Learning Malware Analysis电子书

Title Page

Copyright and Credits

Learning Malware Analysis

Dedication

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the author

About the reviewers

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Reviews

Introduction to Malware Analysis

1. What Is Malware?

2. What Is Malware Analysis?

3. Why Malware Analysis?

4. Types Of Malware Analysis

5. Setting Up The Lab Environment

5.1 Lab Requirements

5.2 Overview Of Lab Architecture

5.3 Setting Up And Configuring Linux VM

5.4 Setting Up And Configuring Windows VM

6. Malware Sources

Summary

Static Analysis

1. Determining the File Type

1.1 Identifying File Type Using Manual Method

1.2 Identifying File Type Using Tools

1.3 Determining File Type Using Python

2. Fingerprinting the Malware

2.1 Generating Cryptographic Hash Using Tools

2.2 Determining Cryptographic Hash in Python

3. Multiple Anti-Virus Scanning

3.1 Scanning the Suspect Binary with VirusTotal

3.2 Querying Hash Values Using VirusTotal Public API

4. Extracting Strings

4.1 String Extraction Using Tools

4.2 Decoding Obfuscated Strings Using FLOSS

5. Determining File Obfuscation

5.1 Packers and Cryptors

5.2 Detecting File Obfuscation Using Exeinfo PE

6. Inspecting PE Header Information

6.1 Inspecting File Dependencies and Imports

6.2 Inspecting Exports

6.3 Examining PE Section Table And Sections

6.4 Examining the Compilation Timestamp

6.5 Examining PE Resources

7. Comparing And Classifying The Malware

7.1 Classifying Malware Using Fuzzy Hashing

7.2 Classifying Malware Using Import Hash

7.3 Classifying Malware Using Section Hash

7.4 Classifying Malware Using YARA

7.4.1 Installing YARA

7.4.2 YARA Rule Basics

7.4.3 Running YARA

7.4.4 Applications of YARA

Summary

Dynamic Analysis

1. Lab Environment Overview

2. System And Network Monitoring

3. Dynamic Analysis (Monitoring) Tools

3.1 Process Inspection with Process Hacker

3.2 Determining System Interaction with Process Monitor

3.3 Logging System Activities Using Noriben

3.4 Capturing Network Traffic With Wireshark

3.5 Simulating Services with INetSim

4. Dynamic Analysis Steps

5. Putting it All Together: Analyzing a Malware Executable

5.1 Static Analysis of the Sample

5.2 Dynamic Analysis of the Sample

6. Dynamic-Link Library (DLL) Analysis

6.1 Why Attackers Use DLLs

6.2 Analyzing the DLL Using rundll32.exe

6.2.1 Working of rundll32.exe

6.2.2 Launching the DLL Using rundll32.exe

Example 1 – Analyzing a DLL With No Exports

Example 2 – Analyzing a DLL Containing Exports

Example 3 – Analyzing a DLL Accepting Export Arguments

6.3 Analyzing a DLL with Process Checks

Summary

Assembly Language and Disassembly Primer

1. Computer Basics

1.1 Memory

1.1.1 How Data Resides In Memory

1.2 CPU

1.2.1 Machine Language

1.3 Program Basics

1.3.1 Program Compilation

1.3.2 Program On Disk

1.3.3 Program In Memory

1.3.4 Program Disassembly (From Machine code To Assembly code)

2. CPU Registers

2.1 General-Purpose Registers

2.2 Instruction Pointer (EIP)

2.3 EFLAGS Register

3. Data Transfer Instructions

3.1 Moving a Constant Into Register

3.2 Moving Values From Register To Register

3.3 Moving Values From Memory To Registers

3.4 Moving Values From Registers To Memory

3.5 Disassembly Challenge

3.6 Disassembly Solution

4. Arithmetic Operations

4.1 Disassembly Challenge

4.2 Disassembly Solution

5. Bitwise Operations

6. Branching And Conditionals

6.1 Unconditional Jumps

6.2 Conditional Jumps

6.3 If Statement

6.4 If-Else Statement

6.5 If-Elseif-Else Statement

6.6 Disassembly Challenge

6.7 Disassembly Solution

7. Loops

7.1 Disassembly Challenge

7.2 Disassembly Solution

8. Functions

8.1 Stack

8.2 Calling Function

8.3 Returning From Function

8.4 Function Parameters And Return Values

9. Arrays And Strings

9.1 Disassembly Challenge

9.2 Disassembly Solution

9.3 Strings

9.3.1 String Instructions

9.3.2 Moving From Memory To Memory (movsx)

9.3.3 Repeat Instructions (rep)

9.3.4 Storing Value From Register to Memory (stosx)

9.3.5 Loading From Memory to Register (lodsx)

9.3.6 Scanning Memory (scasx)

9.3.7 Comparing Values in Memory (cmpsx)

10. Structures

11. x64 Architecture

11.1 Analyzing 32-bit Executable On 64-bit Windows

12. Additional Resources

Summary

Disassembly Using IDA

1. Code Analysis Tools

2. Static Code Analysis (Disassembly) Using IDA

2.1 Loading Binary in IDA

2.2 Exploring IDA Displays

2.2.1 Disassembly Window

2.2.2 Functions Window

2.2.3 Output Window

2.2.4 Hex View Window

2.2.5 Structures Window

2.2.6 Imports Window

2.2.7 Exports Window

2.2.8 Strings Window

2.2.9 Segments Window

2.3 Improving Disassembly Using IDA

2.3.1 Renaming Locations

2.3.2 Commenting in IDA

2.3.3 IDA Database

2.3.4 Formatting Operands

2.3.5 Navigating Locations

2.3.6 Cross-References

2.3.7 Listing All Cross-References

2.3.8 Proximity View And Graphs

3. Disassembling Windows API

3.1 Understanding Windows API

3.1.1 ANSI and Unicode API Functions

3.1.2 Extended API Functions

3.2 Windows API 32-Bit and 64-Bit Comparison

4. Patching Binary Using IDA

4.1 Patching Program Bytes

4.2 Patching Instructions

5. IDA Scripting and Plugins

5.1 Executing IDA Scripts

5.2 IDAPython

5.2.1 Checking The Presence Of CreateFile API

5.2.2 Code Cross-References to CreateFile Using IDAPython

5.3 IDA Plugins

Summary

Debugging Malicious Binaries

1. General Debugging Concepts

1.1 Launching And Attaching To Process

1.2 Controlling Process Execution

1.3 Interrupting a Program with Breakpoints

1.4 Tracing Program Execution

2. Debugging a Binary Using x64dbg

2.1 Launching a New Process in x64dbg

2.2 Attaching to an Existing Process Using x64dbg

2.3 x64dbg Debugger Interface

2.4 Controlling Process Execution Using x64dbg

2.5 Setting a Breakpoint in x64dbg

2.6 Debugging 32-bit Malware

2.7 Debugging 64-bit Malware

2.8 Debugging a Malicious DLL Using x64dbg

2.8.1 Using rundll32.exe to Debug the DLL in x64dbg

2.8.2 Debugging a DLL in a Specific Process

2.9 Tracing Execution in x64dbg

2.9.1 Instruction Tracing

2.9.2 Function Tracing

2.10 Patching in x64dbg

3. Debugging a Binary Using IDA

3.1 Launching a New Process in IDA

3.2 Attaching to an Existing Process Using IDA

3.3 IDA's Debugger Interface

3.4 Controlling Process Execution Using IDA

3.5 Setting a Breakpoint in IDA

3.6 Debugging Malware Executables

3.7 Debugging a Malicious DLL Using IDA

3.7.1 Debugging a DLL in a Specific Process

3.8 Tracing Execution Using IDA

3.9 Debugger Scripting Using IDAPython

3.9.1 Example – Determining Files Accessed by Malware

4. Debugging a .NET Application

Summary

Malware Functionalities and Persistence

1. Malware Functionalities

1.1 Downloader

1.2 Dropper

1.2.1 Reversing a 64-bit Dropper

1.3 Keylogger

1.3.1 Keylogger Using GetAsyncKeyState()

1.3.2 Keylogger Using SetWindowsHookEx()

1.4 Malware Replication Via Removable Media

1.5 Malware Command and Control (C2)

1.5.1 HTTP Command and Control

1.5.2 Custom Command and Control

1.6 PowerShell-Based Execution

1.6.1 PowerShell Command Basics

1.6.2 PowerShell Scripts And Execution Policy

1.6.2 Analyzing PowerShell Commands/Scripts

1.6.3 How Attackers Use PowerShell

2. Malware Persistence Methods

2.1 Run Registry Key

2.2 Scheduled Tasks

2.3 Startup Folder

2.4 Winlogon Registry Entries

2.5 Image File Execution Options

2.6 Accessibility Programs

2.7 AppInit_DLLs

2.8 DLL Search Order Hijacking

2.9 COM hijacking

2.10 Service

Summary

Code Injection and Hooking

1. Virtual Memory

1.1 Process Memory Components (User Space)

1.2 Kernel Memory Contents (Kernel Space)

2. User Mode And Kernel Mode

2.1 Windows API Call Flow

3. Code Injection Techniques

3.1 Remote DLL Injection

3.2 DLL Injection Using APC (APC Injection)

3.3 DLL Injection Using SetWindowsHookEx()

3.4 DLL Injection Using The Application Compatibility Shim

3.4.1 Creating A Shim

3.4.2 Shim Artifacts

3.4.3 How Attackers Use Shims

3.4.4 Analyzing The Shim Database

3.5 Remote Executable/Shellcode Injection

3.6 Hollow Process Injection (Process Hollowing)

4. Hooking Techniques

4.1 IAT Hooking

4.2 Inline Hooking (Inline Patching)

4.3 In-memory Patching Using Shim

5. Additional Resources

Summary

Malware Obfuscation Techniques

1. Simple Encoding

1.1 Caesar Cipher

1.1.1 Working Of Caesar Cipher

1.1.2 Decrypting Caesar Cipher In Python

1.2 Base64 Encoding

1.2.1 Translating Data To Base64

1.2.2 Encoding And Decoding Base64

1.2.3 Decoding Custom Base64

1.2.4 Identifying Base64

1.3 XOR Encoding

1.3.1 Single Byte XOR

1.3.2 Finding XOR Key Through Brute-Force

1.3.3 NULL Ignoring XOR Encoding

1.3.4 Multi-byte XOR Encoding

1.3.5 Identifying XOR Encoding

2. Malware Encryption

2.1 Identifying Crypto Signatures Using Signsrch

2.2 Detecting Crypto Constants Using FindCrypt2

2.3 Detecting Crypto Signatures Using YARA

2.4 Decrypting In Python

3. Custom Encoding/Encryption

4. Malware Unpacking

4.1 Manual Unpacking

4.1.1 Identifying The OEP

4.1.2 Dumping Process Memory With Scylla

4.1.3 Fixing The Import Table

4.2 Automated Unpacking

Summary

Hunting Malware Using Memory Forensics

1. Memory Forensics Steps

2. Memory Acquisition

2.1 Memory Acquisition Using DumpIt

3. Volatility Overview

3.1 Installing Volatility

3.1.1 Volatility Standalone Executable

3.1.2 Volatility Source Package

3.2 Using Volatility

4. Enumerating Processes

4.1 Process Overview

4.1.1 Examining the _EPROCESS Structure

4.1.2 Understanding ActiveProcessLinks

4.2 Listing Processes Using psscan

4.2.1 Direct Kernel Object Manipulation (DKOM)

4.2.2 Understanding Pool Tag Scanning

4.3 Determining Process Relationships

4.4 Process Listing Using psxview

5. Listing Process Handles

6. Listing DLLs

6.1 Detecting a Hidden DLL Using ldrmodules

7. Dumping an Executable and DLL

8. Listing Network Connections and Sockets

9. Inspecting Registry

10. Investigating Service

11. Extracting Command History

Summary

Detecting Advanced Malware Using Memory Forensics

1. Detecting Code Injection

1.1 Getting VAD Information

1.2 Detecting Injected Code Using VAD

1.3 Dumping The Process Memory Region

1.4 Detecting Injected Code Using malfind

2. Investigating Hollow Process Injection

2.1 Hollow Process Injection Steps

2.2 Detecting Hollow Process Injection

2.3 Hollow Process Injection Variations

3. Detecting API Hooks

4. Kernel Mode Rootkits

5. Listing Kernel Modules

5.1 Listing Kernel Modules Using driverscan

6. I/O Processing

6.1 The Role Of The Device Driver

6.2 The Role Of The I/O Manager

6.3 Communicating With The Device Driver

6.4 I/O Requests To Layered Drivers

7. Displaying Device Trees

8. Detecting Kernel Space Hooking

8.1 Detecting SSDT Hooking

8.2 Detecting IDT Hooking

8.3 Identifying Inline Kernel Hooks

8.4 Detecting IRP Function Hooks

9. Kernel Callbacks And Timers

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think