Master the fundamentals of malware analysis for the Windows platform and enhance your anti-malware
skill set.

Table of Contents:

Preface v
Chapter 1: Down the Rabbit Hole 1
Number systems 2
Base conversion 9
Binary to hexadecimal (and vice versa) 9
Decimal to binary (and vice versa) 10
Octal base conversion 10
Signed numbers and complements 11
A signed data type overflow conditions table 14
Boolean logic and bit masks 17
Bit masking 18
Breathing in the ephemeral realm 19
Sharpening the scalpel 20
Performing binary reconnaissance 22
Scanning malware on the web 24
Getting a great view with PEView 25
Know the ins and outs with PEInsider 26
Identifying with PEiD 26
Walking on frozen terrain with DeepFreeze 28
Meeting the rex of HexEditors 28
Digesting string theory with strings 29
Hashish, pot, and stashing with hashing tools 33
Getting resourceful with XNResource Editor 36
Too much leech with Dependency Walker 37
Getting dumped by Dumpbin 38
Exploring the universe of binaries on PE Explorer 40
Getting to know IDA Pro 45
Knowing your bearings in IDA Pro 53
Hooking up with IDA Pro 55
Entropy 57
Summary 61
Chapter 2: Dancing with the Dead 63
Motivation 63
Registers 66
Special-purpose registers 67
The initiation ritual 72
Preparing the altar 88
The static library generator 96
Code constructs in x86 disassembly 102
The for loop 103
The while loop 104
The do-while loop 105
The if-then-else loop 106
A switch case 107
Structs 110
Linked lists 114
Summary 121
Chapter 3: Performing a Séance Session 123
Fortifying your debrief 124
Debriefing – seeing the forest for the trees 126
Preparing for D-Day – lab setup 127
Whippin’ out your arsenal 129
Fingerprinting 129
User mode sandboxing 129
Debugging and disassembly 129
Monitoring 129
MISC 130
Next steps and prerequisites 130
Summoning the demon! 131
Step 1 – fingerprinting 131
Step 2 – static and dynamic analysis 137
Obfuscation – a dynamic in-memory function pointers table 148
The PEB traversal code 150
Section object creation 157
Temp file check 159
Taskkill invocation for antivirus services 159
New thread creation 161
MBR reading 163
MBR infection 170
Payload 170
Verifying MBR integrity 172
Post infection 178
Network activity 180
Registry activity 180
Yara signatures 180
Exorcism and the aftermath – debrief finale! 183
Executive synopsis 183
Mitigation 184
Summary 185
Chapter 4: Traversing Across Parallel Dimensions 187
Compression sacks and straps 187
Releasing the Jack-in-the-Box 189
Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware 196
Syscalls 197
WDK procurement 200
Setting up IDA Pro for kernel debugging 201
Finding symbols in WINDBG/IDA PRO 208
Getting help 208
Windbg ‘G’ command in IDA Pro 209
Command types 209
Enumerating Running Processes 210
Enumerating Loaded Modules 212
Data Type Inspection and Display 214
Display headers 222
Pocket calculator 223
Base converter 223
Unassembly and disassembly 223
Debugger Interaction-Step-In, Step Over, Execute till Return 224
Registers 225
Call trace and walking the stack 225
Breakpoints 226
First chance and second chance debugging 227
A debugger implementation overview 228
Examine symbols 230
Objects 232
Summary 235
Chapter 5: Good versus Evil – Ogre Wars 237
Wiretapping Linux for network traffic analysis 238
Encoding/decoding – XOR Deobfuscation 241
Malicious Web Script Analysis 245
Taking apart JS/Dropper 247
Preliminary dumping and analysis 248
Static and dynamic analysis 256
Embedded exploits 262
Byte code decompilers 270
Document analysis 271
Redline – malware memory forensics 275
Volatility 283
Malware intelligence 286
Monitoring and visualization 286
Malware Control Monitor 292
Sandboxing and reporting 296
Summary 299
Index 301