* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://origin-researchcenter.paloaltonetworks.com/blog/corporate/)
* [Cybersecurity Canon](https://origin-researchcenter.paloaltonetworks.com/blog/category/canon/)
* The Cybersecurity Canon -...

# The Cybersecurity Canon - Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2018%2F02%2Fcybersecurity-canon-practical-malware-analysis-hands-guide-dissecting-malicious-software%2F)  
[](https://twitter.com/share?text=The+Cybersecurity+Canon+-+Practical+Malware+Analysis%3A+The+Hands-On+Guide+to+Dissecting+Malicious+Software&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2018%2F02%2Fcybersecurity-canon-practical-malware-analysis-hands-guide-dissecting-malicious-software%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2018%2F02%2Fcybersecurity-canon-practical-malware-analysis-hands-guide-dissecting-malicious-software%2F&title=The+Cybersecurity+Canon+-+Practical+Malware+Analysis%3A+The+Hands-On+Guide+to+Dissecting+Malicious+Software&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/2018/02/cybersecurity-canon-practical-malware-analysis-hands-guide-dissecting-malicious-software/&ts=markdown)  
\[\](mailto:?subject=The Cybersecurity Canon - Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software)  
Link copied  
By [Etay Nir](https://www.paloaltonetworks.com/blog/author/etay-nir/?ts=markdown "Posts by Etay Nir")  
Feb 02, 2018  
4 minutes  
[Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/?ts=markdown)  
[Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)  
[Andrew Honig](https://www.paloaltonetworks.com/blog/tag/andrew-honig/?ts=markdown)  
[cybersecurity canon](https://www.paloaltonetworks.com/blog/tag/cybersecurity-canon/?ts=markdown)  
[Cybersecurity Canon Review](https://www.paloaltonetworks.com/blog/tag/cybersecurity-canon-review/?ts=markdown)  
[Etay Nir](https://www.paloaltonetworks.com/blog/tag/etay-nir/?ts=markdown)  
[Michael Sikorski](https://www.paloaltonetworks.com/blog/tag/michael-sikorski/?ts=markdown)  
[Practical Malware Analysis](https://www.paloaltonetworks.com/blog/tag/practical-malware-analysis/?ts=markdown)

*We modeled the* [*Cybersecurity Canon*](https://cybercanon.paloaltonetworks.com/)*after the Baseball or Rock \& Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.*

*The Cybersecurity Canon is a real thing for our community. We have designed it so that you can* [*directly participate in the process*](https://cybercanon.paloaltonetworks.com/nominate-a-book/)*. Please do so!*

**Executive Summary**

In the dynamic area that is malware analysis, it can be confusing, if not also bewildering, for the newcomer to know where to start. Look no further: *Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software* is a great starting point for those wanting to enter the field, and an ever-useful refresher for anyone looking to polish their skills.

**Review**

The attraction of *Practical Malware Analysis* is that the authors have striven for the book to be self-contained as far as possible. Little prior knowledge is required, yet there is something for everyone here. A logical development of analysis skills is followed throughout the book, with Part 1 introducing basic analysis, covering static analysis (non-executed code), virtual machines, and then dynamic (code executed in a controlled environment).

Part 2 takes on advanced static analysis, developing our skills and knowledge, and introducing X86 Disassembly, IDA-pro, assembly, recognizing C-code constructs in assembly, and finally taking a look at malicious Microsoft Windows programs, looking at the API, the registry, and how to examine malware as it executes in a Windows environment.

Part 3 examines advanced dynamic analysis, looking at debugging, OllyDbg and then kernel debugging with WinDbg.

Having taken us to the foothills of advanced malware analysis, Part 4 of the book then delves into malware functionality, both using and expanding the knowledge gained so far. It guides us through malware behaviour, covert malware launching, data encoding and malware-focused network signatures. This section manages to achieve the fine balance between educating, but not becoming a 'how-to-hack' handbook. This section begins to look at things in great technical detail, including assembly, disassembly, registers and opcodes. Yet because of the approach taken by the authors, this section remains accessible at all times.

Part 5 takes us into deeper technical detail, cover anti-reverse-engineering. This section is critical in gaining insight into the mind of the attacker. The authors expand upon many of the themes from Part 4, but from the perspective of the malware author. Covered topics are: anti-disassembly, anti-debugging, anti-virtual machine techniques, and finally packers and unpacking. Mastering these topics will really let you spread your wings as a threat analyst, and provide you with a wealth of information, particularly if you are interested in threat modelling.

Finally, Part 6, covers the ever-topical shellcode analysis, C++ analysis and 64-bit analysis.

At the rear of the book are two appendices, A: Important Windows Functions and B: Tools for Malware Analysis. Both appendices are very useful taxonomies of their subjects.

One of the many strengths of *Practical Malware Analysis* is that it may both be followed diligently from start to finish as a developmental course (indeed there are lab exercises throughout, and the solutions are provided after the appendices) but also used as a fantastic reference resource. I for one always have it close at hand, either on the shelf if I am in my lab, or with me in PDF format if I am traveling.

**Conclusion**

'It does what it says on the tin' to quote an old advert byline. *Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software* is accessible to the beginner, will help you understand how malware works, and will also help you progress to proficient analysis. Highly recommended -- this is the definitive book on the topic, whether you are an aspiring reverse engineer or a network defender. Malware is not going away anytime soon.

**References**

[https://github.com/mikesiko/PracticalMalwareAnalysis-Labs](https://github.com/mikesiko/PracticalMalwareAnalysis-Labs)

*** ** * ** ***

## Related Blogs

### [Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Book Review: "InSecurity"](https://origin-researchcenter.paloaltonetworks.com/blog/2020/03/cyber-canon-insecurity/)

### [Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Book Review: How America Lost Its Secrets](https://origin-researchcenter.paloaltonetworks.com/blog/2020/03/book-review-how-america-lost-its-secrets/)

### [Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Book Review: "The Perfect Weapon"](https://origin-researchcenter.paloaltonetworks.com/blog/2020/03/cyber-canon-the-perfect-weapon/)

### [Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Book Review: "No Place to Hide"](https://origin-researchcenter.paloaltonetworks.com/blog/2020/03/cyber-canon-no-place-to-hide/)

### [Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Book Review: "CISO Compass"](https://origin-researchcenter.paloaltonetworks.com/blog/2020/02/cyber-canon-ciso-compass/)

### [Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Book Review: "Digital Resilience"](https://origin-researchcenter.paloaltonetworks.com/blog/2020/02/cyber-canon-digital-resilience/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language