Mastering Malware Analysis: A malware analyst’s practical guide to combating malicious software, APT, cybercrime, and IoT attacks, 2nd Edition
- Length: 572 pages
- Edition: 2
- Language: English
- Publisher: Packt Publishing
- Publication Date: 2022-09-30
- ISBN-10: 1803240245
- ISBN-13: 9781803240244
- Sales Rank: #98422 (See Top 100 Books)
Learn effective malware analysis tactics to prevent your systems from getting infected
Key Features
- Investigate cyberattacks and prevent malware-related incidents from occurring in the future
- Learn core concepts of static and dynamic malware analysis, memory forensics, decryption, and much more
- Get practical guidance in developing efficient solutions to handle malware incidents
Book Description
New and developing technologies inevitably bring new types of malware with them, creating a huge demand for IT professionals that can keep malware at bay. With the help of this updated second edition of Mastering Malware Analysis, you’ll be able to add valuable reverse-engineering skills to your CV and learn how to protect organizations in the most efficient way.
This book will familiarize you with multiple universal patterns behind different malicious software types and teach you how to analyze them using a variety of approaches.
You’ll learn how to examine malware code and determine the damage it can possibly cause to systems, along with ensuring that the right prevention or remediation steps are followed. As you cover all aspects of malware analysis for Windows, Linux, macOS, and mobile platforms in detail, you’ll also get to grips with obfuscation, anti-debugging, and other advanced anti-reverse-engineering techniques. The skills you acquire in this cybersecurity book will help you deal with all types of modern malware, strengthen your defenses, and prevent or promptly mitigate breaches regardless of the platforms involved.
By the end of this book, you will have learned how to efficiently analyze samples, investigate suspicious activity, and build innovative solutions to handle malware incidents.
What you will learn
- Explore assembly languages to strengthen your reverse-engineering skills
- Master various file formats and relevant APIs used by attackers
- Discover attack vectors and start handling IT, OT, and IoT malware
- Understand how to analyze samples for x86 and various RISC architectures
- Perform static and dynamic analysis of files of various types
- Get to grips with handling sophisticated malware cases
- Understand real advanced attacks, covering all their stages
- Focus on how to bypass anti-reverse-engineering techniques
Who this book is for
If you are a malware researcher, forensic analyst, IT security administrator, or anyone looking to secure against malicious software or investigate malicious code, this book is for you. This new edition is suited to all levels of knowledge, including complete beginners. Any prior exposure to programming or cybersecurity will further help to speed up your learning process.
Mastering Malware Analysis Second Edition Contributors About the authors About the reviewer Preface Who this book is for What this book covers To get the most out of this book Download the example code files Download the color images Conventions used Get in touch Share Your Thoughts Part 1 Fundamental Theory Chapter 1: Cybercrime, APT Attacks, and Research Strategies Why malware analysis? Malware analysis in collecting threat intelligence Malware analysis in incident response Malware analysis in threat hunting Malware analysis in creating detections Exploring types of malware A short history of malware development Malware categories Naming conventions The MITRE ATT&CK framework explained Basic terminology Enterprise Matrix APT and zero-day attacks and fileless malware APT attack Zero-day attack Fileless malware Choosing your analysis strategy Understand your audience Answer your audience’s questions Define your goals Avoid unnecessary technical details Example structures Typical analysis workflow Setting up the environment Choosing the virtualization software Safety features Summary Chapter 2: A Crash Course in Assembly and Programming Basics Basics of informatics Numeral systems Basic data units and data types Bitwise operations Architectures and their assembly Registers Memory Instructions (CISC and RISC) Becoming familiar with x86 (IA-32 and x64) Registers The instruction structure The instruction set Arguments, local variables, and calling conventions (in x86 and x64) Exploring ARM assembly Basics Instruction sets Basics of MIPS Basics The instruction set Diving deep into PowerPC Basics The instruction set Covering the SuperH assembly Basics The instruction set Working with SPARC Basics The instruction set Moving from assembly to high-level programming languages Arithmetic statements If conditions While loop conditions Summary Part 2 Diving Deep into Windows Malware Chapter 3: Basic Static and Dynamic Analysis for x86/x64 Working with the PE header structure Why PE? Exploring PE’s structure PE+ (x64 PE) PE header analysis tools Static and dynamic linking Static linking Dynamic linking Dynamic link libraries Application programming interface (API) Using PE header information for static analysis How to use the PE header for incident handling How to use a PE header for threat hunting PE loading and process creation Basic terminology Process creation step by step PE file loading step by step WOW64 processes Basics of dynamic analysis using OllyDbg and x64dbg Debugging tools How to analyze a sample with OllyDbg Types of breakpoints Modifying the program’s execution List strings, APIs, and cross-references Setting labels and comments Differences between OllyDbg and x64dbg Debugging malicious services What is a service? Attaching to services Essentials of behavioral analysis File operations Registry operations Process operations WinAPIs Network activity Sandboxes Summary Chapter 4: Unpacking, Decryption, and Deobfuscation Exploring packers Exploring packing and encrypting tools Identifying a packed sample Technique 1 – using static signatures Technique 2 – evaluating PE section names Technique 3 – using stub execution signs Technique 4 – detecting a small import table Automatically unpacking packed samples Technique 1 – the official unpacking process Technique 2 – using OllyScript with OllyDbg Technique 3 – using generic unpackers Technique 4 – emulation Technique 5 – memory dumps Manual unpacking techniques Technique 1 – memory breakpoint on execution Technique 2 – call stack backtracing Technique 3 – monitoring memory allocated spaces for unpacked code Technique 4 – in-place unpacking Technique 5 – searching for and transferring control to OEP Technique 6 – stack restoration-based Dumping the unpacked sample and fixing the import table Dumping the process Fixing the import table Identifying simple encryption algorithms and functions Types of encryption algorithms Basic encryption algorithms Identifying encryption functions in disassembly String search detection techniques for simple algorithms Identifying the RC4 encryption algorithm Advanced symmetric and asymmetric encryption algorithms Extracting information from Windows cryptography APIs Cryptography API: Next Generation (CNG) Applications of encryption in modern malware – Vawtrak banking Trojan String and API name encryption Network communication encryption Using IDA for decryption and unpacking IDA tips and tricks Classic and new syntax of IDA scripts Dynamic string decryption Dynamic WinAPIs resolution Summary Chapter 5: Inspecting Process Injection and API Hooking Understanding process injection What’s process injection? Why process injection? DLL injection Windows-supported DLL injection A simple DLL injection technique Diving deeper into process injection Finding the victim process Code block injection Reflective DLL injection Stuxnet secret technique – process hollowing A dynamic analysis of code injection Technique 1 – Debug it where it is Technique 2 – Attach to the targeted process Technique 3 – Dealing with process hollowing Memory forensics techniques for process injection Technique 1 – Detecting code injection and reflective DLL injection Technique 2 – Detecting process hollowing Technique 3 – Detecting process hollowing using the HollowFind plugin Understanding API hooking Why API hooking? Working with API hooking Detecting API hooking using memory forensics Exploring IAT hooking Summary Chapter 6: Bypassing Anti-Reverse Engineering Techniques Exploring debugger detection Using PEB information Using EPROCESS information Using DebugObject Using handles Using exceptions Using parent processes Handling the evasion of debugger breakpoints Detecting software breakpoints (INT3) Detecting single-stepping breakpoints using a trap flag Detecting single-stepping using timing techniques Evading hardware breakpoints Memory breakpoints Escaping the debugger Process injection TLS callbacks Windows events callbacks Attacking the debugger Understanding obfuscation and anti-disassemblers Encryption Junk code Code transportation Dynamic API calling with checksum Proxy functions and proxy argument stacking Using the COM functionality Detecting and evading behavioral analysis tools Finding the tool process Searching for the tool window Detecting sandboxes and VMs Different output between VMs and real machines Detecting virtualization processes and services Detecting virtualization through registry keys Detecting VMs using WMI Other VM detection techniques Detecting sandboxes using default settings Summary Chapter 7: Understanding Kernel-Mode Rootkits Kernel mode versus user mode Protection rings Windows internals The anatomy of Windows The execution path from user mode to kernel mode Rootkits and device drivers What is a rootkit? Types of rootkits What is a device driver? Hooking mechanisms Hooking the SYSENTER entry function Modifying SSDT in an x86 environment Modifying SSDT in an x64 environment Patching SSDT functions IRP hooking DKOM The kernel objects – EPROCESS and ETHREAD How do rootkits perform an object manipulation attack? Process injection in kernel mode Executing the inject code using APC queuing KPP in x64 systems (PatchGuard) Bypassing driver signature enforcement Bypassing PatchGuard – the Turla example Bypassing PatchGuard – GhostHook Static and dynamic analysis in kernel mode Static analysis Dynamic and behavioral analysis Setting up a testing environment Setting up the debugger Stopping at the driver's entry point Loading the driver Restoring the debugging state Summary Part 3 Examining Cross-Platform and Bytecode-Based Malware Chapter 8: Handling Exploits and Shellcode Getting familiar with vulnerabilities and exploits Types of vulnerabilities Types of exploits Cracking the shellcode What’s shellcode? Linux shellcode in x86-64 Linux shellcode for ARM Windows shellcode Static and dynamic analysis of exploits Exploring bypasses for exploit mitigation technologies Data execution prevention (DEP/NX) Return-oriented programming Address space layout randomization Other mitigation technologies Analyzing Microsoft Office exploits File structures Static and dynamic analysis of MS Office exploits Studying malicious PDFs File structure Static and dynamic analysis of PDF files Summary Chapter 9: Reversing Bytecode Languages – .NET, Java, and More The basic theory of bytecode languages Object-oriented programming Inheritance Polymorphism .NET explained .NET file structure How to identify a .NET application from PE characteristics The CIL language instruction set CIL language into higher-level languages .NET malware analysis .NET analysis tools Static and dynamic analysis Dealing with obfuscation The essentials of Visual Basic File structure P-code versus native code Common p-code instructions Dissecting Visual Basic samples Static analysis Dynamic analysis The internals of Java samples File structure JVM instructions Static analysis Dynamic analysis Dealing with anti-reverse engineering solutions Analyzing compiled Python threats File structure Bytecode instructions Static analysis Dynamic analysis Summary Chapter 10: Scripts and Macros – Reversing, Deobfuscation, and Debugging Classic shell script languages Windows batch scripting Bash VBScript explained Basic syntax Static and dynamic analysis Deobfuscation VBA and Excel 4.0 (XLM) macros and more VBA macros Excel 4.0 (XLM) macros Besides macros The power of PowerShell Basic syntax Obfuscation Static and dynamic analysis Handling JavaScript Basic syntax Anti-reverse engineering tricks Static and dynamic analysis Behind C&C – even malware has its own backend Things to focus on Static and dynamic analysis Other script languages Where to start Questions to answer Summary Part 4 Looking into IoT and Other Platforms Chapter 11: Dissecting Linux and IoT Malware Explaining ELF files The ELF structure System calls Exploring common behavioral patterns Initial access and lateral movement Persistence Privilege escalation Command and control Impact Defense evasion Static and dynamic analysis of x86 (32- and 64-bit) samples Static analysis Dynamic analysis A radare2 cheat sheet Learning about Mirai, its clones, and more High-level functionality Later derivatives Other widespread families Static and dynamic analysis of RISC samples ARM MIPS PowerPC SuperH SPARC Handling other architectures What to start from Summary Chapter 12: Introduction to macOS and iOS Threats Understanding the role of the security model macOS Other technologies iOS File formats and APIs Mach-O Application bundles (.app) Installer packages (.pkg) Apple disk images (.dmg) iOS app store packages (.ipa) APIs Attack stages Jailbreaks on demand Initial access Execution and persistence Impact Other attack techniques Advanced techniques Anti-analysis and detection tricks Misusing dynamic data exchange (DDE) User hiding Using AppleScript API hijacking Other techniques Rootkits for Mac – do they exist? Static and dynamic analysis of macOS and iOS samples Static analysis Dynamic and behavioral analysis The analysis workflow Summary Chapter 13: Analyzing Android Malware Samples (Ab)using the Android internals The file hierarchy The Android security model To root or not to root? Understanding Dalvik and ART Dalvik VM (DVM) Android runtime (ART) The bytecode set File formats and APIs DEX ODEX OAT VDEX ART ELF APK APIs Malware behavior patterns Initial access Privilege escalation Persistence Impact Collection Defence evasion Static and dynamic analysis of threats Static analysis Dynamic analysis Behavioral analysis and tracing The analysis workflow Summary Index Why subscribe? Other Books You May Enjoy Packt is searching for authors like you
Donate to keep this site alive
How to download source code?
1. Go to: https://github.com/PacktPublishing
2. In the Find a repository… box, search the book title: Mastering Malware Analysis: A malware analyst’s practical guide to combating malicious software, APT, cybercrime, and IoT attacks, 2nd Edition
, sometime you may not get the results, please search the main title.
3. Click the book title in the search results.
3. Click Code to download.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.