Introduction
In my workshops that focus on software reverse engineering (SRE) and low-level programming, I recommend books that, in my opinion, are very high quality for self-study and reference. Here, I’ll try to collect all of those recommendations for future workshop attendees, and for anyone trying to self-study. The focus is on having a bookshelf (real and virtual) of good primary sources. You may prefer printed books, but I recommend getting PDF copies as well so that you can search within them and have them on the go.
There’s a focus here on learning to analyze code designed for Windows on 32 and 64-bit Intel systems. I think that malware is a good starting point for learning SRE, but the same skills are prerequisite to vulnerability research, exploit development, and a variety of other offensive and defensive computer security disciplines. Once you are comfortable reading disassembled listings of Intel code, other architectures, such as ARM or MIPS, shouldn’t give you much trouble. You’ll want to add instruction set reference manuals for those architectures to your collection as well.
You will notice that most of the books on this list are more focused on programming (the forward process of software engineering), rather than SRE. While you don’t need to know much about programming to get started in reverse engineering, you will never become comfortable or adept at doing it without at least picking it up as you go. It can be very instructive, even as an experienced programmer, to work through a book on programming while reverse engineering the compiled code as you go. This gets you used to seeing how a compiler represents common programming constructs in assembly language.
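As an added illustration of the approach described above (this is example code written for this post, not from any of the books listed), here is a small C file that packs the constructs Practical Malware Analysis walks through in assembly into separate functions: a counted loop, an if/else chain, a switch that may become a jump table, struct field access at fixed offsets, and an indirect call through a function pointer. Build it with optimisation off so the listing tracks the source closely (for example `cl /Zi /Od /FA constructs.c` with MSVC, or `gcc -O0 -g -o constructs constructs.c` on Linux), load the result in Ghidra or x64dbg, and compare each function's disassembly against its source. The file name `constructs.c` is just an assumed name for this snippet.

```c
/* Added example (not from the original post): one function per common C
 * construct, so each can be found and compared in a disassembler. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Struct field access shows up as fixed offsets from a base register:
 * id at +0, flags at +4, name at +6 on the usual x86/x64 ABIs. */
typedef struct {
    uint32_t id;
    uint16_t flags;
    char     name[16];
} record_t;

/* A counted for-loop: look for the counter init, the compare, and the
 * backward conditional jump that closes the loop. */
uint32_t sum_bytes(const uint8_t *buf, size_t len)
{
    uint32_t total = 0;
    for (size_t i = 0; i < len; i++)
        total += buf[i];
    return total;
}

/* An if/else chain becomes a sequence of test-and-branch instructions. */
int classify_flags(uint16_t flags)
{
    if (flags & 0x1)
        return 1;
    else if (flags & 0x2)
        return 2;
    else
        return 0;
}

/* A dense switch is a candidate for a jump table at -O1 and above; at -O0
 * most compilers emit a compare chain instead, which is worth seeing both ways. */
const char *opcode_name(int op)
{
    switch (op) {
    case 0:  return "nop";
    case 1:  return "load";
    case 2:  return "store";
    case 3:  return "jump";
    default: return "unknown";
    }
}

/* Struct initialisation and field writes: note the three distinct offsets. */
void record_init(record_t *r, uint32_t id, uint16_t flags, const char *name)
{
    memset(r, 0, sizeof(*r));
    r->id = id;
    r->flags = flags;
    strncpy(r->name, name, sizeof(r->name) - 1);
}

/* A call through a function pointer compiles to an indirect call
 * (call reg or call [mem]) rather than a call to a fixed address. */
typedef uint32_t (*hash_fn)(const uint8_t *, size_t);

uint32_t hash_record(const record_t *r, hash_fn fn)
{
    return fn((const uint8_t *)r->name, strlen(r->name));
}

int main(void)
{
    record_t r;
    record_init(&r, 7, 0x2, "sample");   /* constructed sample input */
    printf("sum=%u class=%d op=%s hash=%u\n",
           sum_bytes((const uint8_t *)"abc", 3),
           classify_flags(r.flags),
           opcode_name(2),
           hash_record(&r, sum_bytes));
    return 0;
}
```

Once the -O0 listing makes sense, rebuild at -O2 and compare again: the loop in `sum_bytes` may be vectorised or unrolled, `opcode_name` may become a table lookup, and `record_init` may be inlined into `main`, which is exactly the kind of compiler behaviour real samples exhibit.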
The Bookshelf
General SRE
- Practical Malware Analysis, Sikorski, Honig, ISBN-13 978-1593272906
- This is where you should start. It comes with a set of easy-to-reverse malware samples, questions at the ends of chapters that reference them, and detailed answers at the end of the book that you can use to check your work. It has chapters that very briefly introduce 32-bit Intel assembly and C programming language constructs as they might look in assembly code. It’s enough to get you started in a self-contained book. Where this book uses IDA Pro, I’d recommend instead having The Ghidra Book on-hand to figure out the equivalent there. Where it uses OllyDbg, substitute x32dbg (comes with x64dbg), which is very similar in practical use and has good documentation.
- The Ghidra Book: The Definitive Guide, Nance, Eagle, ISBN-13 978-1718501027
- This is the book to get on the Ghidra disassembler. Also, Ghidra has an unusually nice help file for this kind of software. In the docs/Ghidraclass folder of your Ghidra installation, there are slides and notes for training classes on using Ghidra.
Windows
- Windows Internals, Seventh Edition, Parts 1 & 2, Yosifovich, Russinovich, et al, ISBN-13 978-0735684188 and 978-01354624090
- Programming Windows, Fifth Edition, Petzold, ISBN-13 978-1572319950
- Yes, the Fifth Edition. Yes, the one from 1998. This edition focuses on using C/C++ to access the Windows API, which is what a lot of the malware you’ll be looking at is doing. There’s no better book on the subject since then, to the best of my knowledge. The newer edition of the book focuses on using C# to write Windows Store applications, which is probably not what you want.
- Windows 10 System Programming, Parts 1 & 2, Yosifovich
- Windows Kernel Programming, Second Edition, Yosifovich
- Microsoft Learn (MSDN) Windows API Reference
- There is no good reference to the Windows API in book form (that I’m aware of). You’re best off focusing a Google search with site:learn.microsoft.com along with the API call in question. If you need an offline reference, you may be able to track down an ISO of the Visual Studio 2008 MSDN Library.
- Also, don’t be afraid to read the Windows header files that come with Visual Studio and the Windows Kits.
Assembly Language
- The Art of 64-Bit Assembly, Volume 1: x86-64 Machine Organization and Programming, Hyde, ISBN-13 978-1718501089
- Excellent way to learn 64-bit Intel assembly on Windows.
- PC Assembly Language, Carter
- This is a good free book for 32-bit Intel assembly. Some malware is going to be 64-bit, some will be 32-bit, and there are enough differences that you’ll want a couple of different books.
- x64 Assembly Language Step-by-Step: Programming with Linux, Duntemann, ISBN-13 978-1394155248
- Another good 64-bit Intel book. If you like it and need 32-bit or even 16-bit help, just go back to previous editions.
- Computer Systems: A Programmer’s Perspective, 3rd Edition, Bryant, O’Hallaron, ISBN-13 978-0134092669
- This is a great systems programming book.
- It’s so expensive. Used copies of the 2nd edition are much more affordable, and use 32-bit Intel instead of 64-bit. Might be an OK trade-off.
- AVOID THE INTERNATIONAL EDITION. It’s VERY inexpensive, but introduces many errors. Not an OK trade-off.
- Processor Manual PDFs (especially the instruction set references, but the architecture information is excellent to have as well)
C/C++
- C Programming: A Modern Approach, King, 2nd Edition ISBN-13 978-0393979503
- C++ Primer, Lippman, ISBN-13 978-0321714114