Malware Reverse Engineering for Beginners

by

Every malware sample tells a story. Static strings reveal its purpose. Imported functions show its capabilities. Dynamic behavior exposes its network infrastructure. Malware reverse engineering is the discipline of reading that story — understanding what malicious code does, how it does it, and what artifacts it leaves behind. This guide covers the fundamentals with Ghidra and other free tools, with concrete examples you can run yourself.

Setting Up a Safe Analysis Environment

Never analyze malware on your host machine. Always use an isolated virtual machine with no network access or a dedicated host on an air-gapped network. Malware analysis sandboxes exist precisely for this reason.

# Analysis environment: Windows 10 VM in VirtualBox or VMware
# Settings before starting:
# - Network: Host-only adapter (no internet access)
# - Shared clipboard: DISABLED
# - Shared folders: DISABLED
# - Take a snapshot BEFORE opening any malware

# Essential tools to install in the analysis VM:
# - PEview, CFF Explorer, Detect-It-Easy (static PE analysis)
# - Ghidra (free NSA disassembler/decompiler)
# - x64dbg (dynamic debugger)
# - Wireshark (network traffic capture)
# - Process Monitor, Process Hacker (behavior monitoring)
# - FLOSS (Mandiant - extracts obfuscated strings)
# - Cutter (free GUI for radare2)

Phase 1: Static Analysis — Before Running Anything

# Step 1: Get file hash (never analyze without documenting this)
md5sum malware.exe
sha256sum malware.exe
# Submit hash to VirusTotal: https://virustotal.com/

# Step 2: Identify file type (never trust extension)
file malware.exe
# Result: PE32 executable (GUI) Intel 80386, for MS Windows

# Step 3: Check entropy (high entropy = packed/encrypted)
# Use Detect-It-Easy (DIE): drag and drop file
# Entropy > 7.0 suggests packing (UPX, custom packers, encrypted sections)

# Step 4: Extract printable strings
strings malware.exe | head -100
strings -n 8 malware.exe | grep -E "http|.exe|cmd|powershell|registry"

# Step 5: Check PE imports (what functions does it use?)
# Use CFF Explorer or dumpbin:
dumpbin /IMPORTS malware.exe | grep -E "CreateRemoteThread|VirtualAlloc|WriteProcessMemory|RegSetValue|InternetOpen"
# These imports suggest: process injection, network communication, persistence

Decoding Obfuscated Strings with FLOSS

# FLOSS finds strings that are decoded at runtime (evades simple strings command)
floss malware.exe

# Example output revealing hidden C2 server:
# FLOSS decoded 1 string from function 0x00401234
# 192.168.1.100:4444
# FLOSS decoded 1 string from function 0x00401567
# /api/beacon
# FLOSS decoded 1 string from function 0x004017ab
# cmd.exe /c whoami

Phase 2: Ghidra — Disassembly and Decompilation

Ghidra is the NSA’s open source reverse engineering framework, released publicly in 2019. It disassembles binary code and — most powerfully — decompiles it back to readable C-like pseudocode. This turns thousands of lines of assembly into something you can understand.

# Install Ghidra
wget https://github.com/NationalSecurityAgency/ghidra/releases/latest/download/ghidra_11.0_PUBLIC.zip
unzip ghidra_11.0_PUBLIC.zip
cd ghidra_11.0_PUBLIC/
./ghidraRun  # Requires Java 17+

# In Ghidra:
# 1. File > New Project > Create new project
# 2. File > Import File > select malware.exe
# 3. Double-click to open in CodeBrowser
# 4. Yes to analyze with default options
# 5. Wait for analysis (2-5 minutes for typical malware)

# Navigation tips:
# - Symbol Tree (left panel): functions, labels, namespaces
# - Decompiler (right panel): pseudocode for selected function
# - Functions starting with "FUN_" are unnamed -- rename them as you understand them
# - Search > For Strings: find all string references in code
# - Window > Function Call Trees: see what calls what

Reading the Decompiler Output

# Example: Ghidra decompiled this assembly into:
void FUN_00401234(void) {
  HANDLE hProcess;
  LPVOID lpRemoteBuffer;
  
  // CreateRemoteThread injection pattern:
  hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, target_pid);
  lpRemoteBuffer = VirtualAllocEx(hProcess, NULL, shellcode_size, 
                                   MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  WriteProcessMemory(hProcess, lpRemoteBuffer, shellcode, shellcode_size, NULL);
  CreateRemoteThread(hProcess, NULL, 0, lpRemoteBuffer, NULL, 0, NULL);
}
# This is CLASSIC process injection -- injecting shellcode into another process
# Rename function to: inject_shellcode_into_process

Phase 3: Dynamic Analysis — Watch It Run

# Before running: take VM snapshot, start monitoring tools

# Process Monitor (Procmon) - monitor all file/registry/network activity
# Filter: Process Name contains "malware"
# Now run the sample

# What to watch for in Procmon:
# RegSetValue in HKCUSoftwareMicrosoftWindowsCurrentVersionRun = persistence
# CreateFile in C:WindowsSystem32 = dropping files
# TCP Connect to external IP = C2 communication

# Process Hacker: watch for process injection
# Malware process should appear, then disappear
# Another legitimate process (explorer.exe, svchost.exe) may show new threads

# Wireshark: capture all network traffic
# Filters:
# dns -- see what domains it resolves
# http -- see HTTP C2 beacons
# tcp.port == 4444 -- classic Metasploit reverse shell port

Online Sandboxes for Quick Analysis

When you need results fast, or cannot run a local analysis environment, online sandboxes run malware in isolated VMs and produce detailed behavioral reports:

  • any.run (app.any.run) — Interactive, free tier available. Watch the malware run in real time in your browser
  • Hybrid Analysis (hybrid-analysis.com) — Free, comprehensive reports, large sample database
  • Joe Sandbox — Very detailed Windows analysis reports
  • Triage (tria.ge) — Fast, multi-sample support, excellent for quick triage

Practice Samples for Beginners

  • MalwareBazaar (bazaar.abuse.ch) — Real malware samples shared by the community. Use a VM!
  • theZoo (GitHub) — Historical malware samples for education
  • Crackmes.one — Reverse engineering challenges that teach the skills without actual malware
  • PWN.college — Free interactive reverse engineering and binary exploitation course

Malware reverse engineering is one of the most intellectually rewarding specializations in cybersecurity. Each sample is a puzzle left by the attacker, and your job is to read their code, understand their intent, extract their infrastructure, and ultimately help defenders stop them.