Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you'll be able to safely analyze, debug, and disassemble any malicious software that comes your way.

Author:
Category: Computer literature
Pages: 274

1. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
3. Warning
4. About the Authors
5. About the Technical Reviewer
6. About the Contributing Authors
7. Foreword
8. Acknowledgments
9. Individual Thanks
10. Introduction
11. What Is Malware Analysis?
12. Prerequisites
13. Practical, Hands-On Learning
14. What’s in the Book?
15. 0. Malware Analysis Primer
16. The Goals of Malware Analysis
17. Malware Analysis Techniques
18. Types of Malware
19. General Rules for Malware Analysis
20. I. Basic Analysis
21. 1. Basic Static Techniques
22. Antivirus Scanning: A Useful First Step
23. Hashing: A Fingerprint for Malware
24. Finding Strings
25. Packed and Obfuscated Malware
26. Portable Executable File Format
27. Linked Libraries and Functions
28. Static Analysis in Practice
29. The PE File Headers and Sections
30. Conclusion
31. Labs
32. 2. Malware Analysis in Virtual Machines
33. The Structure of a Virtual Machine
34. Creating Your Malware Analysis Machine
35. Using Your Malware Analysis Machine
36. The Risks of Using VMware for Malware Analysis
37. Record/Replay: Running Your Computer in Reverse
38. Conclusion
39. 3. Basic Dynamic Analysis
40. Sandboxes: The Quick-and-Dirty Approach
41. Running Malware
42. Monitoring with Process Monitor
43. Viewing Processes with Process Explorer
44. Comparing Registry Snapshots with Regshot
45. Faking a Network
46. Packet Sniffing with Wireshark
47. Using INetSim
48. Basic Dynamic Tools in Practice
49. Conclusion
50. Labs
51. II. Advanced Static Analysis
52. 4. A Crash Course in x86 Disassembly
53. Levels of Abstraction
54. Reverse-Engineering
55. The x86 Architecture
56. Conclusion
57. 5. IDA Pro
58. Loading an Executable
59. The IDA Pro Interface
60. Using Cross-References
61. Analyzing Functions
62. Using Graphing Options
63. Enhancing Disassembly
64. Extending IDA with Plug-ins
65. Conclusion
67. 6. Recognizing C Code Constructs in Assembly
68. Global vs. Local Variables
69. Disassembling Arithmetic Operations
70. Recognizing if Statements
71. Recognizing Loops
72. Understanding Function Call Conventions
73. Analyzing switch Statements
74. Disassembling Arrays
75. Identifying Structs
76. Analyzing Linked List Traversal
77. Conclusion
78. Labs
79. 7. Analyzing Malicious Windows Programs
81. The Windows Registry
82. Networking APIs
83. Following Running Malware
84. Kernel vs. User Mode
85. The Native API
86. Conclusion
87. Labs
88. III. Advanced Dynamic Analysis
89. 8. Debugging
90. Source-Level vs. Assembly-Level Debuggers
91. Kernel vs. User-Mode Debugging
92. Using a Debugger
93. Exceptions
94. Modifying Execution with a Debugger
95. Modifying Program Execution in Practice
96. Conclusion
97. 9. OllyDbg
98. Loading Malware
99. The OllyDbg Interface
100. Memory Map
101. Viewing Threads and Stacks
102. Executing Code
103. Breakpoints
104. Loading DLLs
105. Tracing
106. Exception Handling
107. Patching
108. Analyzing Shellcode
109. Assistance Features
110. Plug-ins
111. Scriptable Debugging
112. Conclusion
114. 10. Kernel Debugging with WinDbg
115. Drivers and Kernel Code
116. Setting Up Kernel Debugging
117. Using WinDbg
118. Microsoft Symbols
119. Kernel Debugging in Practice
120. Rootkits
121. Loading Drivers
122. Kernel Issues for Windows Vista, Windows 7, and x64 Versions
123. Conclusion
124. Labs
125. IV. Malware Functionality
126. 11. Malware Behavior
127. Downloaders and Launchers
128. Backdoors
129. Credential Stealers
130. Persistence Mechanisms
131. Privilege Escalation
132. Covering Its Tracks—User-Mode Rootkits
133. Conclusion
135. 12. Covert Malware Launching
136. Launchers
137. Process Injection
138. Process Replacement
139. Hook Injection
140. Detours
141. APC Injection
142. Conclusion
143. Labs
144. 13. Data Encoding
145. The Goal of Analyzing Encoding Algorithms
146. Simple Ciphers
147. Common Cryptographic Algorithms
148. Custom Encoding
149. Decoding
150. Conclusion
152. 14. Malware-Focused Network Signatures
153. Network Countermeasures
154. Safely Investigate an Attacker Online
156. Combining Dynamic and Static Analysis Techniques
157. Understanding the Attacker’s Perspective
158. Conclusion
159. Labs
160. V. Anti-Reverse-Engineering
161. 15. Anti-Disassembly
162. Understanding Anti-Disassembly
163. Defeating Disassembly Algorithms
164. Anti-Disassembly Techniques
165. Obscuring Flow Control
166. Thwarting Stack-Frame Analysis
167. Conclusion
168. Labs
169. 16. Anti-Debugging
170. Windows Debugger Detection
171. Identifying Debugger Behavior
172. Interfering with Debugger Functionality
173. Debugger Vulnerabilities
174. Conclusion
175. Labs
176. 17. Anti-Virtual Machine Techniques
177. VMware Artifacts
178. Vulnerable Instructions
179. Tweaking Settings
180. Escaping the Virtual Machine
181. Conclusion
182. Labs
183. 18. Packers and Unpacking
184. Packer Anatomy
185. Identifying Packed Programs
186. Unpacking Options
187. Automated Unpacking
188. Manual Unpacking
189. Tips and Tricks for Common Packers
190. Analyzing Without Fully Unpacking
191. Packed DLLs
192. Conclusion
193. Labs
194. VI. Special Topics
195. 19. Shellcode Analysis
196. Loading Shellcode for Analysis
197. Position-Independent Code
198. Identifying Execution Location
199. Manual Symbol Resolution
200. A Full Hello World Example
201. Shellcode Encodings
202. NOP Sleds
203. Finding Shellcode
204. Conclusion
205. Labs
206. 20. C++ Analysis
207. Object-Oriented Programming
208. Virtual vs. Nonvirtual Functions
209. Creating and Destroying Objects
210. Conclusion
211. Labs
212. 21. 64-Bit Malware
213. Why 64-Bit Malware?
214. Differences in x64 Architecture
215. Windows 32-Bit on Windows 64-Bit
216. 64-Bit Hints at Malware Functionality
217. Conclusion
218. Labs
219. A. Important Windows Functions
220. B. Tools for Malware Analysis
221. C. Solutions to Labs
222. Lab 1-1 Solutions
223. Lab 1-2 Solutions
224. Lab 1-3 Solutions
225. Lab 1-4 Solutions
226. Lab 3-1 Solutions
227. Lab 3-2 Solutions
228. Lab 3-3 Solutions
229. Lab 3-4 Solutions
230. Lab 5-1 Solutions
231. Lab 6-1 Solutions
232. Lab 6-2 Solutions
233. Lab 6-3 Solutions
234. Lab 6-4 Solutions
235. Lab 7-1 Solutions
236. Lab 7-2 Solutions
238. Lab 9-1 Solutions
239. Lab 9-2 Solutions
240. Lab 9-3 Solutions
241. Lab 10-1 Solutions
242. Lab 10-2 Solutions
243. Lab 10-3 Solutions
244. Lab 11-1 Solutions
245. Lab 11-2 Solutions
246. Lab 11-3 Solutions
247. Lab 12-1 Solutions
248. Lab 12-2 Solutions
249. Lab 12-3 Solutions
250. Lab 12-4 Solutions
251. Lab 13-1 Solutions
252. Lab 13-2 Solutions
253. Lab 13-3 Solutions
254. Lab 14-1 Solutions
255. Lab 14-2 Solutions
256. Lab 14-3 Solutions
257. Lab 15-1 Solutions
258. Lab 15-2 Solutions
259. Lab 15-3 Solutions
260. Lab 16-1 Solutions
261. Lab 16-2 Solutions
262. Lab 16-3 Solutions
263. Lab 17-1 Solutions
264. Lab 17-2 Solutions
265. Lab 17-3 Solutions
266. Lab 18-1 Solutions
267. Lab 18-2 Solutions
268. Lab 18-3 Solutions
269. Lab 18-4 Solutions
270. Lab 18-5 Solutions
271. Lab 19-1 Solutions
272. Lab 19-2 Solutions
273. Lab 19-3 Solutions
274. Lab 20-1 Solutions
275. Lab 20-2 Solutions
276. Lab 20-3 Solutions
277. Lab 21-1 Solutions
278. Lab 21-2 Solutions
279. Index
280. Updates
281. About the Authors
282. Copyright