Log In
Or create an account -> 
Imperial Library
  • Home
  • About
  • News
  • Upload
  • Forum
  • Help
  • Login/SignUp

Index
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software Praise for Practical Malware Analysis Warning About the Authors
About the Technical Reviewer About the Contributing Authors
Foreword Acknowledgments
Individual Thanks
Introduction
What Is Malware Analysis? Prerequisites Practical, Hands-On Learning What’s in the Book?
0. Malware Analysis Primer
The Goals of Malware Analysis Malware Analysis Techniques
Basic Static Analysis Basic Dynamic Analysis Advanced Static Analysis Advanced Dynamic Analysis
Types of Malware General Rules for Malware Analysis
I. Basic Analysis
1. Basic Static Techniques
Antivirus Scanning: A Useful First Step Hashing: A Fingerprint for Malware Finding Strings Packed and Obfuscated Malware
Packing Files Detecting Packers with PEiD
Portable Executable File Format Linked Libraries and Functions
Static, Runtime, and Dynamic Linking Exploring Dynamically Linked Functions with Dependency Walker Imported Functions Exported Functions
Static Analysis in Practice
PotentialKeylogger.exe: An Unpacked Executable PackedProgram.exe: A Dead End
The PE File Headers and Sections
Examining PE Files with PEview Viewing the Resource Section with Resource Hacker Using Other PE File Tools PE Header Summary
Conclusion Labs
Lab 1-1
Questions
Lab 1-2
Questions
Lab 1-3
Questions
Lab 1-4
Questions
2. Malware Analysis in Virtual Machines
The Structure of a Virtual Machine Creating Your Malware Analysis Machine
Configuring VMware
Disconnecting the Network Setting Up Host-Only Networking Using Multiple Virtual Machines
Using Your Malware Analysis Machine
Connecting Malware to the Internet Connecting and Disconnecting Peripheral Devices Taking Snapshots Transferring Files from a Virtual Machine
The Risks of Using VMware for Malware Analysis Record/Replay: Running Your Computer in Reverse Conclusion
3. Basic Dynamic Analysis
Sandboxes: The Quick-and-Dirty Approach
Using a Malware Sandbox Sandbox Drawbacks
Running Malware Monitoring with Process Monitor
The Procmon Display Filtering in Procmon
Viewing Processes with Process Explorer
The Process Explorer Display Using the Verify Option Comparing Strings Using Dependency Walker Analyzing Malicious Documents
Comparing Registry Snapshots with Regshot Faking a Network
Using ApateDNS Monitoring with Netcat
Packet Sniffing with Wireshark Using INetSim Basic Dynamic Tools in Practice Conclusion Labs
Lab 3-1
Questions
Lab 3-2
Questions
Lab 3-3
Questions
Lab 3-4
Questions
II. Advanced Static Analysis
4. A Crash Course in x86 Disassembly
Levels of Abstraction Reverse-Engineering The x86 Architecture
Main Memory Instructions Opcodes and Endianness Operands Registers
General Registers Flags EIP, the Instruction Pointer
Simple Instructions
Arithmetic NOP
The Stack
Function Calls Stack Layout
Conditionals Branching Rep Instructions C Main Method and Offsets More Information: Intel x86 Architecture Manuals
Conclusion
5. IDA Pro
Loading an Executable The IDA Pro Interface
Disassembly Window Modes
Graph Mode Text Mode
Useful Windows for Analysis Returning to the Default View Navigating IDA Pro
Using Links and Cross-References Exploring Your History Navigation Band Jump to Location
Searching
Using Cross-References
Code Cross-References Data Cross-References
Analyzing Functions Using Graphing Options Enhancing Disassembly
Renaming Locations Comments Formatting Operands Using Named Constants Redefining Code and Data
Extending IDA with Plug-ins
Using IDC Scripts Using IDAPython Using Commercial Plug-ins
Conclusion Labs
Lab 5-1
Questions
6. Recognizing C Code Constructs in Assembly
Global vs. Local Variables Disassembling Arithmetic Operations Recognizing if Statements
Analyzing Functions Graphically with IDA Pro Recognizing Nested if Statements
Recognizing Loops
Finding for Loops Finding while Loops
Understanding Function Call Conventions
cdecl stdcall fastcall Push vs. Move
Analyzing switch Statements
If Style Jump Table
Disassembling Arrays Identifying Structs Analyzing Linked List Traversal Conclusion Labs
Lab 6-1
Questions
Lab 6-2
Questions
Lab 6-3
Questions
Lab 6-4
Questions
7. Analyzing Malicious Windows Programs
The Windows API
Types and Hungarian Notation Handles File System Functions Special Files
Shared Files Files Accessible via Namespaces Alternate Data Streams
The Windows Registry
Registry Root Keys Regedit Programs that Run Automatically Common Registry Functions Analyzing Registry Code in Practice Registry Scripting with .reg Files
Networking APIs
Berkeley Compatible Sockets The Server and Client Sides of Networking The WinINet API
Following Running Malware
DLLs
How Malware Authors Use DLLs Basic DLL Structure
Processes
Creating a New Process
Threads
Thread Context Creating a Thread
Interprocess Coordination with Mutexes Services The Component Object Model
CLSIDs, IIDs, and the Use of COM Objects COM Server Malware
Exceptions: When Things Go Wrong
Kernel vs. User Mode The Native API Conclusion Labs
Lab 7-1
Questions
Lab 7-2
Questions
Lab 7-3
Questions
III. Advanced Dynamic Analysis
8. Debugging
Source-Level vs. Assembly-Level Debuggers Kernel vs. User-Mode Debugging Using a Debugger
Single-Stepping Stepping-Over vs. Stepping-Into Pausing Execution with Breakpoints
Software Execution Breakpoints Hardware Execution Breakpoints Conditional Breakpoints
Exceptions
First- and Second-Chance Exceptions Common Exceptions
Modifying Execution with a Debugger Modifying Program Execution in Practice Conclusion
9. OllyDbg
Loading Malware
Opening an Executable Attaching to a Running Process
The OllyDbg Interface Memory Map
Rebasing
Base Addresses Absolute vs. Relative Addresses
Viewing Threads and Stacks Executing Code Breakpoints
Software Breakpoints Conditional Breakpoints Hardware Breakpoints Memory Breakpoints
Loading DLLs Tracing
Standard Back Trace Call Stack Run Trace Tracing Poison Ivy
Exception Handling Patching Analyzing Shellcode Assistance Features Plug-ins
OllyDump Hide Debugger Command Line Bookmarks
Scriptable Debugging Conclusion Labs
Lab 9-1
Questions
Lab 9-2
Questions
Lab 9-3
Questions
10. Kernel Debugging with WinDbg
Drivers and Kernel Code Setting Up Kernel Debugging Using WinDbg
Reading from Memory Using Arithmetic Operators Setting Breakpoints Listing Modules
Microsoft Symbols
Searching for Symbols Viewing Structure Information Configuring Windows Symbols
Kernel Debugging in Practice
Looking at the User-Space Code Looking at the Kernel-Mode Code Finding Driver Objects
Rootkits
Rootkit Analysis in Practice Interrupts
Loading Drivers Kernel Issues for Windows Vista, Windows 7, and x64 Versions Conclusion Labs
Lab 10-1
Questions
Lab 10-2
Questions
Lab 10-3
Questions
IV. Malware Functionality
11. Malware Behavior
Downloaders and Launchers Backdoors
Reverse Shell
Netcat Reverse Shells Windows Reverse Shells
RATs Botnets RATs and Botnets Compared
Credential Stealers
GINA Interception Hash Dumping Keystroke Logging
Kernel-Based Keyloggers User-Space Keyloggers Identifying Keyloggers in Strings Listings
Persistence Mechanisms
The Windows Registry
AppInit_DLLs Winlogon Notify SvcHost DLLs
Trojanized System Binaries DLL Load-Order Hijacking
Privilege Escalation
Using SeDebugPrivilege
Covering Its Tracks—User-Mode Rootkits
IAT Hooking Inline Hooking
Conclusion Labs
Lab 11-1
Questions
Lab 11-2
Questions
Lab 11-3
Questions
12. Covert Malware Launching
Launchers Process Injection
DLL Injection Direct Injection
Process Replacement Hook Injection
Local and Remote Hooks Keyloggers Using Hooks Using SetWindowsHookEx Thread Targeting
Detours APC Injection
APC Injection from User Space APC Injection from Kernel Space
Conclusion Labs
Lab 12-1
Questions
Lab 12-2
Questions
Lab 12-3
Questions
Lab 12-4
Questions
13. Data Encoding
The Goal of Analyzing Encoding Algorithms Simple Ciphers
Caesar Cipher XOR
Brute-Forcing XOR Encoding Brute-Forcing Many Files NULL-Preserving Single-Byte XOR Encoding Identifying XOR Loops in IDA Pro
Other Simple Encoding Schemes Base64
Transforming Data to Base64 Identifying and Decoding Base64
Common Cryptographic Algorithms
Recognizing Strings and Imports Searching for Cryptographic Constants
Using FindCrypt2 Using Krypto ANALyzer
Searching for High-Entropy Content
Custom Encoding
Identifying Custom Encoding Advantages of Custom Encoding to the Attacker
Decoding
Self-Decoding Manual Programming of Decoding Functions Using Instrumentation for Generic Decryption
Conclusion Labs
Lab 13-1
Questions
Lab 13-2
Questions
Lab 13-3
Questions
14. Malware-Focused Network Signatures
Network Countermeasures
Observing the Malware in Its Natural Habitat Indications of Malicious Activity OPSEC = Operations Security
Safely Investigate an Attacker Online
Indirection Tactics Getting IP Address and Domain Information
Content-Based Network Countermeasures
Intrusion Detection with Snort Taking a Deeper Look
Combining Dynamic and Static Analysis Techniques
The Danger of Overanalysis Hiding in Plain Sight
Attackers Mimic Existing Protocols Attackers Use Existing Infrastructure Leveraging Client-Initiated Beaconing
Understanding Surrounding Code Finding the Networking Code Knowing the Sources of Network Content Hard-Coded Data vs. Ephemeral Data Identifying and Leveraging the Encoding Steps Creating a Signature Analyze the Parsing Routines Targeting Multiple Elements
Understanding the Attacker’s Perspective Conclusion Labs
Lab 14-1
Questions
Lab 14-2
Questions
Lab 14-3
Questions
V. Anti-Reverse-Engineering
15. Anti-Disassembly
Understanding Anti-Disassembly Defeating Disassembly Algorithms
Linear Disassembly Flow-Oriented Disassembly
Anti-Disassembly Techniques
Jump Instructions with the Same Target A Jump Instruction with a Constant Condition Impossible Disassembly NOP-ing Out Instructions with IDA Pro
Obscuring Flow Control
The Function Pointer Problem Adding Missing Code Cross-References in IDA Pro Return Pointer Abuse Misusing Structured Exception Handlers
Thwarting Stack-Frame Analysis Conclusion Labs
Lab 15-1
Questions
Lab 15-2
Questions
Lab 15-3
Questions
16. Anti-Debugging
Windows Debugger Detection
Using the Windows API Manually Checking Structures
Checking the BeingDebugged Flag Checking the ProcessHeap Flag Checking NTGlobalFlag
Checking for System Residue
Identifying Debugger Behavior
INT Scanning Performing Code Checksums Timing Checks
Using the rdtsc Instruction Using QueryPerformanceCounter and GetTickCount
Interfering with Debugger Functionality
Using TLS Callbacks Using Exceptions Inserting Interrupts
Inserting INT 3 Inserting INT 2D Inserting ICE
Debugger Vulnerabilities
PE Header Vulnerabilities The OutputDebugString Vulnerability
Conclusion Labs
Lab 16-1
Questions
Lab 16-2
Questions
Lab 16-3
Questions
17. Anti-Virtual Machine Techniques
VMware Artifacts
Bypassing VMware Artifact Searching Checking for Memory Artifacts
Vulnerable Instructions
Using the Red Pill Anti-VM Technique Using the No Pill Technique Querying the I/O Communication Port Using the str Instruction Anti-VM x86 Instructions Highlighting Anti-VM in IDA Pro Using ScoopyNG
Tweaking Settings Escaping the Virtual Machine Conclusion Labs
Lab 17-1
Questions
Lab 17-2
Questions
Lab 17-3
Questions
18. Packers and Unpacking
Packer Anatomy
The Unpacking Stub Loading the Executable Resolving Imports The Tail Jump Unpacking Illustrated
Identifying Packed Programs
Indicators of a Packed Program Entropy Calculation
Unpacking Options Automated Unpacking Manual Unpacking
Rebuilding the Import Table with Import Reconstructor Finding the OEP
Using Automated Tools to Find the OEP Finding the OEP Manually
Repairing the Import Table Manually
Tips and Tricks for Common Packers
UPX PECompact ASPack Petite WinUpack Themida
Analyzing Without Fully Unpacking Packed DLLs Conclusion Labs
VI. Special Topics
19. Shellcode Analysis
Loading Shellcode for Analysis Position-Independent Code Identifying Execution Location
Using call/pop Using fnstenv
Manual Symbol Resolution
Finding kernel32.dll in Memory Parsing PE Export Data Using Hashed Exported Names
A Full Hello World Example Shellcode Encodings NOP Sleds Finding Shellcode Conclusion Labs
Lab 19-1
Questions
Lab 19-2
Questions
Lab 19-3
Questions
20. C++ Analysis
Object-Oriented Programming
The this Pointer Overloading and Mangling Inheritance and Function Overriding
Virtual vs. Nonvirtual Functions
Use of Vtables Recognizing a Vtable
Creating and Destroying Objects Conclusion Labs
Lab 20-1
Questions
Lab 20-2
Questions
Lab 20-3
Questions
21. 64-Bit Malware
Why 64-Bit Malware? Differences in x64 Architecture
Differences in the x64 Calling Convention and Stack Usage
Leaf and Nonleaf Functions Prologue and Epilogue 64-Bit Code
64-Bit Exception Handling
Windows 32-Bit on Windows 64-Bit 64-Bit Hints at Malware Functionality Conclusion Labs
Lab 21-1
Questions
Lab 21-2
Questions
A. Important Windows Functions B. Tools for Malware Analysis C. Solutions to Labs
Lab 1-1 Solutions
Short Answers Detailed Analysis
Lab 1-2 Solutions
Short Answers Detailed Analysis
Lab 1-3 Solutions
Short Answers Detailed Analysis
Lab 1-4 Solutions
Short Answers Detailed Analysis
Lab 3-1 Solutions
Short Answers Detailed Analysis
Lab 3-2 Solutions
Short Answers Detailed Analysis
Lab 3-3 Solutions
Short Answers Detailed Analysis
Lab 3-4 Solutions
Short Answers Detailed Analysis
Lab 5-1 Solutions
Short Answers Detailed Analysis
Lab 6-1 Solutions
Short Answers Detailed Analysis
Lab 6-2 Solutions
Short Answers Detailed Analysis
Lab 6-3 Solutions
Short Answers Detailed Analysis
Graphical View of Command Character Switch Switch Options
Lab 6-4 Solutions
Short Answers Detailed Analysis
Lab 7-1 Solutions
Short Answers Detailed Analysis
Lab 7-2 Solutions
Short Answers Detailed Analysis
Lab 7-3 Solutions
Short Answers Detailed Analysis
Analyzing the DLL Analyzing the EXE
Lab 9-1 Solutions
Short Answers Detailed Analysis
Command-Line Option Analysis Backdoor Analysis Networking Analysis Malware Summary
Lab 9-2 Solutions
Short Answers Detailed Analysis
Decoding Stack-Formed Strings Filename Check Decoding XOR Encoded Strings Reverse Shell Analysis
Lab 9-3 Solutions
Short Answers Detailed Analysis
Using the Memory Map to Locate DLLs Applying a Structure in IDA Pro Specifying a New Image Base with IDA Pro Malware Summary
Lab 10-1 Solutions
Short Answers Detailed Analysis
Viewing Lab10-01.sys in IDA Pro Analyzing Lab10-01.sys in WinDbg
Lab 10-2 Solutions
Short Answers Detailed Analysis
Finding the Rootkit Examining the Hook Function Hiding Files Recovering the Hidden File
Lab 10-3 Solutions
Short Answers Detailed Analysis
Analyzing the Executable in IDA Pro Analyzing the Driver Finding the Driver in Memory with WinDbg Analyzing the Functions of the Major Function Table
Lab 11-1 Solutions
Short Answers Detailed Analysis
Analysis of msgina32.dll Summary
Lab 11-2 Solutions
Short Answers Detailed Analysis
Low-Level Hook Operation Summary Examining the Hook in OllyDbg Capturing the Network Traffic Summary
Lab 11-3 Solutions
Short Answers Detailed Analysis
Keylogger Analysis Summary
Lab 12-1 Solutions
Short Answers Detailed Analysis
Lab 12-2 Solutions
Short Answers Detailed Analysis
Lab 12-3 Solutions
Short Answers Detailed Analysis
Lab 12-4 Solutions
Short Answers Detailed Analysis
Lab 13-1 Solutions
Short Answers Detailed Analysis
Lab 13-2 Solutions
Short Answers Detailed Analysis
Decoding Using OllyDbg Scripting the Solution
Lab 13-3 Solutions
Short Answers Detailed Analysis
Modified Base64 Decoding Decrypting AES Crypto Pitfalls
Lab 14-1 Solutions
Short Answers Detailed Analysis
Network Signatures
Lab 14-2 Solutions
Short Answers Detailed Analysis
Network Signatures
Lab 14-3 Solutions
Short Answers Detailed Analysis
Beacon Web Commands
Lab 15-1 Solutions
Short Answers Detailed Analysis
Lab 15-2 Solutions
Short Answers Detailed Analysis
Lab 15-3 Solutions
Short Answers Detailed Analysis
Lab 16-1 Solutions
Short Answers Detailed Analysis
The BeingDebugged Flag The ProcessHeap Flag The NTGlobalFlag Flag Summary
Lab 16-2 Solutions
Short Answers Detailed Analysis
Getting the Correct Password
Lab 16-3 Solutions
Short Answers Detailed Analysis
The QueryPerformanceCounter Function The GetTickCount Function The rdtsc Instruction Summary
Lab 17-1 Solutions
Short Answers Detailed Analysis
Searching for Vulnerable Instructions The sidt Instruction—Red Pill The str Instruction The sldt Instruction—No Pill
Lab 17-2 Solutions
Short Answers Detailed Analysis
Lab 17-3 Solutions
Short Answers Detailed Analysis
Searching for Vulnerable Instructions Finding Anti-VM Techniques Using Strings Reviewing the Final Check Summary
Lab 18-1 Solutions Lab 18-2 Solutions Lab 18-3 Solutions Lab 18-4 Solutions Lab 18-5 Solutions Lab 19-1 Solutions
Short Answers Detailed Analysis
Lab 19-2 Solutions
Short Answers Detailed Analysis
Lab 19-3 Solutions
Short Answers Detailed Analysis
Lab 20-1 Solutions
Short Answers Detailed Analysis
Lab 20-2 Solutions
Short Answers Detailed Analysis
Lab 20-3 Solutions
Short Answers Detailed Analysis
Lab 21-1 Solutions
Short Answers Detailed Analysis
Lab 21-2 Solutions
Short Answers Detailed Analysis
X86 Code Path X64 Code Path
Index Updates About the Authors Copyright
  • ← Prev
  • Back
  • Next →
  • ← Prev
  • Back
  • Next →

Chief Librarian: Las Zenow <zenow@riseup.net>
Fork the source code from gitlab.

This is a mirror of the Tor onion service:
http://kx5thpx2olielkihfyo4jgjqfb7zx7wxr3sd4xzt26ochei4m6f7tayd.onion