Index

A

• analysis
  • prerequisites / Fortifying your debrief
• analysis passes
  • about / Sharpening the scalpel
• AND gate
  • about / Boolean logic and bit masks
• API Monitor
  • URL / Monitoring
• assembler
  • about / Motivation
• assembly code
  • about / Motivation
• assembly language
  • about / The initiation ritual
• Authenticode Digital Signature Viewer
  • about / Exploring the universe of binaries on PE Explorer

B

• base conversion
  • about / Base conversion
  • binary, to hexadecimal / Binary to hexadecimal (and vice versa)
  • hexadecimal, to binary / Binary to hexadecimal (and vice versa)
  • decimal, to binary / Decimal to binary (and vice versa)
  • binary, to decimal / Decimal to binary (and vice versa)
  • octal base conversion / Octal base conversion
• binary
  • converting, to hexadecimal / Binary to hexadecimal (and vice versa)
  • converting, to decimal / Decimal to binary (and vice versa)
• binary reconnaissance, performing
  • about / Performing binary reconnaissance
  • malware, scanning on web / Scanning malware on the web
  • view, obtaining with PEView / Getting a great view with PEView
  • PEInsider, using / Know the ins and outs with PEInsider
  • PEiD, using / Identifying with PEiD
  • DeepFreeze, using / Walking on frozen terrain with DeepFreeze
  • HexEditors, using / Meeting the rex of HexEditors
  • string theory, digesting with strings / Digesting string theory with strings
  • hashing utilities, using / Hashish, pot, and stashing with hashing tools
  • XNResource, using / Getting resourceful with XNResource Editor
  • Dependency Walker, using / Too much leech with Dependency Walker
  • Dumpbin / Getting dumped by Dumpbin
• Binder
  • about / Fortifying your debrief
• Bintext
  • about / Digesting string theory with strings
• bit masking
  • about / Bit masking
• Bochs
  • about / Next steps and prerequisites
• Bochs 2.4.6
  • URL / Debugging and disassembly
• Boolean logic
  • about / Boolean logic and bit masks
• branch lists
  • about / Sharpening the scalpel
• BSA Buster Sandbox
  • URL / User mode sandboxing
• BSA Buster Sandbox Analyzer
  • about / Step 2 – static and dynamic analysis
• byte code decompilers
  • about / Byte code decompilers

C

• Canari
  • URL / Malware intelligence
  • about / Malware Control Monitor
• carry flag
  • about / Special-purpose registers
• CleanMX
  • URL / Sandboxing and reporting
• code constructs, x86 disassembly
  • about / Code constructs in x86 disassembly
  • for loop / The for loop
  • while loop / The while loop
  • do-while loop / The do-while loop
  • if-then-else loop / The if-then-else loop
  • switch case / A switch case
  • structs / Structs
  • linked lists / Linked lists
• COFF Specification
  • reference link / Scanning malware on the web
• collector types
  • about / Redline – malware memory forensics
• combinations
  • about / Number systems
• Combinatorics
  • about / Number systems
• command types, Windbg
  • about / Command types
  • regular / Command types
  • meta / Command types
  • extension / Command types
• complements
  • about / Signed numbers and complements
• Complex Instruction Set Computer (CISC)
  • about / Motivation
• Comprehensive Redline Collectors
  • about / Redline – malware memory forensics
• console-based C program
  • writing, in Visual Studio C++ 2008 Express Edition / The initiation ritual
• CreateThread API
  • about / New thread creation
• Cuckoo
  • about / Step 2 – static and dynamic analysis
• Cuckoo Sandbox
  • URL / User mode sandboxing, Malware intelligence, Sandboxing and reporting
  • feature set / Sandboxing and reporting
  • formats / Sandboxing and reporting

D

• Dark Seoul
  • references / Debriefing – seeing the forest for the trees
• Data Type Inspection and Display
  • about / Data Type Inspection and Display
  • headers, displaying / Display headers
  • pocket calculator / Pocket calculator
  • base converter / Base converter
  • unassembly / Unassembly and disassembly
  • disassembly / Unassembly and disassembly
  • Debugger Interaction-Step-In / Debugger Interaction-Step-In, Step Over, Execute till Return
  • Step Over / Debugger Interaction-Step-In, Step Over, Execute till Return
  • Execute Till Return / Debugger Interaction-Step-In, Step Over, Execute till Return
  • registers / Registers
  • call trace / Call trace and walking the stack
  • stack, walking / Call trace and walking the stack
  • breakpoints / Breakpoints
  • first chance debugging / First chance and second chance debugging
  • second chance debugging / First chance and second chance debugging
  • debugger implementation overview / A debugger implementation overview
  • symbols, examining / Examine symbols
• Debugging Tools for Windows(x86)
  • URL / Debugging and disassembly
• decimal
  • converting, to binary / Decimal to binary (and vice versa)
• decoding
  • about / Encoding/decoding – XOR Deobfuscation
• DeepFreeze
  • about / Walking on frozen terrain with DeepFreeze
• Deep Freeze
  • URL / Preparing for D-Day – lab setup
• default box
  • about / Step 2 – static and dynamic analysis
• Dependency Walker
  • about / Too much leech with Dependency Walker
• direction flag
  • about / Special-purpose registers
• disassembler
  • about / Sharpening the scalpel
• disassemblers
  • text, disassembling in / The initiation ritual
• disassembly, of native code
  • about / Motivation
• DLoad
  • URL / Data Type Inspection and Display
• do-while loop
  • about / The do-while loop
• document analysis
  • about / Document analysis
• document analysis, tools
  • OfficeCat / Document analysis
  • OfficeMalScanner / Document analysis
  • OffVis / Document analysis
  • PDF Examiner / Document analysis
  • Wepawet / Document analysis
  • PDF StreamDumper / Document analysis
  • SWF Decompiler / Document analysis
• dry run
  • about / Breathing in the ephemeral realm
• Dumpbin
  • about / Getting dumped by Dumpbin
• dynamic analysis
  • about / Breathing in the ephemeral realm
• dynamic in-memory function pointers table
  • about / Obfuscation – a dynamic in-memory function pointers table
• dynamic versioning / Static and dynamic analysis:

E

• 010 Editor
  • URL / MISC
• encoding
  • about / Encoding/decoding – XOR Deobfuscation
• Entropy
  • overview / Entropy
• ephemeral realm
  • about / Breathing in the ephemeral realm
• executive summaries
  • adding / Exorcism and the aftermath – debrief finale!
• executive synopsis
  • about / Executive synopsis
• ExeInfo
  • about / Releasing the Jack-in-the-Box

F

• FakeNet
  • URL / Monitoring
• far jump
  • about / The initiation ritual
• Fast Library Identification and Recognition Technology (FLIRT)
  • about / Getting to know IDA Pro
• FileAlyzer
  • URL / Fingerprinting
• Filealyzer 2
  • about / Hashish, pot, and stashing with hashing tools
• Firebug
  • about / Malicious Web Script Analysis
  • URL / Malicious Web Script Analysis
• for loop
  • about / The for loop
• full analysis, performing steps
  • fingerprinting / Step 1 – fingerprinting
  • static analysis / Step 2 – static and dynamic analysis
  • dynamic analysis / Step 2 – static and dynamic analysis
• full analysis, performng steps
  • about / Summoning the demon!
• function prologue
  • about / The initiation ritual
• fuzzy hash
  • reference link / Hashish, pot, and stashing with hashing tools

G

• G command, in IDA Pro / Windbg 'G' command in IDA Pro
• general-purpose registers, Intel microprocessor
  • about / Motivation
  • RAX / Registers
  • RBX / Registers
  • RCX / Registers
  • RDX / Registers
  • RBP / Registers
  • RDI / Registers
  • RSI / Registers
  • RSP / Registers

H

• HashMyFiles
  • about / Hashish, pot, and stashing with hashing tools
• HeaventoolsPEExplorer
  • URL / Whippin' out your arsenal
• hexadecimal
  • converting, to binary / Binary to hexadecimal (and vice versa)
• HexEditors
  • about / Meeting the rex of HexEditors
• Hex workshop
  • about / Meeting the rex of HexEditors
• honeypots
  • references / Monitoring and visualization
• HxD Editor
  • URL / MISC

I

• IA32 instruction set
  • reference link / Motivation
• IDA Pro
  • about / Getting dumped by Dumpbin
  • overview / Getting to know IDA Pro, Knowing your bearings in IDA Pro
  • hooking up with / Hooking up with IDA Pro
  • G command / Windbg 'G' command in IDA Pro
• IDA Pro 6.1
  • URL / Debugging and disassembly
• IDA Pro Kernel Debugging Setup
  • about / Setting up IDA Pro for kernel debugging
• if-then-else loop
  • about / The if-then-else loop
• immediate value
  • about / Special-purpose registers
• Import Reconstructor
  • about / Releasing the Jack-in-the-Box
• ImpRec
  • about / Releasing the Jack-in-the-Box
• Indicators of Compromise (IOC)
  • about / Redline – malware memory forensics
• Indicators of Compromises (IOCs)
  • about / Step 1 – fingerprinting
• inline assembler
  • about / The initiation ritual
  • using / Preparing the alter
• Inspector
  • about / Fortifying your debrief
• instruction sequence
  • about / Motivation
• Intel microprocessor
  • general-purpose registers / Motivation, Registers
  • special-purpose registers / Special-purpose registers
• Intermediate Language (IL)
  • about / Byte code decompilers
• Interrupt Descriptor Table (IDT)
  • about / Data Type Inspection and Display
• In The Wild (ITW)
  • about / Next steps and prerequisites
• IRP (I/O Request Packets)
  • about / Data Type Inspection and Display

J

• Jad
  • URL / Byte code decompilers
• Joe sandbox
  • URL / Sandboxing and reporting
• JSDetox
  • URL / Static and dynamic analysis:
• Jsunpack
  • URL / Static and dynamic analysis:
• jump list
  • about / Sharpening the scalpel
• Just-In-Time (JIT) / The static library generator

K

• KANAL plugin / Identifying with PEiD
• kernel debugging
  • about / Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware
  • syscalls / Syscalls
  • WDK procurement / WDK procurement
  • Symbols, finding in WINDBG/IDA PRO / Finding symbols in WINDBG/IDA PRO
  • help file / Getting help
  • Running Processes, enumerating / Enumerating Running Processes
  • loaded modules, enumerating / Enumerating Loaded Modules

L

• lab setup
  • performing / Preparing for D-Day – lab setup
• linked lists
  • about / Linked lists
• Linux
  • wiretrapping, for network traffic analysis / Wiretapping Linux for network traffic analysis
• Literature and Latte
  • URL / Fortifying your debrief

M

• Malc0de
  • URL / Sandboxing and reporting
• Malcom
  • URL / Malware intelligence
  • about / Malware Control Monitor
• malicious web script analysis
  • about / Malicious Web Script Analysis
  • JS/Dropper, taking apart / Taking apart JS/Dropper
  • Preliminary Dumping and Analysis / Preliminary dumping and analysis
  • Static and Dynamic Analysis / Static and dynamic analysis:
  • Embedded Exploits / Embedded exploits
• Maltrieve crawls
  • Malc0de / Sandboxing and reporting
  • Malware Domain List / Sandboxing and reporting
  • VX Vault / Sandboxing and reporting
  • URLquery / Sandboxing and reporting
  • CleanMX / Sandboxing and reporting
  • ZeusTracker / Sandboxing and reporting
  • Malware URLs / Sandboxing and reporting
• malware
  • scanning, on web / Scanning malware on the web
  • selecting / Debriefing – seeing the forest for the trees
• malware analysis
  • commercial tools, prerequisites / Next steps and prerequisites
• Malware Communication Analyzer
  • about / Malware Control Monitor
• Malware Control Monitor
  • URL / Malware intelligence
  • about / Malware Control Monitor
• Malware Domain List
  • URL / Sandboxing and reporting
• Malware Intelligence
  • about / Malware intelligence
  • monitoring / Monitoring and visualization
  • visualization / Monitoring and visualization
  • sandboxing / Sandboxing and reporting
  • reporting / Sandboxing and reporting
• Malware Memory Forensics
  • about / Redline – malware memory forensics
• Malware Risk Index (MRI)
  • about / Redline – malware memory forensics
• Malware samples crawler
  • URL / Malware intelligence
• malware specific commands
  • reference link / Volatility
• Malware URLs
  • URL / Sandboxing and reporting
• Malzilla
  • URL / Malicious Web Script Analysis
• MapBox
  • URL / Malware Control Monitor
• MBR infection
  • about / MBR infection
• MBR integrity
  • verifying / Verifying MBR integrity
• MBR reading
  • about / MBR reading
• mechanism, XMLHTTP
  • reference link / Static and dynamic analysis:
• memory addressing
  • about / Special-purpose registers
• memory regions
  • de-obfuscating / Encoding/decoding – XOR Deobfuscation
• Microsoft Intermediate Language (MSIL) / The static library generator
• Microsoft PE
  • reference link / Scanning malware on the web
• mitigation
  • about / Mitigation
• mnemonic
  • about / Motivation
• Modern Honey Network
  • URL / Malware intelligence, Monitoring and visualization
  • about / Monitoring and visualization
• Most Significant Bit (MSB)
  • about / Signed numbers and complements
• MSDN via Internet
  • URL / MISC
• multi-snort and honeypot sensor management
  • about / Monitoring and visualization

N

• natural or processor word / Binary to hexadecimal (and vice versa)
• near jump
  • about / The initiation ritual
• negative numbers
  • about / Signed numbers and complements
• network activity
  • about / Network activity
  • registry activity / Registry activity
• networking modes, VMWare
  • Bridged / Preparing for D-Day – lab setup
  • NAT / Preparing for D-Day – lab setup
  • Host-only / Preparing for D-Day – lab setup
  • Custom / Preparing for D-Day – lab setup
• network traffic analysis
  • Linux, wiretrapping for / Wiretapping Linux for network traffic analysis
• nibble
  • about / Number systems
• notation system
  • about / Number systems
• number system
  • about / Number systems
  • base conversion / Base conversion

O

• objects
  • about / Objects
• octal base conversion / Octal base conversion
• OfficeCat
  • URL / Document analysis
• OfficeMalScanner
  • URL / Document analysis
• OffVis
  • URL / Document analysis
• OllyBone plugin
  • about / Releasing the Jack-in-the-Box
• OllyDBG 1.10/2.0
  • URL / Debugging and disassembly
• OllyDump plugin
  • about / Releasing the Jack-in-the-Box
• On-Access Scanning
  • about / Scanning malware on the web
• On-Demand Scanning
  • about / Scanning malware on the web
• OpenIOC
  • URL / Redline – malware memory forensics
• ordinals
  • about / Getting dumped by Dumpbin
• OR gate
  • about / Boolean logic and bit masks
• OSR Driver Loader
  • URL / Data Type Inspection and Display
• overflow flag
  • about / Special-purpose registers

P

• packed binaries
  • unpacking / Compression sacks and straps, Releasing the Jack-in-the-Box
• PackerBreaker
  • about / Releasing the Jack-in-the-Box
• parity flag
  • about / Special-purpose registers
• payload code region
  • about / Payload
• PDF Examiner
  • URL / Document analysis
• PDF StreamDumper
  • URL / Document analysis
• PE/Coff (common object file format) / The static library generator
• PEB (Process Environment Block)
  • about / Data Type Inspection and Display
• PEB traversal code
  • about / The PEB traversal code
• PE Explorer
  • about / Getting dumped by Dumpbin
  • binaries, exploring / Exploring the universe of binaries on PE Explorer
• PE format
  • reference link / Scanning malware on the web
• PEiD
  • about / Identifying with PEiD, Releasing the Jack-in-the-Box
• PEiD/ExeInfo
  • URL / Whippin' out your arsenal
• PEInsider
  • about / Know the ins and outs with PEInsider
• percent-encodeing
  • about / Embedded exploits
• permutations
  • about / Number systems
• PEView
  • about / Getting a great view with PEView
• PEView tool / The static library generator
• post infection
  • about / Post infection
• ProcDOT
  • URL / Monitoring
• ProcDot
  • about / Step 2 – static and dynamic analysis
• Process Environment Block (PEB)
  • about / Special-purpose registers
• program counters
  • about / Special-purpose registers

Q

• Quick Function Syntax Lookup
  • about / Exploring the universe of binaries on PE Explorer

R

• Redline
  • about / Redline – malware memory forensics
  • working / Redline – malware memory forensics
• Redline.msi package
  • URL, for downloading / Redline – malware memory forensics
• Reduced Instruction Set Computer (RISC)
  • about / Motivation
• registers
  • about / Registers
• relay switch
  • about / Boolean logic and bit masks
• Resource Editor
  • about / Exploring the universe of binaries on PE Explorer
• resume flag
  • about / Special-purpose registers
• return list
  • about / Sharpening the scalpel

S

• Sandboxie
  • URL / User mode sandboxing
• scanning modes, PEiD
  • normal / Identifying with PEiD
  • deep / Identifying with PEiD
  • hardcore / Identifying with PEiD
• Scrivener
  • about / Fortifying your debrief
• section object creation
  • about / Section object creation
• SEH (Structured Exception Handling) / First chance and second chance debugging
• semaphores
  • about / Objects
• short jump
  • about / The initiation ritual
• signed data type overflow conditions table
  • about / A signed data type overflow conditions table
• signed numbers
  • about / Signed numbers and complements
• special-purpose registers, Intel microprocessor
  • about / Special-purpose registers
• Standard Redline Collectors
  • about / Redline – malware memory forensics
• static library generator
  • about / The static library generator
• static versioning / Static and dynamic analysis:
• structs
  • about / Structs
• Structured Exception Handling (SEH)
  • about / Special-purpose registers
• SWF Decompiler
  • URL / Document analysis
• switch case
  • about / A switch case
• Symbols
  • finding, in WINDBG/IDA PRO / Finding symbols in WINDBG/IDA PRO
• syscalls
  • about / Syscalls
• Sysinternals Suite
  • about / Digesting string theory with strings
  • URL / Monitoring
• system programming, Intel chips
  • reference link / Motivation

T

• taskkill invocation, for antivirus services
  • about / Taskkill invocation for antivirus services
• temp file check
  • about / Temp file check
• thread
  • creating / New thread creation
• TitanEngine
  • about / Releasing the Jack-in-the-Box
• tools, debugging and disassembly
  • OllyDBG 1.10/2.0 / Debugging and disassembly
  • IDA Pro 6.1 or above / Debugging and disassembly
  • Debugging Tools for Windows(x86) / Debugging and disassembly
  • Bochs 2.4.6 / Debugging and disassembly
• tools, fingerprinting
  • PEiD/ExeInfo / Whippin' out your arsenal
  • HeaventoolsPEExplorer / Whippin' out your arsenal
  • Yara / Whippin' out your arsenal
  • FileAlyzer (with ssdeep.dll for ssdeep hashes) / Fingerprinting
• tools, MISC
  • 010 Editor / MISC
  • WinHex / MISC
  • HxD Editor / MISC
  • MSDN via Internet / MISC
• tools, monitoring
  • FakeNet / Monitoring
  • Sysinternals Suite / Monitoring
  • ProcDOT / Monitoring
  • API Monitor / Monitoring
  • Win32Override / Monitoring
• tools, user mode sandboxing
  • Sandboxie / Whippin' out your arsenal
  • BSA Buster Sandbox / User mode sandboxing
  • Cuckoo Sandbox / User mode sandboxing
  • VMWare / Debugging and disassembly
• Total Commander
  • URL / Fortifying your debrief
• trap flag
  • about / Special-purpose registers

U

• 592 UDP port
  • about / Embedded exploits
• Ultimate Packer for Executables (UPX)
  • about / Compression sacks and straps
• Unicode
  • reference link / Bit masking
• UPX
  • URL, for downloading / Releasing the Jack-in-the-Box
• URLquery
  • URL / Sandboxing and reporting

V

• VB decompiler
  • URL / Byte code decompilers
• VC++ debugger
  • about / The initiation ritual
• VDL (Virus Definition Language)
  • about / Hashish, pot, and stashing with hashing tools
• VirtualBox
  • about / Preparing for D-Day – lab setup
• VirtualKD
  • URL / Setting up IDA Pro for kernel debugging
• VirusTotal
  • URL / Step 1 – fingerprinting
• Visual Studio C++ 2008 Express Edition
  • console-based C program, writing in / The initiation ritual
• VMWare
  • about / Preparing for D-Day – lab setup
  • networking modes / Preparing for D-Day – lab setup
  • URL / User mode sandboxing
• VX Vault
  • URL / Sandboxing and reporting

W

• WDK procurement
  • about / WDK procurement
• web
  • malware, scanning on / Scanning malware on the web
• Wepawet
  • URL / Document analysis
• while loop
  • about / The while loop
• Win32Override
  • URL / Monitoring
• Windbg
  • about / Next steps and prerequisites
  • command types / Command types
• WINDBG/IDA PRO
  • Symbols, finding in / Finding symbols in WINDBG/IDA PRO
• Windows help file / Getting help
• WinHex
  • about / Meeting the rex of HexEditors
  • URL / MISC
• word (computer architecture)
  • URL / Binary to hexadecimal (and vice versa)

X

• x86 disassembly
  • code constructs / Code constructs in x86 disassembly
• XNResourceEditor
  • about / Getting resourceful with XNResource Editor
• XOR Boolean operation
  • about / Encoding/decoding – XOR Deobfuscation
• XORSearch
  • reference link / Encoding/decoding – XOR Deobfuscation
• XORStrings
  • reference link / Encoding/decoding – XOR Deobfuscation

Y

• Yara
  • URL / Whippin' out your arsenal
• Yara signatures
  • about / Yara signatures
  • meta section / Yara signatures
  • strings section / Yara signatures
  • condition section / Yara signatures

Z

• zero flag
  • about / Special-purpose registers
• ZeusTracker
  • URL / Sandboxing and reporting