ROADMAP MALWARE ANALYST/REVERSE ENGINEER TOÀN DIỆN¤

1. FOUNDATIONS - NỀN TẢNG CƠ BẢN¤

1.1 Computer Architecture¤

CPU architecture (x86, x64, ARM)
Registers (General purpose, Special purpose)
Memory organization (Stack, Heap, Data, Text segments)
Memory addressing modes
Cache hierarchy (L1, L2, L3)
Virtual memory
Paging và segmentation
Instruction pipeline
RISC vs CISC
Endianness (Little-endian, Big-endian)

1.2 Operating Systems Internals¤

Windows Internals¤

Windows architecture overview
Kernel mode vs User mode
Windows API (Win32 API, Native API)
Process và Thread management
Virtual memory management
Handle tables
Object Manager
Registry internals
File system (NTFS internals)
PE (Portable Executable) format deep dive
DLL loading mechanism
Windows security (ACLs, SIDs, Tokens)
Windows services
Driver model (WDM, WDF)
Debugging APIs
Exception handling (SEH, VEH)
Critical sections và synchronization
Hooks (IAT hooks, Inline hooks, SSDT hooks)

Linux Internals¤

Linux kernel architecture
System calls
ELF (Executable and Linkable Format)
Process management
Memory management
File systems (ext4, etc.)
Kernel modules
/proc filesystem
Signals
Inter-process communication
Dynamic linking
ptrace mechanism
LD_PRELOAD hooking

1.3 Networking Fundamentals¤

TCP/IP stack
Socket programming
HTTP/HTTPS protocols
DNS protocol
Common malware protocols
Network traffic analysis
Packet capture và analysis
C2 communication patterns
TOR và anonymity networks
Proxy và tunneling

1.4 File Formats¤

PE format (DOS Header, NT Headers, Sections, Import/Export tables)
ELF format
Mach-O format (macOS)
Office file formats (OOXML, OLE)
PDF format
Archive formats (ZIP, RAR, 7z)
Image formats (JPEG, PNG với steganography)
Executable packers và compression

2. PROGRAMMING LANGUAGES¤

2.1 Assembly Language - CRITICAL¤

x86 Assembly
Instruction set (MOV, ADD, SUB, MUL, DIV, etc.)
Arithmetic operations
Logical operations
Bitwise operations
Control flow (JMP, JE, JNE, JG, JL, CALL, RET)
Stack operations (PUSH, POP)
String operations
Addressing modes
x64 Assembly (x86-64)
64-bit registers (RAX, RBX, RCX, RDX, etc.)
Calling conventions (Microsoft x64, System V AMD64 ABI)
Shadow space
Parameter passing
RIP-relative addressing
ARM Assembly
ARM instruction set
Thumb mode
ARM64/AArch64
NEON instructions
Mobile malware analysis
MIPS Assembly (optional)
IoT device malware

2.2 C/C++ - ESSENTIAL¤

C language mastery
Pointers và memory management
Structures và unions
Function pointers
Bit manipulation
Preprocessor directives
Standard library
C++ specifics
Classes và objects
Virtual functions và vtables
Templates
STL
Exception handling
RTTI (Run-Time Type Information)
Name mangling
Compiler behavior
Optimization levels
Compiler-specific features
Inline assembly
Intrinsics

2.3 Python - AUTOMATION¤

Python for malware analysis
Scripting automation
Binary parsing libraries
pefile (PE analysis)
pyelftools (ELF analysis)
capstone (Disassembly)
unicorn (Emulation)
yara-python
volatility plugins
Network analysis (scapy)
Web scraping (requests, beautifulsoup)
API interaction
Report generation
IOC extraction scripts
Custom tool development

2.4 PowerShell¤

PowerShell malware analysis
Deobfuscation scripts
PowerShell Empire understanding
Obfuscation techniques
Logging và detection
AMSI bypass techniques
PowerShell internals

2.5 Other Languages¤

JavaScript/VBScript (for macro/script-based malware)
Delphi (common in malware)
Visual Basic (legacy malware)
.NET (C#, VB.NET)
Java (Android malware)
Go (emerging in malware)
Rust (emerging in malware)

3. REVERSE ENGINEERING FUNDAMENTALS¤

3.1 Disassemblers & Decompilers¤

IDA Pro - INDUSTRY STANDARD¤

Interface navigation
Graph view vs Text view
Cross-references (Xrefs)
Function analysis
Structure definitions
Enums và constants
IDC scripting
IDAPython scripting
Hex-Rays decompiler
Debugging với IDA
Plugins (FindCrypt, Keypatch, etc.)
Signature generation (FLIRT)
Type libraries
Collaborative RE (IDA Teams)

Ghidra - FREE POWERFUL ALTERNATIVE¤

Project management
CodeBrowser interface
Decompiler usage
Scripting (Java, Python)
Data type manager
Function graphs
Symbol trees
Version tracking
Ghidra plugins
Collaborative features
P-Code analysis
Custom processors

Binary Ninja¤

Linear disassembly
MLIL, LLIL, HLIL views
Python API
Plugin development
Collaborative RE
Custom architectures

Radare2/Rizin¤

Command-line RE
r2pipe scripting
Visual mode
Debugging capabilities
Cutter GUI
ESIL (Evaluable Strings Intermediate Language)

Other Tools¤

Hopper Disassembler (macOS)
Capstone (disassembly framework)
Unicorn (CPU emulator)
Triton (symbolic execution)

3.2 Debuggers - ESSENTIAL¤

x64dbg/x32dbg (Windows)¤

Breakpoints (Software, Hardware, Memory)
Step execution (Step into, Step over, Step out)
Register modification
Memory inspection và modification
Scripting (x64dbgpy)
Plugins (OllyDumpEx, Scylla, etc.)
Conditional breakpoints
Tracing
Call stack analysis
Thread debugging

WinDbg (Windows Kernel/User)¤

Commands mastery (k, u, r, dt, etc.)
Extension commands (!analyze, !peb, !teb)
Symbol resolution
Memory analysis
Kernel debugging
Crash dump analysis
Time Travel Debugging (TTD)
JavaScript scripting

GDB (Linux)¤

GDB commands (break, run, continue, step, next, print)
GEF/PEDA/pwndbg enhancements
Core dump analysis
Remote debugging
Python scripting
Reverse debugging (rr)

OllyDbg (legacy but still useful)¤

Classic debugging
Plugins ecosystem
Script debugging

Immunity Debugger¤

Python API
Exploit development
mona.py plugin

3.3 Dynamic Analysis Tools¤

Sandboxes¤

Cuckoo Sandbox
Setup và configuration
Custom analyzers
Signature creation
Report interpretation
Network analysis
Memory dumps
Any.run (online)
Joe Sandbox
Hybrid Analysis
CAPE Sandbox
Custom sandbox development

Process Monitors¤

Process Monitor (Procmon)
Filtering techniques
Registry monitoring
File system monitoring
Network monitoring
Process/Thread monitoring
Process Explorer
Process tree
Handle analysis
DLL view
String analysis
VirusTotal integration
API Monitor
API hooking
Call stack capture
Parameter monitoring
Filter configuration

System Monitoring¤

Sysmon
Configuration
Event log analysis
IOC detection
Autoruns
RegShot (registry snapshot comparison)
ProcDOT (visual analysis)

3.4 Static Analysis Techniques¤

String analysis (strings, FLOSS)
Import/Export table analysis
Resource analysis
Entropy analysis (detect packed/encrypted sections)
Header analysis
Section analysis
Signature scanning (YARA)
Hashing (MD5, SHA-256, ssdeep, imphash)
Certificate analysis
Metadata extraction
Pattern matching

4. MALWARE ANALYSIS METHODOLOGY¤

4.1 Basic Static Analysis¤

File identification (file command, TrID)
Hash calculation và lookup (VirusTotal, MalwareBazaar)
Packer detection (PEiD, Detect It Easy, Exeinfo PE)
String extraction (strings, FLOSS - FLARE Obfuscated String Solver)
PE analysis (PEStudio, PE-bear, pestudio)
Import/Export analysis
Resource extraction
Signature creation (YARA rules)
Metadata analysis
Digital signature verification

4.2 Basic Dynamic Analysis¤

Safe execution environment setup
Virtual machine configuration
Snapshot management
Behavioral monitoring
Process creation monitoring
File system changes
Registry modifications
Network connections
Mutex creation
Service installation
Persistence mechanisms
Screenshot capture
Behavioral signatures

4.3 Advanced Static Analysis¤

Disassembly
Code flow analysis
Control flow graphs
Data flow analysis
Function identification
Algorithm recognition
Cryptography identification
Anti-analysis technique detection
Code optimization recognition
Compiler artifact identification

4.4 Advanced Dynamic Analysis¤

Debugging malware
Breakpoint strategies
Memory dumping
Unpacking trong runtime
API hooking
Function tracing
Kernel debugging
Rootkit analysis
Memory forensics
Decryption trong memory
Code injection analysis

5. MALWARE TYPES & FAMILIES¤

5.1 Malware Categories¤

Viruses¤

File infectors
Boot sector viruses
Macro viruses
Polymorphic viruses
Metamorphic viruses
Cavity viruses
Companion viruses

Worms¤

Network worms
Email worms
IM worms
USB worms
Self-replication mechanisms
Propagation techniques

Trojans¤

Backdoor trojans
Downloader trojans
Dropper trojans
RATs (Remote Access Trojans)
Banking trojans
Infostealer trojans
Proxy trojans

Ransomware¤

Crypto-ransomware
Locker-ransomware
Master Boot Record (MBR) ransomware
Encryption algorithms analysis
Ransom note analysis
Payment mechanisms
Decryption possibilities
Notable families (WannaCry, Ryuk, REvil, LockBit)

Spyware¤

Keyloggers
Screen capture malware
Credential stealers
Session hijackers
Form grabbers
Clipboard monitors

Rootkits¤

User-mode rootkits
Kernel-mode rootkits
Bootkit/Bootkits
Firmware rootkits
Hypervisor rootkits
Direct Kernel Object Manipulation (DKOM)
SSDT hooking
IRP hooking
IDT hooking

Botnets¤

Bot architecture
C2 communication
DDoS capabilities
Spam engines
Credential stuffing
Cryptomining
Notable botnets (Mirai, Emotet, TrickBot)

APT Malware¤

Nation-state malware
Zero-day exploits
Fileless malware
Living-off-the-land binaries
Advanced persistence
Lateral movement tools
Data exfiltration
Notable APT groups malware

Mobile Malware¤

Android malware
iOS malware
Mobile banking trojans
SMS trojans
Premium SMS fraud
Repackaged apps
Adware

IoT Malware¤

Router malware
Camera malware
Smart device malware
Firmware implants

5.2 Notable Malware Families (Study Cases)¤

Stuxnet (ICS/SCADA worm)
WannaCry (Ransomware worm)
NotPetya (Destructive wiper)
Emotet (Botnet/Downloader)
TrickBot (Banking trojan)
Ryuk (Ransomware)
Zeus/Zbot (Banking trojan)
Carbanak (APT banking malware)
PlugX (APT RAT)
Cobalt Strike (Legitimate tool misused)
Mimikatz (Credential dumper)
Gh0st RAT
DarkComet RAT
njRAT
Poison Ivy
BlackEnergy
Industroyer/CrashOverride
Lazarus group malware
APT28/Fancy Bear malware
APT29/Cozy Bear malware

6. ANTI-ANALYSIS TECHNIQUES¤

6.1 Anti-Debugging¤

IsDebuggerPresent API
CheckRemoteDebuggerPresent
NtQueryInformationProcess
PEB BeingDebugged flag
PEB NtGlobalFlag
Heap flags
INT 3 detection
INT 2D detection
Software breakpoint detection
Hardware breakpoint detection
Timing checks (RDTSC, GetTickCount, QueryPerformanceCounter)
Exception-based anti-debugging
TLS callbacks
Self-debugging
Parent process check
SeDebugPrivilege check

6.2 Anti-VM/Anti-Sandbox¤

VMware detection (VMware Tools, registry keys, files)
VirtualBox detection
QEMU detection
Hyper-V detection
CPUID checks
MAC address checks
Hardware checks (disk size, RAM)
Timing attacks
User interaction checks (mouse movement, clicks)
Sleep acceleration detection
Artifact checks (specific files, processes)
Number of processes check
Temperature sensors
USB devices count

6.3 Anti-Disassembly¤

Junk code insertion
Opaque predicates
Control flow flattening
Dead code insertion
Impossible disassembly
Function pointer obfuscation
Overlapping instructions
Self-modifying code
Polymorphic code
Metamorphic code

6.4 Code Obfuscation¤

String encryption
API obfuscation (API hashing, dynamic API resolution)
Control flow obfuscation
Data obfuscation
Instruction substitution
Code virtualization
Packing/Crypting
Garbage code insertion
Dead code insertion

6.5 Packing & Crypting¤

UPX
ASPack
PECompact
Themida
VMProtect
Enigma Protector
Code virtualizers
Custom packers
Unpacking techniques
Manual unpacking
Automated unpacking (OEP finding)

6.6 Bypassing Anti-Analysis¤

Patching anti-debug checks
Environment manipulation
Timing manipulation
Emulation vs virtualization
Bare metal analysis
Kernel debugging
Hardware-assisted virtualization detection bypass
ScyllaHide plugin
TitanHide driver
Pafish (test environment detection)

7. MEMORY FORENSICS¤

7.1 Memory Acquisition¤

Live memory acquisition
DumpIt
FTK Imager
WinPmem
LiME (Linux Memory Extractor)
Memory dump formats (raw, crash dump, hibernation file)

7.2 Volatility Framework - ESSENTIAL¤

Volatility 2 vs Volatility 3
Profile selection/creation
Process analysis (pslist, psscan, pstree)
Network connections (netscan, connections, connscan)
DLL analysis (dlllist, ldrmodules)
Handle analysis (handles)
Registry analysis (hivelist, printkey)
File extraction (dumpfiles, memdump)
Malware detection (malfind, ldrmodules)
Rootkit detection (psxview, modscan)
Timeline creation (timeliner)
Plugin development
Custom plugins for specific malware

7.3 Memory Analysis Techniques¤

Process hiding detection
Code injection detection
Hollowing detection
Hooking detection
Hidden network connections
Orphan threads
Suspicious memory regions
Encrypted/encoded data in memory
Credential extraction
Decrypted strings
Unpacked code
Configuration extraction

7.4 Other Memory Tools¤

Rekall
Redline (FireEye)
MANDIANT Memoryze
WinDbg (kernel debugging và crash dumps)
GDB (Linux memory)

8. CRYPTOGRAPHY IN MALWARE¤

8.1 Cryptographic Concepts¤

Symmetric encryption (AES, DES, 3DES, RC4, Blowfish, ChaCha20)
Asymmetric encryption (RSA, ECC, ElGamal)
Hashing (MD5, SHA-1, SHA-256, SHA-512)
Digital signatures
Key derivation functions
Block cipher modes (ECB, CBC, CFB, OFB, CTR, GCM)
Stream ciphers
Custom encryption algorithms

8.2 Identifying Cryptography¤

FindCrypt plugin
Entropy analysis
Constant recognition
Algorithm fingerprinting
S-box identification
Cryptographic API usage

8.3 Cryptanalysis Basics¤

Known plaintext attacks
Chosen plaintext/ciphertext attacks
Implementation flaws
Weak keys
Key reuse
Poor random number generation
ECB mode weaknesses
Custom crypto weaknesses

8.4 Decryption Techniques¤

Static key extraction
Dynamic key extraction
Memory dump analysis
Traffic capture analysis
Ransomware decryption (when possible)
Configuration decryption

9. ADVANCED MALWARE TECHNIQUES¤

9.1 Code Injection¤

DLL Injection (CreateRemoteThread, QueueUserAPC, SetWindowsHookEx)
Process Hollowing (RunPE)
Atom Bombing
Process Doppelgänging
Thread Execution Hijacking
Reflective DLL Injection
PE Injection
APC Injection
Extra Window Memory Injection
NTDLL Injection
Early Bird Injection
TLS Callback Injection

9.2 Persistence Mechanisms¤

Registry Run keys
Scheduled tasks
Services
WMI event subscriptions
COM object hijacking
AppInit_DLLs
AppCertDLLs
Image File Execution Options
Netsh helper DLLs
LSA authentication packages
Security Support Providers
Bootkit persistence
UEFI persistence
Shortcut modification (LNK)
Office addins

9.3 Privilege Escalation¤

Token manipulation
Token impersonation
UAC bypass techniques
Kernel exploits
Local privilege escalation exploits
DLL hijacking
Unquoted service paths
AlwaysInstallElevated
Weak service permissions

9.4 Defense Evasion¤

AMSI bypass
ETW patching
Disabling Windows Defender
Timestomping
Log deletion
Process masquerading
DLL side-loading
DLL search order hijacking
Signed binary proxy execution
Living-off-the-land binaries
Fileless malware
PowerShell obfuscation
.NET obfuscation

9.5 Lateral Movement¤

PsExec
WMI
WinRM
DCOM
RDP
SMB exploitation
Pass-the-Hash
Pass-the-Ticket
Overpass-the-Hash
Golden Ticket
Silver Ticket

9.6 C2 Communication¤

HTTP/HTTPS C2
DNS tunneling
ICMP tunneling
Social media C2 (Twitter, Telegram)
Cloud storage C2 (Dropbox, Google Drive)
Peer-to-peer C2
Domain generation algorithms (DGA)
Fast flux
Dead drop resolvers
Encrypted channels
Covert channels
Steganography

9.7 Data Exfiltration¤

HTTP/HTTPS exfiltration
DNS exfiltration
Email exfiltration
FTP/SFTP
Cloud storage upload
Steganography
Compressed archives
Encrypted archives

10. EXPLOIT ANALYSIS¤

10.1 Vulnerability Types¤

Buffer overflows (Stack, Heap)
Use-after-free
Double-free
Integer overflows
Format string bugs
Race conditions
Logic bugs
Type confusion

10.2 Exploit Techniques¤

Return-to-libc
ROP (Return-Oriented Programming)
JOP (Jump-Oriented Programming)
Heap spraying
JIT spraying
ASLR bypass
DEP/NX bypass
Stack canary bypass
Control-flow integrity bypass

10.3 Exploit Frameworks in Malware¤

Metasploit modules
Exploit kits (Angler, RIG, Neutrino, Magnitude)
Browser exploits
Office exploits
PDF exploits
Java exploits
Flash exploits
Zero-day exploits

10.4 Shellcode Analysis¤

Shellcode structure
Shellcode encoding
Polymorphic shellcode
Alphanumeric shellcode
Egg hunters
Staged vs stageless
Reverse shell
Bind shell
Meterpreter payloads

11. MOBILE MALWARE ANALYSIS¤

11.1 Android Malware Analysis¤

APK structure (AndroidManifest.xml, classes.dex, resources)
Static analysis tools (apktool, jadx, dex2jar, JD-GUI)
Dynamic analysis (Android emulator, real device)
ADB (Android Debug Bridge)
Logcat
Frida (dynamic instrumentation)
Objection
Xposed framework
Drozer
MobSF (Mobile Security Framework)
Android malware techniques
Obfuscation techniques
Native code analysis (ARM)
Root detection
Emulator detection
SSL pinning

11.2 iOS Malware Analysis¤

IPA structure
Jailbreak tools
Static analysis (class-dump, Hopper, IDA Pro)
Dynamic analysis (Frida, Cycript)
SSL Kill Switch
Objection
iOS internals
Objective-C/Swift reverse engineering
Keychain analysis

12. THREAT INTELLIGENCE & IOC¤

12.1 Indicator of Compromise (IOC)¤

File hashes (MD5, SHA-1, SHA-256)
IP addresses
Domain names
URLs
Email addresses
Mutexes
Registry keys
File paths
Network signatures
YARA rules
Suricata rules
Snort rules

12.2 IOC Extraction¤

Automated extraction
Manual extraction
Configuration extraction
Network IOC từ PCAP
Memory IOC từ dumps
Static IOC từ binaries

12.3 Threat Intelligence Platforms¤

MISP (Malware Information Sharing Platform)
OpenCTI
AlienVault OTX
ThreatConnect
VirusTotal Intelligence
Hybrid Analysis
Any.run
MalwareBazaar
URLhaus
Abuse.ch feeds

12.4 Frameworks¤

MITRE ATT&CK
Cyber Kill Chain
Diamond Model
STIX/TAXII
OpenIOC

12.5 Malware Families & Attribution¤

Malware taxonomy
Family identification
Variant tracking
Threat actor attribution
APT tracking
Campaign analysis
TTPs (Tactics, Techniques, Procedures)

13. YARA RULES¤

13.1 YARA Basics¤

YARA syntax
String patterns
Hex patterns
Regular expressions
Wildcards
Conditions
Meta information
Rule structure

13.2 Advanced YARA¤

PE module
ELF module
Math module
Hash module
Time module
Cuckoo module
Performance optimization
Private rules
Global rules
Include statements
External variables

13.3 YARA in Practice¤

Malware hunting
Incident response
Sandbox integration
Memory scanning
Live system scanning
Rule testing
False positive reduction
Rule sharing
yarGen (rule generation)
Valhalla (rule feed)

14. REPORTING & DOCUMENTATION¤

14.1 Analysis Report Structure¤

Executive summary
Malware overview
Technical analysis
Static analysis findings
Dynamic analysis findings
Network analysis
Memory analysis
IOCs
MITRE ATT&CK mapping
Remediation recommendations
Appendices

14.2 Documentation Best Practices¤

Clear and concise writing
Technical accuracy
Evidence preservation
Screenshots và annotations
Code snippets
Network diagrams
Timeline creation
Chain of custody
Reproducibility

14.3 Tools for Documentation¤

Markdown
Jupyter notebooks (for Python analysis)
CherryTree
OneNote
Notion
Obsidian
LaTeX (for formal reports)
Diagram tools (draw.io, Visio)

Malware reports
Blog posts
Conference presentations
Research papers
Twitter threads
GitHub repositories
Malware samples (hashed)
YARA rules
IDA/Ghidra databases

15. SPECIALIZED TOPICS¤

15.1 Firmware Analysis¤

Firmware extraction
Firmware unpacking (binwalk, firmware-mod-kit)
Filesystem analysis
Binary analysis in firmware
Embedded device malware
Router malware
IoT malware
UEFI/BIOS malware

15.2 Fileless Malware¤

PowerShell-based malware
WMI-based malware
Registry-only malware
Memory-only malware
Living-off-the-land techniques
Detection challenges
Analysis techniques

15.3 Ransomware Analysis¤

Encryption algorithm identification
Key generation analysis
Ransom note analysis
Payment tracking (Bitcoin analysis)
Decryption possibilities
Master key extraction
Backup deletion techniques
Volume Shadow Copy deletion

15.4 Banking Trojan Analysis¤

Web injection techniques
Man-in-the-browser attacks
Form grabbing
HTML injection
Proxy configuration
Certificate pinning bypass
Configuration files
Target lists

15.5 APT Malware Analysis¤

Multi-stage payloads
Custom protocols
Stealthy persistence
Anti-forensics
Data staging
Exfiltration techniques
Living-off-the-land
Zero-day exploitation
Attribution challenges

15.6 macOS Malware Analysis¤

Mach-O format
Gatekeeper bypass
SIP bypass
TCC bypass
Keychain access
Objective-C runtime
Swift analysis
macOS internals
Sandbox escapes

15.7 .NET Malware Analysis¤

.NET architecture
CIL (Common Intermediate Language)
dnSpy
ILSpy
de4dot (deobfuscator)
.NET Reactor unpacking
ConfuserEx unpacking
Obfuscation techniques
Native compilation (NGen)

15.8 Document-based Malware¤

Office malware (macros, DDE, OLE)
PDF malware (JavaScript, embedded EXE)
RTF exploits
CHM files
HTA files
Macro analysis (olevba)
VBA stomping
Encrypted macros
Template injection

16. AUTOMATION & TOOLING¤

16.1 Automated Analysis Platforms¤

Cuckoo Sandbox setup và customization
CAPE Sandbox
Joe Sandbox
Any.run
Hybrid Analysis
VirusTotal Intelligence
Custom sandbox development

16.2 Analysis Automation¤

Python scripting for automation
IDA Pro scripting (IDAPython)
Ghidra scripting
r2pipe (Radare2)
Binary analysis frameworks
angr (symbolic execution)
Triton
Manticore
KLEE
Automated unpacking scripts
IOC extraction automation
Report generation automation

16.3 Custom Tool Development¤

Binary parsers
Unpacking tools
Configuration extractors
Decryption tools
YARA rule generators
Network protocol analyzers
Memory scanners
Emulators for specific malware

16.4 Integration¤

SIEM integration
Threat intelligence platform integration
Ticketing system integration
API development
Webhook integration

17. ADVANCED TECHNIQUES¤

17.1 Symbolic Execution¤

angr framework
Constraint solving (Z3)
Path exploration
State management
Binary analysis với angr
Vulnerability discovery

17.2 Taint Analysis¤

Dynamic taint analysis
Static taint analysis
Information flow tracking
Input validation analysis

17.3 Emulation¤

Unicorn engine
QEMU
Full system emulation
CPU emulation
Unpacking via emulation
API emulation

17.4 Binary Diffing¤

BinDiff
Diaphora
Patch analysis
Variant analysis
Code reuse detection

17.5 Machine Learning in Malware Analysis¤

Feature extraction
Classification models
Clustering malware families
Anomaly detection
Automated analysis
Deep learning for malware detection
Adversarial ML attacks

18. INDUSTRY TOOLS & PLATFORMS¤

18.1 Commercial Tools¤

IDA Pro
Hex-Rays Decompiler
Binary Ninja
Hopper Disassembler
JEB Decompiler (Android/Native)
Relyze
PE Explorer
CFF Explorer

18.2 Free/Open Source Tools¤

Ghidra
Radare2/Rizin/Cutter
x64dbg/x32dbg
OllyDbg
GDB
Volatility
YARA
ClamAV
REMnux distribution
FLARE VM
Santoku (mobile)

18.3 Online Services¤

VirusTotal
Hybrid Analysis
Joe Sandbox
Any.run
MalwareBazaar
URLhaus
ThreatMiner
AlienVault OTX
Shodan
Censys

19. LAB SETUP & ENVIRONMENT¤

19.1 Malware Analysis Lab¤

Isolated network
Virtual machines (VirtualBox, VMware, Hyper-V)
Snapshots
REMnux (Linux analysis)
FLARE VM (Windows analysis)
INetSim (service simulation)
FakeNet-NG
Malware sample storage
Air-gapped analysis
Physical isolation

19.2 Safe Handling¤

Encrypted sample storage
Password protection (standard: infected)
Zip với password
Secure transfer
Legal considerations
Ethics
Sample sharing protocols

19.3 Infrastructure¤

Analysis VMs
Monitoring VMs
C2 simulation infrastructure
Network traffic capture
Log collection
Backup solutions

20. CERTIFICATIONS¤

20.1 Foundational¤

CompTIA Security+
CEH (Certified Ethical Hacker)
GIAC GSEC (Security Essentials)

20.2 Malware Analysis Specific¤

GREM (GIAC Reverse Engineering Malware) - HIGHLY RECOMMENDED
GDAT (GIAC Defending Advanced Threats)
eLearnSecurity eMAPT (Malware Analysis Professional)
Practical Malware Analysis & Triage (PMAT) - TCM Security

20.3 Reverse Engineering¤

GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
Offensive Security OSED (Exploit Developer)
Offensive Security OSWE (Web Expert)
eLearnSecurity eCXD (Exploit Development)

20.4 Specialized¤

GCFA (GIAC Certified Forensic Analyst)
GNFA (GIAC Network Forensic Analyst)
GCIA (GIAC Certified Intrusion Analyst)
CCFE (Certified Computer Forensics Examiner)
EnCE (EnCase Certified Examiner)

20.5 Vendor Certifications¤

Microsoft Certified: Security Operations Analyst
Cisco CyberOps Associate/Professional
SANS certifications (FOR610, FOR710, SEC760)

21. RESOURCES & CONTINUOUS LEARNING¤

21.1 Books - ESSENTIAL READING¤

"Practical Malware Analysis" by Michael Sikorski, Andrew Honig (Bible)
"The Art of Memory Forensics" by Michael Hale Ligh et al.
"Malware Analyst's Cookbook" by Michael Ligh et al.
"Rootkits and Bootkits" by Alex Matrosov et al.
"The IDA Pro Book" by Chris Eagle
"Practical Binary Analysis" by Dennis Andriesse
"Reversing: Secrets of Reverse Engineering" by Eldad Eilam
"Learning Malware Analysis" by Monnappa K A
"Windows Internals" by Mark Russinovich (Parts 1 & 2)
"x86 Disassembly" by Wikibooks
"Hacking: The Art of Exploitation" by Jon Erickson
"Gray Hat C#" by Brandon Perry
"Android Hacker's Handbook"
"iOS Hacker's Handbook"

21.2 Online Courses¤

SANS FOR610 (Reverse-Engineering Malware)
SANS FOR710 (Reverse-Engineering Malware Advanced)
SANS SEC760 (Advanced Exploit Development)
Malware Analysis Bootcamp (Pluralsight)
Malware Analysis and Reverse Engineering (Cybrary)
Practical Malware Analysis & Triage (TCM Security)
MalwareTech tutorials
OpenSecurityTraining

21.3 Practice Platforms¤

Malware samples:
MalwareBazaar (https://bazaar.abuse.ch/)
VirusShare
theZoo (GitHub - caution!)
Contagio
VX Underground (research only)
CTF platforms:
FlareOn Challenge (FireEye/Mandiant)
Reversing.kr
Crackmes.one
root-me.org
HackTheBox (reversing challenges)
Tutorials:
MalwareTech blog
hasherezade's blog
OALabs (YouTube)
0xRick blog

21.4 Communities¤

Malware analysis forums
Reddit (r/Malware, r/ReverseEngineering)
Discord servers (Malware Analysis, RE)
Twitter infosec community (#malware, #RE)
OALABS Discord
MalwareMustDie

21.5 Blogs & News¤

Malwarebytes Labs
Kaspersky Securelist
Bleeping Computer
Krebs on Security
TrendMicro Research
Cisco Talos
FireEye/Mandiant blog
hasherezade's blog
0ffset's blog
OALabs blog

21.6 Conferences¤

DEF CON (Reverse Engineering Village)
Black Hat (malware/RE talks)
REcon (Reverse Engineering Conference)
Virus Bulletin
Botconf
Malcon
BSides events
Hack in the Box

21.7 Tools Collections¤

FLARE team tools (GitHub)
REMnux toolkit
SANS SIFT Workstation
Hybrid Analysis community tools
Awesome Malware Analysis (GitHub)

21.8 YouTube Channels¤

OALabs
MalwareAnalysisForHedgehogs
LiveOverflow
John Hammond
IppSec
13Cubed
Colin Hardy

22. CAREER PATH¤

22.1 Entry Level¤

Malware Analyst (Junior)
Sample triage
Basic static/dynamic analysis
IOC extraction
Report writing
Salary: \(60k-\)80k
SOC Analyst with malware focus
Alert triage
Malware identification
Basic analysis
Salary: \(50k-\)70k

22.2 Mid Level¤

Malware Analyst
Advanced analysis
Reverse engineering
Custom tool development
Threat intelligence
Salary: \(90k-\)120k
Reverse Engineer
Binary analysis
Vulnerability research
Exploit analysis
Salary: \(100k-\)130k

22.3 Senior Level¤

Senior Malware Analyst
Complex malware families
APT analysis
Team lead
Training junior analysts
Salary: \(130k-\)160k
Principal Reverse Engineer
Advanced RE projects
Zero-day analysis
Tool development
Research
Salary: \(140k-\)180k

22.4 Expert/Specialist¤

Malware Researcher
Original research
Conference speaking
CVE discoveries
Advanced techniques
Salary: \(150k-\)200k+
Threat Intelligence Lead
Team management
Strategic analysis
Threat actor tracking
Salary: \(160k-\)200k+

22.5 Industry Sectors¤

Antivirus companies (Kaspersky, Bitdefender, ESET, etc.)
Security vendors (CrowdStrike, FireEye/Mandiant, Palo Alto)
Government agencies (NSA, FBI, CISA)
Defense contractors
Financial institutions
Big tech (Google, Microsoft, Apple)
Consulting firms
MSSPs
Independent consulting/freelance

Threat Hunter
Incident Responder (DFIR)
Exploit Developer
Security Researcher
Vulnerability Researcher
APT Analyst
Threat Intelligence Analyst

23. SOFT SKILLS¤

23.1 Analytical Skills¤

Critical thinking
Problem-solving
Pattern recognition
Attention to detail
Logical reasoning
Hypothesis testing

23.2 Communication¤

Technical writing
Report writing
Presentation skills
Teaching/mentoring
Cross-team collaboration
Stakeholder communication

23.3 Research Skills¤

Literature review
Experimentation
Documentation
Tool evaluation
Staying current
Continuous learning

23.4 Mindset¤

Patience (analysis can take days/weeks)
Curiosity
Persistence
Adaptability
Attention to detail
Systematic approach
Creative thinking

LỘ TRÌNH HỌC ĐỀ XUẤT (24-36 THÁNG)¤

Tháng 1-3: Foundations¤

Computer architecture
OS internals (Windows/Linux)
C/C++ programming
Assembly basics (x86)
Python scripting

Tháng 4-6: Reverse Engineering Basics¤

IDA Pro/Ghidra basics
x64dbg/GDB
Static analysis techniques
Dynamic analysis techniques
PE format mastery

Tháng 7-9: Malware Analysis Fundamentals¤

Basic static/dynamic analysis
Sandboxing
Behavioral analysis
String analysis
Packer identification

Tháng 10-12: Advanced RE & Analysis¤

Advanced debugging
Unpacking techniques
Anti-analysis bypass
Code obfuscation
Memory forensics (Volatility)

Tháng 13-15: Specialized Malware¤

Ransomware analysis
Banking trojans
RATs
Rootkits
Mobile malware (Android)

Tháng 16-18: Advanced Topics¤

Exploit analysis
Shellcode analysis
Kernel malware
APT malware
Cryptography in malware

Tháng 19-21: Automation & Tooling¤

Python automation
IDA/Ghidra scripting
Custom tool development
Sandbox customization
YARA mastery

Tháng 22-24: Threat Intelligence¤

IOC extraction
MITRE ATT&CK
Threat intelligence platforms
Report writing
Attribution techniques

Tháng 25-30: Specialization¤

Choose specialization (APT, ransomware, mobile, etc.)
Advanced research
Conference talks
Blog writing
Open source contributions

Tháng 31-36: Mastery¤

Original research
0-day hunting
Advanced tool development
Mentoring others
Industry recognition

TIPS ĐỂ MASTER MALWARE ANALYSIS¤

Daily Practice¤

Analyze 1 malware sample mỗi ngày
Document everything
Write YARA rules
Share findings

Build Portfolio¤

GitHub repository với tools
Blog write-ups (malware analysis)
YARA rules repository
Conference presentations
CVE discoveries

Networking¤

Twitter malware analysis community
Discord servers
Conference attendance
Mentorship
Collaborate on analysis

Stay Current¤

Daily malware news
Follow researchers
New techniques
Tool updates
Threat actor campaigns

Contribute¤

Open source tools
YARA rules sharing
Write-ups
Help community
Mentor beginners

Build Lab¤

Proper isolation
Multiple VMs
Tool collection
Sample repository
Documentation system

Read Code¤

Read malware source code (when available)
Read analysis tool source
Understand techniques
Learn from others

Challenge Yourself¤

FlareOn Challenge annual
Analyze APT samples
Reverse unfamiliar architectures
Learn new techniques
Research 0-days

KẾT LUẬN¤

Malware Analysis/Reverse Engineering là một trong những lĩnh vực KHÓ NHẤT nhưng cũng THÚ VỊ NHẤT trong cybersecurity.

Yêu cầu: - Kiên nhẫn cực cao (1 sample có thể mất hàng tuần) - Kỹ thuật sâu (assembly, OS internals, cryptography) - Continuous learning (malware luôn tiến hóa) - Passion thực sự (không phải vì tiền)

Phần thưởng: - Lương CỰC CAO (\(150k-\)250k+ cho senior) - Intellectually stimulating - High respect trong community - Job security (demand > supply) - Work on cutting-edge threats

Nếu bạn thích DEEP TECHNICAL, PUZZLE-SOLVING, và DETECTIVE WORK thì đây là con đường dành cho bạn! 🔍🦠