensive Security OSED (Exploit Developer)
Offensive Security OSWE (Web Expert)
eLearnSecurity eCXD (Exploit Development)

20.4 Specialized

GCFA (GIAC Certified Forensic Analyst)
GNFA (GIAC Network Forensic Analyst)
GCIA (GIAC Certified Intrusion Analyst)
CCFE (Certified Computer Forensics Examiner)
EnCE (EnCase Certified Examiner)

20.5 Vendor Certifications

Microsoft Certified: Security Operations Analyst
Cisco CyberOps Associate/Professional
SANS certifications (FOR610, FOR710, SEC760)

21. RESOURCES & CONTINUOUS LEARNING

21.1 Books - ESSENTIAL READING

“Practical Malware Analysis” by Michael Sikorski, Andrew Honig (Bible)
“The Art of Memory Forensics” by Michael Hale Ligh et al.
“Malware Analyst’s Cookbook” by Michael Ligh et al.
“Rootkits and Bootkits” by Alex Matrosov et al.
“The IDA Pro Book” by Chris Eagle
“Practical Binary Analysis” by Dennis Andriesse
“Reversing: Secrets of Reverse Engineering” by Eldad Eilam
“Learning Malware Analysis” by Monnappa K A
“Windows Internals” by Mark Russinovich (Parts 1 & 2)
“x86 Disassembly” by Wikibooks
“Hacking: The Art of Exploitation” by Jon Erickson
“Gray Hat C#” by Brandon Perry
“Android Hacker’s Handbook”
“iOS Hacker’s Handbook”

21.2 Online Courses

SANS FOR610 (Reverse-Engineering Malware)
SANS FOR710 (Reverse-Engineering Malware Advanced)
SANS SEC760 (Advanced Exploit Development)
Malware Analysis Bootcamp (Pluralsight)
Malware Analysis and Reverse Engineering (Cybrary)
Practical Malware Analysis & Triage (TCM Security)
MalwareTech tutorials
OpenSecurityTraining

21.3 Practice Platforms

Malware samples:
- MalwareBazaar (https://bazaar.abuse.ch/)
- VirusShare
- theZoo (GitHub - caution!)
- Contagio
- VX Underground (research only)
CTF platforms:
- FlareOn Challenge (FireEye/Mandiant)
- Reversing.kr
- Crackmes.one
- root-me.org
- HackTheBox (reversing challenges)
Tutorials:
- MalwareTech blog
- hasherezade’s blog
- OALabs (YouTube)
- 0xRick blog

21.4 Communities

Malware analysis forums
Reddit (r/Malware, r/ReverseEngineering)
Discord servers (Malware Analysis, RE)
Twitter infosec community (#malware, #RE)
OALABS Discord
MalwareMustDie

21.5 Blogs & News

Malwarebytes Labs
Kaspersky Securelist
Bleeping Computer
Krebs on Security
TrendMicro Research
Cisco Talos
FireEye/Mandiant blog
hasherezade’s blog
0ffset’s blog
OALabs blog

21.6 Conferences

DEF CON (Reverse Engineering Village)
Black Hat (malware/RE talks)
REcon (Reverse Engineering Conference)
Virus Bulletin
Botconf
Malcon
BSides events
Hack in the Box

21.7 Tools Collections

FLARE team tools (GitHub)
REMnux toolkit
SANS SIFT Workstation
Hybrid Analysis community tools
Awesome Malware Analysis (GitHub)

21.8 YouTube Channels

OALabs
MalwareAnalysisForHedgehogs
LiveOverflow
John Hammond
IppSec
13Cubed
Colin Hardy

22. CAREER PATH

22.1 Entry Level

Malware Analyst (Junior)
- Sample triage
- Basic static/dynamic analysis
- IOC extraction
- Report writing
- Salary: $60k-$80k
SOC Analyst with malware focus
- Alert triage
- Malware identification
- Basic analysis
- Salary: $50k-$70k

22.2 Mid Level

Malware Analyst
- Advanced analysis
- Reverse engineering
- Custom tool development
- Threat intelligence
- Salary: $90k-$120k
Reverse Engineer
- Binary analysis
- Vulnerability research
- Exploit analysis
- Salary: $100k-$130k

22.3 Senior Level

Senior Malware Analyst
- Complex malware families
- APT analysis
- Team lead
- Training junior analysts
- Salary: $130k-$160k
Principal Reverse Engineer
- Advanced RE projects
- Zero-day analysis
- Tool development
- Research
- Salary: $140k-$180k

22.4 Expert/Specialist

Malware Researcher
- Original research
- Conference speaking
- CVE discoveries
- Advanced techniques
- Salary: $150k-$200k+
Threat Intelligence Lead
- Team management
- Strategic analysis
- Threat actor tracking
- Salary: $160k-$200k+

22.5 Industry Sectors

Antivirus companies (Kaspersky, Bitdefender, ESET, etc.)
Security vendors (CrowdStrike, FireEye/Mandiant, Palo Alto)
Government agencies (NSA, FBI, CISA)
Defense contractors
Financial institutions
Big tech (Google, Microsoft, Apple)
Consulting firms
MSSPs
Independent consulting/freelance

Threat Hunter
Incident Responder (DFIR)
Exploit Developer
Security Researcher
Vulnerability Researcher
APT Analyst
Threat Intelligence Analyst

23. SOFT SKILLS

23.1 Analytical Skills

Critical thinking
Problem-solving
Pattern recognition
Attention to detail
Logical reasoning
Hypothesis testing

23.2 Communication

Technical writing
Report writing
Presentation skills
Teaching/mentoring
Cross-team collaboration
Stakeholder communication

23.3 Research Skills

Literature review
Experimentation
Documentation
Tool evaluation
Staying current
Continuous learning

23.4 Mindset

Patience (analysis can take days/weeks)
Curiosity
Persistence
Adaptability
Attention to detail
Systematic approach
Creative thinking

LỘ TRÌNH HỌC ĐỀ XUẤT (24-36 THÁNG)

Tháng 1-3: Foundations

Computer architecture
OS internals (Windows/Linux)
C/C++ programming
Assembly basics (x86)
Python scripting

Tháng 4-6: Reverse Engineering Basics

IDA Pro/Ghidra basics
x64dbg/GDB
Static analysis techniques
Dynamic analysis techniques
PE format mastery

Tháng 7-9: Malware Analysis Fundamentals

Basic static/dynamic analysis
Sandboxing
Behavioral analysis
String analysis
Packer identification

Tháng 10-12: Advanced RE & Analysis

Advanced debugging
Unpacking techniques
Anti-analysis bypass
Code obfuscation
Memory forensics (Volatility)

Tháng 13-15: Specialized Malware

Ransomware analysis
Banking trojans
RATs
Rootkits
Mobile malware (Android)

Tháng 16-18: Advanced Topics

Exploit analysis
Shellcode analysis
Kernel malware
APT malware
Cryptography in malware

Tháng 19-21: Automation & Tooling

Python automation
IDA/Ghidra scripting
Custom tool development
Sandbox customization
YARA mastery

Tháng 22-24: Threat Intelligence

IOC extraction
MITRE ATT&CK
Threat intelligence platforms
Report writing
Attribution techniques

Tháng 25-30: Specialization

Choose specialization (APT, ransomware, mobile, etc.)
Advanced research
Conference talks
Blog writing
Open source contributions

Tháng 31-36: Mastery

Original research
0-day hunting
Advanced tool development
Mentoring others
Industry recognition

TIPS ĐỂ MASTER MALWARE ANALYSIS

Daily Practice

Analyze 1 malware sample mỗi ngày
Document everything
Write YARA rules
Share findings

Build Portfolio

GitHub repository với tools
Blog write-ups (malware analysis)
YARA rules repository
Conference presentations
CVE discoveries

Networking

Twitter malware analysis community
Discord servers
Conference attendance
Mentorship
Collaborate on analysis

Stay Current

Daily malware news
Follow researchers
New techniques
Tool updates
Threat actor campaigns

Contribute

Open source tools
YARA rules sharing
Write-ups
Help community
Mentor beginners

Build Lab

Proper isolation
Multiple VMs
Tool collection
Sample repository
Documentation system

Read Code

Read malware source code (when available)
Read analysis tool source
Understand techniques
Learn from others

Challenge Yourself

FlareOn Challenge annual
Analyze APT samples
Reverse unfamiliar architectures
Learn new techniques
Research 0-days

KẾT LUẬN

Malware Analysis/Reverse Engineering là một trong những lĩnh vực KHÓ NHẤT nhưng cũng THÚ VỊ NHẤT trong cybersecurity.

Yêu cầu:

Kiên nhẫn cực cao (1 sample có thể mất hàng tuần)
Kỹ thuật sâu (assembly, OS internals, cryptography)
Continuous learning (malware luôn tiến hóa)
Passion thực sự (không phải vì tiền)

Phần thưởng:

Lương CỰC CAO ($150k-$250k+ cho senior)
Intellectually stimulating
High respect trong community
Job security (demand > supply)
Work on cutting-edge threats

Nếu bạn thích DEEP TECHNICAL, PUZZLE-SOLVING, và DETECTIVE WORK thì đây là con đường dành cho bạn! 🔍🦠