DEPRECATED

Going forwards, this repo won't be updated.
The list is instead being maintained on my blog (https://reversing.blog)

About

This document serves as a list of resources and other things that aid in malware analysis / dev and exploit dev, which will be updated frequently.
Feel free to contribute resources.

Courses

Paid courses/certificates

  • OSED
  • eCXD
  • SLAE x86
  • OSEE
  • eCMAP
  • Sektor 7 Red Team Operator
  • Zero2Automated: Ultimate Malware Reverse Engineering
  • CREST Certified Malware Reverse Engineer
  • SANS FOR610
  • SANS FOR500
  • FireEye Malware Analysis Master Course
  • RingZerø: Windows Kernel Rootkits: Techniques and Analysis
  • RingZerø: Windows Internals for Reverse Engineers
  • CodeMachine: Windows Kernel Rootkits

Free courses

Offensive Software Exploitation by Ali Hadi

Course taught at Champlain College by Ali Hadi
Topics:

  • PE format
  • Bug hunting and fuzzing
  • Vanilla BoF
  • ROP
  • Egghunters
  • x64 and x86 assembly
  • Reverse engineering

Malwareunicorn RE101 and 102

Great introduction to malware analysis and RE
Covers setting up your environment, and basic static / dynamic analysis

hasherezade Windows malware analysis vol 1

Focus on Windows malware and internals specifically.
Includes intermediate topics, such as hooking, UAC bypass, persistence, and much more
Requires some knowledge beforehand
Includes exercises and slides

dostackbufferoverflowgood

This course is my go-to for anyone new to exploit dev; it is dead simple, and will teach anyone basic buffer overflows in a couple of hours
It goes from teaching basic assembly to finding a vulnerable function, fuzzing it, and performing a basic buffer overflow to obtain RCE

RPI modern binary exploitation

Modern binary exploitation
Topics:

  • ASLR
  • DEP
  • ROP
  • Heap exploitation
  • Stack cookies
  • Basic kernel exploitation
  • Reverse engineering
  • Shellcoding

CS6038/CS5138 introduction to malware analysis and reverse engineering

Introduction to malware analysis and reverse engineering
Topics cover a wide range of malware analysis topics, a few samples:

  • Android static analysis
  • Java malware
  • Ghidra reverse engineering
  • Debugging
  • Building malware
  • YARA
  • Malicious PDF analysis
  • Assembly language crash course
  • VirtualBox setup

Intro to x86 32 bit Assembly

Introduction to x86 32 bit Assembly, covers everything needed to get started with x86 Assembly

  • Includes exercises
  • Includes YouTube videos and PowerPoint slides

Intro to x86 64 bit Assembly

Same as the 32 bit, assumes 32 bit knowledge

Intro to Linux binary exploitation

Covers Linux bin exp from basic assembly to heap exploitation

Nightmare: Binary exploitation and reverse engineering course

Binary exploitation course using CTFs as examples

Max Kersten Zero to hero binary analysis course

Assumes little to no low level knowledge
Requires basic understanding of programming
Content:

  • Assembly basics
  • Malware analysis
  • Script analysis
  • Sample collection

Buffer overflow practice

Various applications to practice buffer overflows on.
Includes exploit code.

OpenSecurityTraining introduction to Reverse Engineering

Covers the basics and use cases of RE
Goes over IDA and debugger usage
Helps you identify control flows and Win32 API code
Older course, but worth the time

Intermediate Linux Exploitation

Assumes prior knowledge of x86-64 assembly and familiarity with C and Python.
Assumes you are comfortable with basic binary exploits, like a vanilla buffer overflow.

Books

  • Windows Internals 7th edition, part 1 and 2
  • Practical Malware Analysis
  • Windows Kernel Programming by Pavel Yosifovich
  • Malware Analyst's Cookbook
  • The Shellcoder's Handbook
  • Rootkits: Subverting the Windows Kernel
  • Rootkits and Bootkits
  • A Guide to Kernel Exploitation
  • Windows 10 System Programming, Part 1 (Pavel Yosifovich)
  • Windows 10 System Programming, Part 2 (Pavel Yosifovich)
  • The IDA Pro book
  • The Ghidra book
  • Sandworm by Andy Greenberg
  • C++ Primer 5th edition
  • The Art of Assembly Language 2nd edition
  • The Antivirus Hackers' Handbook
  • The Art of Memory Forensics
  • Inside Windows Debugging
  • Practical Reverse Engineering

Free books

Blogs

Corelan exploit dev

Must read!!

Fuzzysecurity exploit dev

Their Windows exploitation series is gold

Vitali Kremez blog

Lots of awesome malware related content

repnz

Content on Windows internals, malware reversing

Connor McGarr

Lots of content about exploit development

Google Project Zero

Shameless self plug - Logicbug

My own blog, mainly content about malware dev

Redbluepurple.io

Blog with a couple of posts about EDR, Windows internals and malware analysis

Malware Traffic analysis

Talks

Kernel Mode Threats and Practical Defenses
Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
The Life & Death of Kernel Object Abuse
Alex Ionescu - Advancing the State of UEFI Bootkits
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
Black Hat Windows 2004 - DKOM (Direct Kernel Object Manipulation)
Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator
Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 1
Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 2
W32.Duqu: The Precursor to the Next Stuxnet

YouTube channels

KindredSec

Malware and reverse engineering

OALabs

Great reverse engineering content

Josh Stroschein intro to Assembly

Intro to Assembly

AGDC Services

High quality content with a lot of potential

Whitepapers/articles/posts

Reverse engineering Cisco ASA for EXTRABACON offsets
DoublePulsar SMB backdoor analysis
Kaspersky Shamoon and StoneDrill Report
Eset Turla Outlook backdoor report
Introduction Format String exploits
Writing a custom encoder
MinaliC 2.0.0 buffer overflow
BigAnt server 2.52 buffer overflow
Anatomy of an exploit – inside CVE-2013-3893
Understanding type confusion vulnerabilities
Engineering antivirus evasion
Deep dive into iOS exploit chain
Writing iOS kernel exploits
Analysis of Cyber attack on Ukrainian power grid
Analysis of Project Sauron APT
SWEED: Exposing years of Agent Tesla campaigns
WastedLocker analysis
OilRig novel steganography C2
FritzFrog analysis
Rotten Apples: Apple-like domains phishing
Will it blend? This is the Question, new Macro based Evasions spotted
Lazarus shellcode execution
In-Depth analysis of Raccoon stealer
Detailed analysis of Zloader
Interview with LockBit Ransomware operator
BendyBear shellcode malware
Emotet C2 case study
WeSteal Analysis
A Basic Windows DKOM Rootkit
Loading Kernel Shellcode
Windows Kernel Shellcode on Windows 10 – Part 1
Windows Kernel Shellcode on Windows 10 – Part 2
Windows Kernel Shellcode on Windows 10 – Part 3
Panic! At The Kernel - Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP
Introduction to Shellcode Development
Autochk Rootkit Analysis
pierogi backdoor
New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign
Pay2Kitten
STEELCORGI
Lebanese Cedar APT
LazyScripter
Maze deobfuscation
Darkside overview
SunBurst backdoor - FireEye analysis
Code obfuscation techniques
SideCopy APT tooling
Hiding in PEB sight: Custom loader
Zloader: New infection technique
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines
Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 1
Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 2
Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 3
Operation SpoofedScholars: A Conversation with TA453
Hooking Candiru - Another spyware vendor comes into focus
A tale of EDR bypass methods

Not really courses, not really articles

Heap exploitation free "book"

Practice

Phoenix, successor to Protostar

Covers various topics, including:

  • Network programming
  • Stack overflows
  • Heap overflows
  • Format string exploits

ROP practice

HEVD Vulnerable driver

Various exploits to practice on a driver

Network traffic of malware to analyze

Resources/tools

NTAPI undocumented functions
x86/x64 Windows syscall table
Malware Windows API Cheatsheet
Malware evasion / protection techniques
Malware analysis awesome list
Linux rootkits awesome list
Common evasion techniques used by malware
Common anti debugging techniques used by malware
Win32 Programming C++ notes
APT mindmap

Forums

Sample sharing