Whippin' out your arsenal

Let us see the list of tools that we will be using or referring to further on.

User mode sandboxing

Debugging and disassembly

MISC

You are also free to include older reversing tools such as HIEW and W32DAsm if you so wish.

Next steps and prerequisites

Most of the tools listed are free, and you can skip some of the commercial tools if you do not have them yet. The alternatives are already discussed in the previous chapter.

Set the %PATH% environment variable by adding the full paths of the Sysinternals binaries folder and the install directories of OllyDbg, IDA Pro, Buster Sandbox, and the editors. This is so that CMD.EXE can be invoked and the executable names can be typed in to launch the applications. You can also create Windows shortcuts on the desktop or pin them to Start menu items.
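The following PowerShell script is an added example, not from the book, of doing that PATH setup in one go: it appends each tool directory to the persisted user-level %PATH% (so every new CMD.EXE window sees it), skips directories that do not exist, and avoids adding duplicates. All directory names and executable names in it are assumptions; replace them with wherever your tools are actually installed.

```powershell
# Added example (not from the book): append analysis-tool directories to the
# user-level PATH so CMD.EXE can launch the tools by name.
# The directories below are ASSUMED install locations; adjust to your setup.
$toolDirs = @(
    'C:\Tools\Sysinternals',        # assumed: Sysinternals Suite unpacked here
    'C:\Tools\OllyDbg110',          # assumed: OllyDbg 1.10
    'C:\Program Files\IDA',         # assumed: IDA Pro install directory
    'C:\Tools\BSA',                 # assumed: Buster Sandbox Analyzer
    'C:\Program Files\Notepad++'    # assumed: editor of choice
)

# Read the persisted user PATH (HKCU\Environment), not the process copy,
# so the change survives into new shells.
$current = [Environment]::GetEnvironmentVariable('Path', 'User')
$entries = @()
if ($current) { $entries = @($current -split ';' | Where-Object { $_ -ne '' }) }

foreach ($dir in $toolDirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Skipping missing directory: $dir"
        continue
    }
    # Case-insensitive duplicate check; a trailing backslash is ignored.
    $norm = $dir.TrimEnd('\')
    if ($entries | Where-Object { $_.TrimEnd('\') -ieq $norm }) {
        Write-Host "Already on PATH: $dir"
        continue
    }
    $entries += $norm
    Write-Host "Added: $dir"
}

# Persist the updated user PATH; Windows broadcasts the change to new processes.
[Environment]::SetEnvironmentVariable('Path', ($entries -join ';'), 'User')

# Also refresh the current session so the tools are usable immediately.
$env:Path = [Environment]::GetEnvironmentVariable('Path', 'Machine') + ';' +
            [Environment]::GetEnvironmentVariable('Path', 'User')

# Sanity check: the executables should now resolve from any directory.
# Executable names are assumed and vary by tool version.
foreach ($exe in 'procexp.exe', 'ollydbg.exe', 'idaq.exe') {
    $found = Get-Command $exe -ErrorAction SilentlyContinue
    if ($found) { Write-Host "$exe -> $($found.Source)" }
    else        { Write-Warning "$exe not found on PATH" }
}
```

Run it inside the analysis VM from a PowerShell prompt; it only touches the user-level variable, so no administrator rights are needed, and any CMD.EXE window opened afterwards will find the tools by name.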

You will be using OllyDbg 1.10 for this session, though much of the above can also be done in IDA Pro with WinDbg or Bochs as the debugger of choice; these are selected from the Debug | Switch Debugger menu items in IDA Pro, which finds Bochs and WinDbg automatically. Only the x86 version of WinDbg and older versions of Bochs work with the latest versions of IDA Pro. We will explore emulation and other techniques in later chapters. BSA Sandbox is configured as described in the help file shipped with the BSA installation; this consists of appending a few lines giving the location of the BSA files and other options to the Sandboxie configuration file. Please read the friggin' manual (RTFM) for each of the tools, which, for some reason, is one of the most violated principles with any new tool installation.

A general rule of thumb in malware analysis: be skeptical of everything. Just as in a real-life investigation, everybody is a suspect until proven otherwise; keep testing hypotheses and drawing inferences. The process of elimination and due diligence always pays in the end.

To paraphrase Mark Twain:

"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."

As a prerequisite, get acquainted with underground cracking concepts such as code caves, serial fishing, imports table reconstruction, PE header rebuilding, memory dumps, patching, memory trainers, basic encryption analysis and decryption, keygenning, keyfile construction, writing binary format parsers, basic debuggers, developing tools/utilities, and other basic reverse engineering concepts, so that malware analysis will not stump you. Hardware dongles and other DRM-based protectors are fine specimens to push your skills to the limit, and most malware found In The Wild (ITW) does not employ such commercial tactics (yet ... but, of course, bootkits and other in-hardware malware manufactured by the agencies in question come creepily close). That leaves other things to focus on, such as signature creation, packet trace analysis, high-level analysis tools, and detection research and development (custom disassembler engines, unpacker frameworks, decompilers, sandboxes, and visualization tools, among others), which can be very demanding and interesting at the same time.

Another tip regarding analysis with tools is to be judicious in their use (especially for first-timers). While learning the ropes you are free to experiment with everything, and even afterwards for that matter, but there is no rule that says you have to use every tool in the arsenal in every analysis just to feel complete about it (everything and the proverbial kitchen sink). If you have done an end-to-end analysis and feel that a specific tool can help evaluate something better, then by all means go for it, but not just for the sake of it (like a doctor prescribing every medicine available for a particular disease: "let's see which one works!"). There is a difference, and as time passes with study and experience, you will learn to streamline your toolkit and apply the tools as required.

There is no step-by-step guide to malware analysis, as every case is different, though the overall approach and the tools can be learnt very effectively.
