Windows Malware Analysis Essentials
Table of Contents
Windows Malware Analysis Essentials
Credits
About the Author
Acknowledgments
About the Reviewer
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Instant updates on new Packt books
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Down the Rabbit Hole
Number systems
Base conversion
Binary to hexadecimal (and vice versa)
Decimal to binary (and vice versa)
Octal base conversion
Signed numbers and complements
A signed data type overflow conditions table
Boolean logic and bit masks
Bit masking
Breathing in the ephemeral realm
Sharpening the scalpel
Performing binary reconnaissance
Scanning malware on the web
Getting a great view with PEView
Know the ins and outs with PEInsider
Identifying with PEiD
Walking on frozen terrain with DeepFreeze
Meeting the rex of HexEditors
Digesting string theory with strings
Hashish, pot, and stashing with hashing tools
Getting resourceful with XNResource Editor
Too much leech with Dependency Walker
Getting dumped by Dumpbin
Exploring the universe of binaries on PE Explorer
Getting to know IDA Pro
Knowing your bearings in IDA Pro
Hooking up with IDA Pro
Entropy
Summary
2. Dancing with the Dead
Motivation
Registers
Special-purpose registers
The initiation ritual
Preparing the altar
The static library generator
Code constructs in x86 disassembly
The for loop
The while loop
The do-while loop
The if-then-else loop
A switch case
Structs
Linked lists
Summary
3. Performing a Séance Session
Fortifying your debrief
Debriefing – seeing the forest for the trees
Preparing for D-Day – lab setup
Whippin' out your arsenal
Fingerprinting
User mode sandboxing
Debugging and disassembly
Monitoring
MISC
Next steps and prerequisites
Summoning the demon!
Step 1 – fingerprinting
Step 2 – static and dynamic analysis
Obfuscation – a dynamic in-memory function pointers table
The PEB traversal code
Section object creation
Temp file check
Taskkill invocation for antivirus services
New thread creation
MBR reading
MBR infection
Payload
Verifying MBR integrity
Post infection
Network activity
Registry activity
Yara signatures
Exorcism and the aftermath – debrief finale!
Executive synopsis
Mitigation
Summary
4. Traversing Across Parallel Dimensions
Compression sacks and straps
Releasing the Jack-in-the-Box
Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware
Syscalls
WDK procurement
Setting up IDA Pro for kernel debugging
Finding symbols in WINDBG/IDA PRO
Getting help
Windbg 'G' command in IDA Pro
Command types
Enumerating running processes
Enumerating loaded modules
Data type inspection and display
Display headers
Pocket calculator
Base converter
Unassembly and disassembly
Debugger interaction – Step In, Step Over, Execute till Return
Registers
Call trace and walking the stack
Breakpoints
First chance and second chance debugging
A debugger implementation overview
Examine symbols
Objects
Summary
5. Good versus Evil – Ogre Wars
Wiretapping Linux for network traffic analysis
Encoding/decoding – XOR deobfuscation
Malicious web script analysis
Taking apart JS/Dropper
Preliminary dumping and analysis
Static and dynamic analysis
Embedded exploits
Byte code decompilers
Document analysis
Redline – malware memory forensics
Volatility
Malware intelligence
Monitoring and visualization
Malware Control Monitor
Sandboxing and reporting
Summary
Index