Discover / Reverse engineering / Reading path

The Best Books to Learn Reverse Engineering, In Order

@codesherpaBeginner → Expert
12
Books
158
Hours
5
Stages
Not yet rated

Since the learner starts at an expert level, this curriculum skips hand-holding and dives straight into the architecture of binaries, low-level internals, and professional-grade reverse engineering tradecraft. Each stage builds ruthlessly on the last — from binary anatomy and disassembly mechanics, through vulnerability research and malware analysis, to the bleeding edge of anti-analysis, kernel internals, and custom tooling.

1

Binary Anatomy & Disassembly Foundations

Beginner

Establish a rigorous mental model of executable formats, assembly semantics, and the disassembly pipeline — the vocabulary every later stage assumes.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day (mix of dense technical content and practical labs)

Key concepts
  • CPU architecture fundamentals: registers, memory hierarchy, instruction execution cycles, and how data flows through the processor
  • Assembly language syntax and semantics: instruction types (arithmetic, logic, memory, control flow), operands, and calling conventions across x86/x64 architectures
  • Executable file formats: ELF/PE structure, sections (.text, .data, .bss), headers, symbols, and relocation information
  • The disassembly pipeline: how compiled binaries are parsed, decoded into mnemonics, and how to read disassembler output accurately
  • Stack and function prologue/epilogue: frame pointers, return addresses, parameter passing, and local variable layout
  • Memory protection and segmentation: virtual memory, paging, privilege levels, and how the OS isolates processes
  • Control flow analysis: jumps, branches, loops, and how to trace execution paths through disassembled code
  • Linking and loading: static vs. dynamic linking, symbol resolution, and how the loader prepares a binary for execution
You should be able to answer
  • Explain the fetch-decode-execute cycle and how a CPU executes a single instruction from memory.
  • What are the key differences between x86 and x64 calling conventions, and why does the stack layout differ?
  • Describe the structure of an ELF executable: what are the major sections, and what does each contain?
  • Given a disassembled function, how would you identify the prologue, body, and epilogue, and what does each do?
  • What is the role of the loader in preparing a binary for execution, and how does dynamic linking differ from static linking?
  • How would you manually trace the execution of a simple loop in assembly, tracking register and memory changes?
Practice
  • Work through Computer Organization's CPU simulation exercises (Chapters 4–5) to internalize the fetch-decode-execute cycle and register operations.
  • Assemble and disassemble simple C functions (e.g., arithmetic, loops, function calls) using gcc and objdump; compare source to disassembly to map high-level constructs to assembly.
  • Write 5–10 small x86/x64 assembly programs (add, subtract, loop, conditional branch) in Professional Assembly Language's lab sections; assemble and run them.
  • Use readelf or objdump to inspect the ELF headers, section table, and symbol table of a compiled binary; document what each section contains.
  • Disassemble a real binary (e.g., a simple utility like /bin/ls or a compiled C program) and identify function prologues, epilogues, and stack frames.
  • Trace through a recursive function (e.g., factorial) in assembly, manually tracking the stack pointer, return addresses, and local variables across calls.
  • Read and annotate the disassembly of a small vulnerable program from Hacking (Chapter 0–1 examples); identify buffer boundaries and stack layout.
  • Create a cheat sheet mapping x86/x64 instruction mnemonics to their semantics (mov, add, call, ret, jmp, etc.) with operand encoding rules.

Next up: Mastery of binary anatomy and disassembly foundations equips you to recognize code patterns, understand control flow, and identify data structures in compiled binaries—essential prerequisites for the next stage, which will focus on vulnerability analysis and exploitation techniques.

Computer Organization and Design
John L. Hennessy · 1994 · 909 pp

Grounds the learner in how hardware executes instructions, giving physical intuition for what disassemblers expose. Reading this first prevents treating assembly as magic.

Professional assembly language
Richard Blum · 2005 · 546 pp

Bridges high-level thinking to x86 assembly syntax and calling conventions — the lingua franca of reverse engineering — before tackling compiled binaries.

Hacking
Jon Erickson · 2003 · 384 pp

Introduces binary layout, stack mechanics, and exploitation primitives hands-on; builds the adversarial mindset needed for all subsequent RE work.

2

Core Reverse Engineering Practice

Intermediate

Develop fluency with industry-standard RE tools (IDA, Ghidra, x64dbg) and systematic methodologies for reconstructing program logic from stripped binaries.

Reversing
Eldad Eilam · 2005 · 624 pp

The canonical RE textbook — covers disassembly theory, compiler artifacts, and structured analysis workflows. Must be read before tool-specific deep dives.

The IDA Pro book
Chris Eagle · 2008 · 651 pp

The definitive guide to the industry's most powerful disassembler; teaches scripting, FLIRT signatures, and navigating large codebases — read immediately after Eilam to apply concepts in a real tool.

Practical Binary Analysis
Dennis Andriesse · 2018 · 456 pp

Covers ELF internals, binary instrumentation, and symbolic execution with hands-on labs; extends tool knowledge into programmatic binary analysis and custom tooling.

3

Malware Analysis & Dynamic Techniques

Intermediate

Apply RE skills to real-world malware: behavioral analysis, unpacking, anti-analysis bypass, and reconstructing attacker intent from hostile binaries.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day (Practical Malware Analysis: 5–6 weeks; The Art of Memory Forensics: 3–4 weeks)

Key concepts
  • Static vs. dynamic malware analysis: when to use each approach and their complementary strengths
  • Behavioral analysis techniques: monitoring system calls, file I/O, registry changes, and network traffic to understand malware intent
  • Unpacking and code injection: identifying packed binaries, extracting original code, and analyzing injected payloads
  • Anti-analysis evasion: recognizing debugger detection, VM detection, timing checks, and techniques to bypass them
  • Memory forensics fundamentals: volatile memory acquisition, process memory layout, and reconstructing runtime behavior from memory dumps
  • Reconstructing attacker intent: connecting behavioral artifacts to malware functionality and determining C2 communication, data exfiltration, and persistence mechanisms
  • Practical tools and automation: using IDA Pro, debuggers, Wireshark, and memory analysis frameworks to scale analysis
  • Incident response integration: how malware analysis findings feed into containment, remediation, and threat intelligence
You should be able to answer
  • What are the key differences between static and dynamic analysis, and when would you choose one over the other for a suspicious binary?
  • How do you identify and unpack a packed executable, and what challenges arise when analyzing injected code?
  • Describe three common anti-analysis techniques and explain how you would bypass or work around each one.
  • Walk through a behavioral analysis workflow: what system artifacts would you monitor, and how would you correlate them to reconstruct malware intent?
  • What is the relationship between process memory layout and malware behavior, and how can memory forensics reveal activity that dynamic monitoring might miss?
  • Given a memory dump from an infected system, how would you identify malicious processes, extract their code, and determine their C2 infrastructure?
Practice
  • Analyze 3–5 samples from Practical Malware Analysis labs: perform static analysis first, then dynamic analysis in a sandbox, and document behavioral differences.
  • Unpack a real packed malware sample using tools like UPX, manual unpacking in a debugger, or process dumping; compare the packed vs. unpacked code in IDA Pro.
  • Set up a controlled lab environment (VM, isolated network) and execute a malware sample while monitoring system calls (Procmon), file system changes, registry modifications, and network traffic (Wireshark); create a behavioral profile.
  • Identify and bypass anti-analysis checks in a sample: patch debugger detection, disable VM detection, or modify timing checks; document your approach and re-execute to confirm.
  • Acquire a memory dump from an infected system (or use provided forensic images from The Art of Memory Forensics labs); use Volatility to extract process lists, DLLs, network connections, and injected code; correlate findings with behavioral analysis.
  • Reconstruct attacker intent from a complete analysis: combine static findings, behavioral logs, and memory forensics to produce a detailed report identifying C2 domains, persistence mechanisms, and data exfiltration targets.

Next up: This stage equips you with the ability to analyze real-world threats and reconstruct attacker behavior from hostile binaries, preparing you to advance into threat intelligence, advanced evasion techniques, or specialized domains like rootkit analysis and kernel-level malware.

Practical Malware Analysis
Michael Sikorski · 2012 · 800 pp

The gold-standard malware RE textbook — static + dynamic analysis, lab-driven, covering packers, obfuscation, and network indicators. Reads naturally after mastering disassembly tools.

The Art of Memory Forensics
Andrew Case · 2014 · 886 pp

Extends malware analysis into volatile memory — process injection, rootkit hiding, and artifact recovery — skills that complement static RE with runtime truth.

4

Vulnerability Research & Exploitation Internals

Expert

Reason about binaries as an offensive researcher: find memory corruption bugs, understand modern mitigations, and trace vulnerabilities from RE artifact to working exploit.

Study plan for this stage

Pace: 12–14 weeks, ~40–50 pages/day (accounting for dense technical content, code analysis, and lab setup)

Key concepts
  • Memory corruption vulnerability classes: buffer overflows, format strings, heap exploitation, use-after-free, and integer overflows
  • Stack-based exploitation: return-oriented programming (ROP), stack canaries, ASLR bypass techniques, and shellcode construction
  • Heap exploitation mechanics: heap metadata manipulation, chunk coalescing, and bypassing heap protections (safe-unlink, etc.)
  • Modern userland mitigations: DEP/NX, ASLR, stack canaries, and practical bypass techniques for each
  • Kernel vulnerability classes: race conditions, information disclosure, privilege escalation vectors, and kernel-specific protections
  • Kernel exploitation internals: kernel memory layout, syscall interfaces, privilege boundary crossing, and post-exploitation persistence
  • Vulnerability discovery workflow: identifying exploitable conditions in disassembly, tracing data flow from input to crash, and proof-of-concept development
  • Exploit development methodology: from vulnerability artifact to reliable, weaponized exploit with mitigation evasion
You should be able to answer
  • Explain the difference between stack-based and heap-based buffer overflows, and describe why heap exploitation is more complex
  • How do ASLR and DEP/NX mitigations work, and what are 2–3 practical techniques to bypass each?
  • Walk through the process of identifying a format string vulnerability in disassembly and constructing an exploit to leak or write memory
  • Describe the kernel memory layout, the role of syscalls, and how a userland process can escalate privileges via kernel exploitation
  • Given a vulnerable binary with a known memory corruption bug, outline the steps to develop a reliable exploit that bypasses modern protections
  • What is ROP, why is it necessary in the presence of DEP/NX, and how do you construct a functional ROP chain?
Practice
  • Exploit a stack-based buffer overflow in a provided vulnerable binary: craft shellcode, bypass a stack canary, and achieve code execution
  • Analyze a format string vulnerability in a real or synthetic binary using a debugger; leak stack memory and overwrite a function pointer
  • Develop a heap exploitation exploit targeting a use-after-free or heap overflow; demonstrate heap metadata manipulation and arbitrary code execution
  • Build a ROP chain by hand: identify gadgets in a binary, chain them together, and execute arbitrary syscalls or functions without injected code
  • Reverse-engineer a kernel module or syscall handler; identify a race condition or integer overflow; develop a kernel exploit that achieves privilege escalation
  • Construct an end-to-end exploit for a realistic vulnerability: from binary analysis and vulnerability discovery to a working, mitigation-aware exploit with shellcode or payload delivery

Next up: This stage transforms you from a defensive reverse engineer into an offensive researcher who can reason about exploitability and build working attacks—preparing you to either specialize in advanced exploit development (0-day research, mitigation evasion) or apply these skills to security assessment and threat modeling in real-world engagements.

The shellcoder's handbook
Chris Anley · 2007 · 731 pp

Comprehensive treatment of vulnerability classes (stack, heap, format strings, kernel) with the RE perspective baked in — the bridge between analysis and exploitation.

A Guide to Kernel Exploitation
Enrico Perla · 2010

Pushes RE into kernel space — driver analysis, privilege escalation, and OS internals — the frontier where advanced vulnerability research lives.

5

Advanced Internals, Anti-Analysis & Custom Tooling

Expert

Master the deepest layer: obfuscation, virtualization-based protectors, binary diffing, and building bespoke RE infrastructure — the level of a professional researcher or tool author.

Study plan for this stage

Pace: 12–14 weeks, ~40–50 pages/day (Windows Internals Part 2: 6–7 weeks; Rootkits: 5–6 weeks). Allocate 1–2 weeks for integration projects between books.

Key concepts
  • Kernel architecture, memory management, and process/thread internals as the foundation for understanding protection mechanisms and evasion techniques
  • Virtualization-based security (VBS), hypervisor-level protection, and how rootkits operate below the OS abstraction layer
  • Code obfuscation patterns, control-flow flattening, and anti-disassembly techniques used by modern protectors and malware
  • Binary diffing and patch analysis: identifying changes across versions to detect obfuscation, virtualization, or protection updates
  • Rootkit detection evasion: syscall hooking, kernel-mode code injection, and maintaining stealth while operating at ring-0
  • Custom tooling for RE: building kernel drivers, debuggers, and analysis frameworks that operate at or below the protection layer
  • Practical integration: combining kernel knowledge with reverse engineering to defeat real-world protectors and analyze sophisticated malware
You should be able to answer
  • How do virtual memory, paging, and kernel-mode execution enable rootkits to hide from user-mode detection, and what are the detection blind spots?
  • What are the key differences between hypervisor-based protection (e.g., VBS) and traditional kernel-mode rootkits, and how does each affect RE methodology?
  • How do obfuscation techniques like control-flow flattening and opaque predicates complicate static and dynamic analysis, and what strategies defeat them?
  • What is the workflow for binary diffing to identify protection updates or malware variants, and how do you extract meaningful RE insights from patch analysis?
  • How do you design and implement a custom kernel driver or analysis tool to bypass or introspect protected binaries?
  • What are the ethical, legal, and operational boundaries of rootkit research, and how do you conduct advanced RE responsibly?
Practice
  • Map the Windows kernel data structures (PEB, TEB, VAD trees) from Windows Internals Part 2 by writing a kernel driver that enumerates and modifies them; compare your results against a commercial anti-cheat or protection mechanism.
  • Implement a simple syscall hook using techniques from Rootkits; test it against user-mode detection tools (e.g., kernel callback monitoring) and document evasion strategies.
  • Perform binary diffing on two versions of a protected binary (e.g., different versions of a game anti-cheat or commercial packer) using tools like BinDiff or Diaphora; identify obfuscation changes and protection updates.
  • Reverse engineer and document the control-flow flattening or virtualization scheme in a real-world obfuscated sample; build a custom IDA/Ghidra plugin or script to partially deobfuscate it.
  • Design and prototype a custom analysis tool (kernel driver, user-mode hook framework, or hypervisor introspection tool) that defeats or introspects a specific protection mechanism; document the design and limitations.
  • Conduct a full-stack analysis of a rootkit or advanced malware sample: trace its kernel-mode operations using Windows Internals concepts, identify anti-analysis techniques from Rootkits, and propose detection/mitigation strategies.

Next up: This stage equips you with the kernel-level knowledge, obfuscation expertise, and custom tooling skills to operate at the frontier of reverse engineering—preparing you to tackle emerging protection schemes, contribute to security research, or develop advanced analysis infrastructure in specialized domains (e.g., firmware, hypervisors, or zero-day malware analysis).

Windows Internals, Part 2
Mark E. Russinovich · 2012

Authoritative source on NT kernel structures, object manager, and memory management — essential for reversing Windows binaries, drivers, and rootkits at the source-of-truth level.

Rootkits
Greg Hoglund · 2006 · 352 pp

Examines the most sophisticated anti-detection and hooking techniques; reading this teaches you to think like the authors of the hardest targets you will ever reverse.

Discussion

Keep reading

Paths that share books, cover the same subject, or open a related topic.

Shares 7 books

The Best Books to Learn Malware Analysis, In Order

Beginner10books119 hrs5 stages
Shares 5 books

The Best Books to Learn Assembly Language, In Order

Beginner9books133 hrs4 stages
Shares 1 book

How to learn Cybersecurity

Beginner11books116 hrs4 stages
More on MATLAB

The Best Books to Learn MATLAB, In Order

Beginner10books121 hrs5 stages

More on reverse engineering