Learning Malware Analysis

This repository contains sample programs that mimick behavior found in real-world malware. The goal is to provide source code that can be compiled and used for learning purposes, without having to worry about handling live malware or causing real damage to any system. The type of program is organized by concept it is focused on, you can see this through the root folder structure.

I discuss many of these programs through online videos and courses and you may find the following helpful:

• Various topics in malware analysis - YouTube Playlist

• Getting Started with Reverse Engineering - YouTube Playlist and full courses on Pluralsight

• Essential Malware Analysis on Pluralsight:

  • Initial File Triage
  • Initial Access Techniques
  • Basics of IDA Pro
  • Basics of Ghidra

• Yara for Malware Research - YouTube playlist

• Essential Elements of the Portable Executable (PE) file - YouTube playlist

Other Tools You May Find Helpful

• Learning Reverse Engineering Github repo: A similar repository with source code and resources for learning reverse engineering.
• sclauncher: A shellcode launcher and debugging tool

Compiling the Source Code

These programs are intended to be compiled with the C/C++ compiler from Microsoft. You can use the Developer Command Prompt after installing the free/community version to compile using cl. An example of this command would be:

cl <path/to/source_code>

This should produce two files: .obj and .exe using the name of the input file. You can typically ignore the .obj file, the .exe is what you will analyze. Please note, occassionally specific compiler flags are used to obtain desired affects in the resulting binary. These compiler flags will be identified in the related videos or noted in the README in the specific folder.

If you're looking for real world malware or other interesting artifacts, please check out my repo malware-samples.