Praise for Practical Malware Analysis
Warning
About the Authors
About the Technical Reviewer
About the Contributing Authors
Foreword
Acknowledgments
Individual Thanks
Introduction
What Is Malware Analysis?
Prerequisites
Practical, Hands-On Learning
What's in the Book?
Malware Analysis Primer
The Goals of Malware Analysis
Malware Analysis Techniques
Types of Malware
General Rules for Malware Analysis
Basic Analysis
Basic Static Techniques
Antivirus Scanning: A Useful First Step
Hashing: A Fingerprint for Malware
Finding Strings
Packed and Obfuscated Malware
Portable Executable File Format
Linked Libraries and Functions
Static Analysis in Practice
The PE File Headers and Sections
Conclusion
Labs
Malware Analysis in Virtual Machines
The Structure of a Virtual Machine
Creating Your Malware Analysis Machine
Using Your Malware Analysis Machine
The Risks of Using VMware for Malware Analysis
Record/Replay: Running Your Computer in Reverse
Conclusion
Basic Dynamic Analysis
Sandboxes: The Quick-and-Dirty Approach
Running Malware
Monitoring with Process Monitor
Viewing Processes with Process Explorer
Comparing Registry Snapshots with Regshot
Faking a Network
Packet Sniffing with Wireshark
Using INetSim
Basic Dynamic Tools in Practice
Conclusion
Labs
Advanced Static Analysis
A Crash Course in x86 Disassembly
Levels of Abstraction
Reverse-Engineering
The x86 Architecture
Conclusion
IDA Pro
Loading an Executable
The IDA Pro Interface
Using Cross-References
Analyzing Functions
Using Graphing Options
Enhancing Disassembly
Extending IDA with Plug-ins
Conclusion
Labs
Recognizing C Code Constructs in Assembly
Global vs. Local Variables
Disassembling Arithmetic Operations
Recognizing if Statements
Recognizing Loops
Understanding Function Call Conventions
Analyzing switch Statements
Disassembling Arrays
Identifying Structs
Analyzing Linked List Traversal
Conclusion
Labs
Analyzing Malicious Windows Programs
The Windows API
The Windows Registry
Networking APIs
Following Running Malware
Kernel vs. User Mode
The Native API
Conclusion
Labs
Advanced Dynamic Analysis
Debugging
Source-Level vs. Assembly-Level Debuggers
Kernel vs. User-Mode Debugging
Using a Debugger
Exceptions
Modifying Execution with a Debugger
Modifying Program Execution in Practice
Conclusion
OllyDbg
Loading Malware
The OllyDbg Interface
Memory Map
Viewing Threads and Stacks
Executing Code
Breakpoints
Loading DLLs
Tracing
Exception Handling
Patching
Analyzing Shellcode
Assistance Features
Plug-ins
Scriptable Debugging
Conclusion
Labs
Kernel Debugging with WinDbg
Drivers and Kernel Code
Setting Up Kernel Debugging
Using WinDbg
Microsoft Symbols
Kernel Debugging in Practice
Rootkits
Loading Drivers
Kernel Issues for Windows Vista, Windows 7, and x64 Versions
Conclusion
Labs
Malware Functionality
Malware Behavior
Downloaders and Launchers
Backdoors
Credential Stealers
Persistence Mechanisms
Privilege Escalation
Covering Its Tracks—User-Mode Rootkits
Conclusion
Labs
Covert Malware Launching
Launchers
Process Injection
Process Replacement
Hook Injection
Detours
APC Injection
Conclusion
Labs
Data Encoding
The Goal of Analyzing Encoding Algorithms
Simple Ciphers
Common Cryptographic Algorithms
Custom Encoding
Decoding
Conclusion
Labs
Malware-Focused Network Signatures
Network Countermeasures
Safely Investigate an Attacker Online
Content-Based Network Countermeasures
Combining Dynamic and Static Analysis Techniques
Understanding the Attacker's Perspective
Conclusion
Labs
Anti-Reverse-Engineering
Anti-Disassembly
Understanding Anti-Disassembly
Defeating Disassembly Algorithms
Anti-Disassembly Techniques
Obscuring Flow Control
Thwarting Stack-Frame Analysis
Conclusion
Labs
Anti-Debugging
Windows Debugger Detection
Identifying Debugger Behavior
Interfering with Debugger Functionality
Debugger Vulnerabilities
Conclusion
Labs
Anti-Virtual Machine Techniques
VMware Artifacts
Vulnerable Instructions
Tweaking Settings
Escaping the Virtual Machine
Conclusion
Labs
Packers and Unpacking
Packer Anatomy
Identifying Packed Programs
Unpacking Options
Automated Unpacking
Manual Unpacking
Tips and Tricks for Common Packers
Analyzing Without Fully Unpacking
Packed DLLs
Conclusion
Labs
Special Topics
Shellcode Analysis
Loading Shellcode for Analysis
Position-Independent Code
Identifying Execution Location
Manual Symbol Resolution
A Full Hello World Example
Shellcode Encodings
NOP Sleds
Finding Shellcode
Conclusion
Labs
C++ Analysis
Object-Oriented Programming
Virtual vs. Nonvirtual Functions
Creating and Destroying Objects
Conclusion
Labs
64-Bit Malware
Why 64-Bit Malware?
Differences in x64 Architecture
Windows 32-Bit on Windows 64-Bit
64-Bit Hints at Malware Functionality
Conclusion
Labs
Important Windows Functions
Tools for Malware Analysis
Solutions to Labs