Table of Contents for
Windows Malware Analysis Essentials

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Windows Malware Analysis Essentials by Victor Marak Published by Packt Publishing, 2015
  1. Cover
  2. Table of Contents
  3. Windows Malware Analysis Essentials
  4. Windows Malware Analysis Essentials
  5. Credits
  6. About the Author
  7. Acknowledgments
  8. About the Reviewer
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. Down the Rabbit Hole
  17. Signed numbers and complements
  18. Boolean logic and bit masks
  19. Breathing in the ephemeral realm
  20. Sharpening the scalpel
  21. Performing binary reconnaissance
  22. Exploring the universe of binaries on PE Explorer
  23. Getting to know IDA Pro
  24. Entropy
  25. Summary
  26. 2. Dancing with the Dead
  27. Registers
  28. The initiation ritual
  29. Preparing the alter
  30. Code constructs in x86 disassembly
  31. Summary
  32. 3. Performing a Séance Session
  33. Debriefing – seeing the forest for the trees
  34. Preparing for D-Day – lab setup
  35. Whippin' out your arsenal
  36. Summoning the demon!
  37. Post infection
  38. Exorcism and the aftermath – debrief finale!
  39. Summary
  40. 4. Traversing Across Parallel Dimensions
  41. Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware
  42. Summary
  43. 5. Good versus Evil – Ogre Wars
  44. Encoding/decoding – XOR Deobfuscation
  45. Malicious Web Script Analysis
  46. Byte code decompilers
  47. Document analysis
  48. Redline – malware memory forensics
  49. Malware intelligence
  50. Summary
  51. Index

Document analysis

Digital documents are something we all consume in one form or another. Malwares have been making use of this medium for a very long time indeed, and even more so given the popularity of software ebook readers and the PDF format, which is mainly used for targeted spear phishing and as an exploits vector. MS Office files are also very popular targets given that Windows has the largest market share and most of the users use these software. Some of the more popular tools are as follows:

  • OfficeCat: This can be found at https://www.microsoft.com/enus/download/details.aspx?id=36852
  • OfficeMalScanner: This can be found at http://www.reconstructer.org/code.html with the various options as follows and the output of the scan mode.
    Document analysis
  • OffVis: This can be found at https://www.microsoft.com/en-us/download/details.aspx?id=2096. As shown in the following image, it uses a hex view and a selection of parsers from the drop down menu that can aid in auditing of the MS Office documents:
    Document analysis

    For PDF files, the extraction of Javascript, Flash content or executables is the main objective. After that, rest of the process is quite the same as regular Javascript deobfuscation, which can include exploits (including the popular heap spray) and shellcode packed inside it. A PDF document is composed of the file magic number or the signature %PDF-1.1, followed by a hierarchy of objects replete with tags that categorize the objects, followed by an ending marker %%EOF. Some of the types are Boolean values, Number, Strings, Names, Arrays, Dictionaries, and Streams.

  • PDF Examiner: This can be found at https://github.com/mwtracker/pdfexaminer
  • Wepawet: This can be found at http://wepawet.iseclab.org/
  • PDF StreamDumper: This can be found at http://sandsprite.com/blogs/index.php?uid=7&pid=57
    Document analysis

    PDF StreamDumper also has a very capable and featured Javascript deobfuscation and analysis engine. The Javascript streams can be chosen from the object list at the left hand tab and initially perused with the text, hex, and object information tabs. The Javascript UI can then be invoked to commence analysis.

    Document analysis
  • SWF Decompiler: This can be found at http://www.eltima.com/products/flashdecompiler. It is one of the better products that can analyze upto ActionScript 3.0 and aid in Flash (*.swf) files analysis.