Malware analysis is big business, and attacks can cost a company
dearly. When malware breaches your defenses, you need to act
quickly to cure current infections and prevent future ones from

For those who want to stay ahead of the latest malware, Practical
Malware Analysis will teach you the tools and techniques used by
professional analysts. With this book as your guide, you'll be
able to safely analyze, debug, and disassemble any malicious
software that comes your way.
You'll learn how to:
- Set up a safe virtual environment to analyze malware
- Quickly extract network signatures and host-based
- Use key analysis tools like IDA Pro, OllyDbg, and WinDbg
- Overcome malware tricks like obfuscation, anti-disassembly,
anti-debugging, and anti-virtual machine techniques
- Use your newfound knowledge of Windows internals for malware
- Develop a methodology for unpacking malware and get practical
experience with five of the most popular packers
- Analyze special cases of malware with shellcode, C++, and 64-bit
Hands-on labs throughout the book challenge you to practice and
synthesize your skills as you dissect real malware samples, and
pages of detailed dissections offer an over-the-shoulder look at
how the pros do it. You'll learn how to crack open malware to
see how it really works, determine what damage it has done,
thoroughly clean your network, and ensure that the malware never

Malware analysis is a cat-and-mouse game with rules that are
constantly changing, so make sure you have the fundamentals.
Whether you're tasked with securing one network or a thousand
networks, or you're making a living as a malware analyst,
you'll find what you need to succeed in Practical Malware
Analysis.
Format/Illustrations: 2012. XXXII, 766 pages, with figures, tables, and listings.
Dimensions: 243mm x 179mm x 41mm
Michael Sikorski is a Principal Consultant at Mandiant. He provides specialized research and development security solutions to the company's federal client base, reverse engineers malicious software discovered by incident responders, and has helped create a series of courses in malware analysis (from Beginner to Advanced). He has taught these courses to a variety of audiences including the FBI, the National Security Agency (NSA), and BlackHat. A former member of MIT's Lincoln Laboratory and the NSA, he holds a Top Secret security clearance.

Andrew Honig is an Information Assurance Expert for the Department of Defense. He teaches courses on software analysis, reverse engineering, and Windows system programming. Andy is publicly credited with several zero-day exploits in VMware's virtualization products.
Contents:
- Praise for Practical Malware Analysis
- Warning
- About the Authors
- About the Technical Reviewer
- About the Contributing Authors
- Foreword
- Acknowledgments
  - Individual Thanks
- Introduction
  - What Is Malware Analysis?
  - Prerequisites
  - Practical, Hands-On Learning
  - What's in the Book?
- Chapter 0: Malware Analysis Primer
  - The Goals of Malware Analysis
  - Malware Analysis Techniques
  - Types of Malware
  - General Rules for Malware Analysis
- Basic Analysis
- Chapter 1: Basic Static Techniques
  - Antivirus Scanning: A Useful First Step
  - Hashing: A Fingerprint for Malware
  - Finding Strings
  - Packed and Obfuscated Malware
  - Portable Executable File Format
  - Linked Libraries and Functions
  - Static Analysis in Practice
  - The PE File Headers and Sections
  - Conclusion
  - Labs
- Chapter 2: Malware Analysis in Virtual Machines
  - The Structure of a Virtual Machine
  - Creating Your Malware Analysis Machine
  - Using Your Malware Analysis Machine
  - The Risks of Using VMware for Malware Analysis
  - Record/Replay: Running Your Computer in Reverse
  - Conclusion
- Chapter 3: Basic Dynamic Analysis
  - Sandboxes: The Quick-and-Dirty Approach
  - Running Malware
  - Monitoring with Process Monitor
  - Viewing Processes with Process Explorer
  - Comparing Registry Snapshots with Regshot
  - Faking a Network
  - Packet Sniffing with Wireshark
  - Using INetSim
  - Basic Dynamic Tools in Practice
  - Conclusion
  - Labs
- Advanced Static Analysis
- Chapter 4: A Crash Course in x86 Disassembly
  - Levels of Abstraction
  - Reverse-Engineering
  - The x86 Architecture
  - Conclusion
- Chapter 5: IDA Pro
  - Loading an Executable
  - The IDA Pro Interface
  - Using Cross-References
  - Analyzing Functions
  - Using Graphing Options
  - Enhancing Disassembly
  - Extending IDA with Plug-ins
  - Conclusion
  - Labs
- Chapter 6: Recognizing C Code Constructs in Assembly
  - Global vs. Local Variables
  - Disassembling Arithmetic Operations
  - Recognizing if Statements
  - Recognizing Loops
  - Understanding Function Call Conventions
  - Analyzing switch Statements
  - Disassembling Arrays
  - Identifying Structs
  - Analyzing Linked List Traversal
  - Conclusion
  - Labs
- Chapter 7: Analyzing Malicious Windows Programs
  - The Windows API
  - The Windows Registry
  - Networking APIs
  - Following Running Malware
  - Kernel vs. User Mode
  - The Native API
  - Conclusion
  - Labs
- Advanced Dynamic Analysis
- Chapter 8: Debugging
  - Source-Level vs. Assembly-Level Debuggers
  - Kernel vs. User-Mode Debugging
  - Using a Debugger
  - Exceptions
  - Modifying Execution with a Debugger
  - Modifying Program Execution in Practice
  - Conclusion
- Chapter 9: OllyDbg
  - Loading Malware
  - The OllyDbg Interface
  - Memory Map
  - Viewing Threads and Stacks
  - Executing Code
  - Breakpoints
  - Loading DLLs
  - Tracing
  - Exception Handling
  - Patching
  - Analyzing Shellcode
  - Assistance Features
  - Plug-ins
  - Scriptable Debugging
  - Conclusion
  - Labs
- Chapter 10: Kernel Debugging with WinDbg
  - Drivers and Kernel Code
  - Setting Up Kernel Debugging
  - Using WinDbg
  - Microsoft Symbols
  - Kernel Debugging in Practice
  - Rootkits
  - Loading Drivers
  - Kernel Issues for Windows Vista, Windows 7, and x64 Versions
  - Conclusion
  - Labs
- Malware Functionality
- Chapter 11: Malware Behavior
  - Downloaders and Launchers
  - Backdoors
  - Credential Stealers
  - Persistence Mechanisms
  - Privilege Escalation
  - Covering Its Tracks: User-Mode Rootkits
  - Conclusion
  - Labs
- Chapter 12: Covert Malware Launching
  - Launchers
  - Process Injection
  - Process Replacement
  - Hook Injection
  - Detours
  - APC Injection
  - Conclusion
  - Labs
- Chapter 13: Data Encoding
  - The Goal of Analyzing Encoding Algorithms
  - Simple Ciphers
  - Common Cryptographic Algorithms
  - Custom Encoding
  - Decoding
  - Conclusion
  - Labs
- Chapter 14: Malware-Focused Network Signatures
  - Network Countermeasures
  - Safely Investigate an Attacker Online
  - Content-Based Network Countermeasures
  - Combining Dynamic and Static Analysis Techniques
  - Understanding the Attacker's Perspective
  - Conclusion
  - Labs
- Anti-Reverse-Engineering
- Chapter 15: Anti-Disassembly
  - Understanding Anti-Disassembly
  - Defeating Disassembly Algorithms
  - Anti-Disassembly Techniques
  - Obscuring Flow Control
  - Thwarting Stack-Frame Analysis
  - Conclusion
  - Labs
- Chapter 16: Anti-Debugging
  - Windows Debugger Detection
  - Identifying Debugger Behavior
  - Interfering with Debugger Functionality
  - Debugger Vulnerabilities
  - Conclusion
  - Labs
- Chapter 17: Anti-Virtual Machine Techniques
  - VMware Artifacts
  - Vulnerable Instructions
  - Tweaking Settings
  - Escaping the Virtual Machine
  - Conclusion
  - Labs
- Chapter 18: Packers and Unpacking
  - Packer Anatomy
  - Identifying Packed Programs
  - Unpacking Options
  - Automated Unpacking
  - Manual Unpacking
  - Tips and Tricks for Common Packers
  - Analyzing Without Fully Unpacking
  - Packed DLLs
  - Conclusion
  - Labs
- Special Topics
- Chapter 19: Shellcode Analysis
  - Loading Shellcode for Analysis
  - Position-Independent Code
  - Identifying Execution Location
  - Manual Symbol Resolution
  - A Full Hello World Example
  - Shellcode Encodings
  - NOP Sleds
  - Finding Shellcode
  - Conclusion
  - Labs
- Chapter 20: C++ Analysis
  - Object-Oriented Programming
  - Virtual vs. Nonvirtual Functions
  - Creating and Destroying Objects
  - Conclusion
  - Labs
- Chapter 21: 64-Bit Malware
  - Why 64-Bit Malware?
  - Differences in x64 Architecture
  - Windows 32-Bit on Windows 64-Bit
  - 64-Bit Hints at Malware Functionality
  - Conclusion
  - Labs
- Important Windows Functions
- Tools for Malware Analysis
- Solutions to Labs (Labs 1-1 to 1-4, 3-1 to 3-4, 5-1, 6-1 to 6-4, 7-1 to 7-3, 9-1 to 9-3, 10-1 to 10-3, 11-1 to 11-3, 12-1 to 12-4, 13-1 to 13-3, 14-1 to 14-3, 15-1 to 15-3, 16-1 to 16-3, 17-1 to 17-3, 18-1 to 18-5, 19-1 to 19-3, 20-1 to 20-3, 21-1, and 21-2)