Reverse Engineering

Overview

Reverse engineering malware involves disassembling and decompiling binaries to understand their internal logic — control flow, algorithms, encryption routines, C2 protocols, and evasion techniques. This is the deepest level of malware analysis, used when static and dynamic analysis alone cannot fully explain a sample's behavior.

General Approach

  1. Disassemble — load the binary into a disassembler to view assembly code
  2. Identify key functions — find entry points, main logic, and interesting routines (crypto, networking, persistence)
  3. Decompile — use decompiler output for higher-level understanding
  4. Debug — set breakpoints at key locations and step through execution
  5. Defeat anti-analysis — patch or bypass packing, anti-debugging, and environment checks
  6. Document — record findings on malware capabilities, IOCs, and C2 protocols
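As an added example (not code from the original page), a small Python triage helper that covers steps 2 and 6 of the approach above: it pulls printable strings out of a constructed sample blob, buckets the Windows API names it recognises into the routine categories listed (crypto, networking, persistence, anti-analysis), and records candidate IOCs for the write-up. The API lists and the sample bytes are constructed for illustration, not taken from any real sample.

```python
import re

# Constructed stand-in for the strings section of an unpacked sample.
SAMPLE = (
    b"\x00\x00MZ\x90\x00CryptAcquireContextA\x00CryptEncrypt\x00"
    b"InternetOpenA\x00HttpSendRequestA\x00RegSetValueExA\x00"
    b"IsDebuggerPresent\x00http://c2.example.invalid/gate.php\x00"
    b"10.0.0.23\x00\x01\x02\x03"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

# Imported API names mapped to the routine categories an analyst looks for first.
# Constructed, abbreviated lists; extend with the APIs relevant to your samples.
API_CATEGORIES = {
    "crypto": {"CryptAcquireContextA", "CryptEncrypt", "CryptDecrypt", "BCryptEncrypt"},
    "networking": {"InternetOpenA", "HttpSendRequestA", "WSAStartup", "connect", "send"},
    "persistence": {"RegSetValueExA", "CreateServiceA", "SetWindowsHookExA"},
    "anti_analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
}

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")          # printable ASCII runs of 4+ bytes
URL_RE = re.compile(r"https?://[\w.\-/]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_PREFIXES = ("Software\\", "SYSTEM\\", "HKEY_")


def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII strings in file order (what `strings` would show)."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]


def triage(data: bytes) -> dict:
    """Bucket API names by category and collect candidate IOCs from a blob."""
    findings = {
        "apis": {cat: [] for cat in API_CATEGORIES},
        "iocs": {"urls": [], "ips": [], "registry": []},
    }
    for s in extract_strings(data):
        for cat, names in API_CATEGORIES.items():
            if s in names:
                findings["apis"][cat].append(s)
        if m := URL_RE.search(s):
            findings["iocs"]["urls"].append(m.group())
        elif m := IPV4_RE.search(s):
            # Reject dotted version strings such as 1.2.300.4 that look like IPs.
            if all(int(o) <= 255 for o in m.group().split(".")):
                findings["iocs"]["ips"].append(m.group())
        elif s.startswith(REG_PREFIXES):
            findings["iocs"]["registry"].append(s)
    return findings
```

Strings alone are a starting point: the interesting step is then cross-referencing each hit back to the function that calls it in the disassembler.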