45 min · Advanced

Dynamic Analysis and Safe Malware Handling

After this lesson, you will be able to: run a sample safely in an isolated VM with no network access, use x64dbg (Windows) and strace/ltrace (Linux) to observe its behavior, and understand how dynamic analysis complements static analysis.

Dynamic analysis runs a sample and watches what it does. This lesson covers building a safe analysis environment, debugging with x64dbg on Windows and strace/ltrace on Linux, and what behavior to observe, always on benign samples.

Prerequisites: Disassembly and Decompilation with Ghidra

💡 Safety: isolated, no network, benign samples only

Dynamic analysis means executing the binary, so the environment matters enormously. For real malware (beyond this subtrack), you use a dedicated, isolated VM with no network and snapshots to revert. Here we run only benign educational samples, but you should still practice the safe-environment habits: a disposable VM, snapshots, and no access to anything you care about.

Why dynamic analysis

Static analysis shows what code exists; dynamic analysis shows what it actually does when run, including behavior that is hidden, packed, or only triggered at runtime. You watch which files it touches, which network connections it attempts, which registry keys or processes it manipulates, and how it unpacks itself in memory. Static and dynamic analysis together give a complete picture; either alone has blind spots.

Debugging on Windows and Linux

On Windows, x64dbg is the standard free debugger: set breakpoints, step through execution, inspect memory and registers, and watch a packed sample unpack itself in memory (where the real code becomes visible). On Linux, strace traces system calls (file opens, network, process actions) and ltrace traces library calls, giving a fast behavioral summary without a full debugger. These tools let you observe rather than guess.

Lab: observe a benign binary's behavior

Use a benign sample in a disposable VM.

  1. In a disposable VM (snapshot taken), prepare to run the benign sample.
  2. On Linux: run strace ./sample and ltrace ./sample; note the files it opens and any network or library calls.
  3. On Windows: load the sample in x64dbg, set a breakpoint at the entry point, and step through key calls.
  4. Compare the observed behavior to your static-analysis hypothesis from earlier lessons.
  5. Revert the VM snapshot when done. Note how behavior you could not see statically becomes obvious at runtime.
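The behavioral summary that step 2 asks you to note, turned into a small script, as an added example that is not part of the lesson: given a log written by strace -f -o trace.log ./sample, it lists the paths the sample opened, the IPv4 endpoints it tried to connect to, and the programs it or its children executed. The strace lines it parses are constructed here so the script runs offline; the failed connect is exactly what a network-less VM produces.

```shell
# Turn an strace log into a quick behavioural profile: every path the sample
# opened (successful or not), every IPv4 endpoint it tried to connect to, and
# every program it executed (its own execve plus any children's).
# Assumes the log was written with `strace -f -o trace.log ./sample`; -f is
# what makes the child processes' calls (e.g. a spawned shell) appear.
# Constructed strace output standing in for a real capture, so this runs
# offline. The failed connect() is what an isolated, network-less VM shows.
make_sample_trace() {
  cat <<'EOF'
1234  execve("./sample", ["./sample"], 0x7ffd4c1a2b30 /* 20 vars */) = 0
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/home/lab/notes.txt", O_RDONLY) = 3
1234  openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
1234  openat(AT_FDCWD, "/tmp/.cache", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
1234  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
1234  connect(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("10.0.0.5")}, 16) = -1 ENETUNREACH (Network is unreachable)
1234  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f3a1c2d3e50) = 1235
1235  execve("/bin/sh", ["/bin/sh", "-c", "id"], 0x7ffd4c1a2b30 /* 20 vars */) = 0
1234  exit_group(0) = ?
EOF
}
# First quoted string on an open()/openat() line is the path. Failed attempts
# are kept on purpose: what a sample *tries* to read is evidence too.
trace_opened_files() {   # $1 = log path
  grep -E '^[0-9]+ +openat?\(' "$1" | sed -E 's/^[^"]*"([^"]+)".*/\1/' | sort -u
}
# Same, but only opens that could create or modify a file.
trace_written_files() {
  grep -E '^[0-9]+ +openat?\(' "$1" | grep -E 'O_WRONLY|O_RDWR|O_CREAT' \
    | sed -E 's/^[^"]*"([^"]+)".*/\1/' | sort -u
}
# IPv4 connect() targets as host:port, whether or not they succeeded.
trace_connects() {
  grep -E '^[0-9]+ +connect\(' "$1" | grep 'sin_addr' \
    | sed -E 's/.*sin_port=htons\(([0-9]+)\).*inet_addr\("([^"]+)"\).*/\2:\1/' | sort -u
}
# Programs executed, including by child processes (needs strace -f).
trace_execs() {
  grep -E '^[0-9]+ +execve\(' "$1" | sed -E 's/^[^"]*"([^"]+)".*/\1/' | sort -u
}
# Print all four sections; usage: make_sample_trace > trace.log; summarize_trace trace.log
summarize_trace() {
  for section in opened_files written_files connects execs; do
    printf '== %s ==\n' "$section"; "trace_$section" "$1"
  done
}
```

On a real capture, compare these lists against what the static view predicted: a write to an unexpected path, a connect attempt, or a spawned shell that Ghidra did not show you is the runtime-only behavior this lesson is about.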

Quick Check

Why is dynamic analysis run in an isolated VM with snapshots?

Pick the best reason.

Common mistakes only experienced analysts catch

  • Running a sample outside isolation "just once."
  • Forgetting to snapshot before execution.
  • Giving the analysis VM network access or shared folders to the host (escape and spread risk).
  • Relying only on dynamic analysis and missing dormant code paths.
  • Not correlating dynamic findings with the static view.
  • Analyzing real malware without the training and infrastructure this subtrack deliberately avoids.
