Table of Contents for
Windows Malware Analysis Essentials

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Windows Malware Analysis Essentials by Victor Marak Published by Packt Publishing, 2015
  1. Cover
  2. Table of Contents
  3. Windows Malware Analysis Essentials
  4. Windows Malware Analysis Essentials
  5. Credits
  6. About the Author
  7. Acknowledgments
  8. About the Reviewer
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. Down the Rabbit Hole
  17. Signed numbers and complements
  18. Boolean logic and bit masks
  19. Breathing in the ephemeral realm
  20. Sharpening the scalpel
  21. Performing binary reconnaissance
  22. Exploring the universe of binaries on PE Explorer
  23. Getting to know IDA Pro
  24. Entropy
  25. Summary
  26. 2. Dancing with the Dead
  27. Registers
  28. The initiation ritual
  29. Preparing the alter
  30. Code constructs in x86 disassembly
  31. Summary
  32. 3. Performing a Séance Session
  33. Debriefing – seeing the forest for the trees
  34. Preparing for D-Day – lab setup
  35. Whippin' out your arsenal
  36. Summoning the demon!
  37. Post infection
  38. Exorcism and the aftermath – debrief finale!
  39. Summary
  40. 4. Traversing Across Parallel Dimensions
  41. Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware
  42. Summary
  43. 5. Good versus Evil – Ogre Wars
  44. Encoding/decoding – XOR Deobfuscation
  45. Malicious Web Script Analysis
  46. Byte code decompilers
  47. Document analysis
  48. Redline – malware memory forensics
  49. Malware intelligence
  50. Summary
  51. Index

Preface

Welcome to Windows Malware Analysis Essentials. This book will help you demystify the process of analyzing Windows-specific malware, and it will show you how to work with the weapons in the malware analysts' arsenal. It will also help you develop skills to analyze malware on your own with informed confidence.

Malware is a big and global business—with malware fighters a relatively reclusive and closed community since the inception of the antivirus industry. This also means that anti-malware technologies are a relative mystery to most regular folk with a dichotomy existing perpetually. Only recently have extensive steps been taken to alleviate this problem, which is becoming more and more visible and pervasive. Even gaining knowledge has become an expensive affair with training and courses running into many thousands of dollars for relatively foundational information. The training market does have value and an audience, but the IT masses do not have much access to it, even if the interest is there. Malware has moved on from being a sport or hobby to organized crime and even though the hacker community shares between them, the IT crowd is not very initiated or well informed. Skilled manpower is required, and right now, demand exceeds supply. Working in an anti-malware firm is not the only way to fight malware, and with signature-based detection slowly becoming an unwieldy technology, more minds are required to innovate or invent new solutions to existing challenges. This has to be a multipronged approach taking from data analytics, mathematics, biology, law enforcement, and of course, computers, among a host of other requirements. Getting up to speed with the fundamentals of malware analysis makes things more manageable when the proverbial stuff hits the fan.

The book will commence with the essentials of computing where you get a foothold for the challenges ahead. It will show you how to decipher disassembly text obtained from analysis of compiled binary code and acclimatize you to the battery of tools at your disposal. It will also give you an unprecedented look at the myriad ways that an analyst can approach analyses of real-world malware and points you in the right direction in order to start building your own malware lab, gathering intelligence, and revealing maleficent agents through thorough investigation. This book will, as a rite of passage, effectively prepare you to be the anti-malware warrior you always wanted to be.

What this book covers

Chapter 1, Down the Rabbit Hole, prepares you for the challenges ahead by reviewing some essential computing concepts, which must be mastered before you commence analysis of malware. You will explore number bases, binary arithmetic, and boolean algebra. This chapter also covers the malware analysts' toolkit and introduces IDA Pro, the Portable Executable format, and instances of reverse engineering program binaries on the Windows platform. This will set the pace for the activities in the chapters ahead.

Chapter 2, Dancing with the Dead, covers x86 assembly programming using VC++ 2008 and MASM32. You will then proceed with x86 disassembly of compiled code binary and analysis thereof in VC++ IDE. Finally, you will explore the myriad configurations in order to do assembly programming in the VC++ environment and end with a detailed overview of common data structures and code constructs in the C and x86 assembly.

Chapter 3, Performing a Séance Session, demonstrates a complete end-to-end malware analysis of real-world destructive malware. You will get unprecedented insight into an analysis session along with configurations, tips and tricks, and step-by-step progression towards a full analysis, right up to signature generation and report creation for the entire set of malware samples.

Chapter 4, Traversing Across Parallel Dimensions, delves into kernel-mode concepts and the fundamentals of Windows internals, which will help you with your analysis and understanding of the overall framework you are dealing with. You will work with IDA Pro and Windbg as the primary weapons for kernel mode analysis.

Chapter 5, Good versus Evil – Ogre Wars, rounds off the earlier excursions with a general set of devices—from the configuration of the Linux virtual machine guest for wiretapping the network activity of malware, to exploring XOR deobfuscations programmatically. Thereafter, you will revisit malware analysis with a different target—malicious web scripts, and you will learn how the innards are picked one by one, gathering information about the exploits used, the various infection vectors, dealing with obfuscated JavaScript and working with a rather familiar set of new tools. You will also be introduced to Mandiant Redline for malware forensics, and finally end the tour with a discussion of bytecode decompilation utilities and open source tools for malware intelligence gathering.