product iamge

Mastering Malware Analysis: A malware analyst's practical guide to combating malicious software, APT, cybercrime, and IoT attacks

This document was uploaded by one of our users. The uploader already confirmed that they had the permission to publish it. If you are author/publisher or own the copyright of this documents, please report to us by using this DMCA report form.

Download
Search on Amazon

Simply click on the Download Book button.

Yes, Book downloads on Ebookily are 100% Free.

Sometimes the book is free on Amazon As well, so go ahead and hit "Search on Amazon"

Learn effective malware analysis tactics to prevent your systems from getting infected

Key Features

  • Investigate cyberattacks and prevent malware-related incidents from occurring in the future
  • Learn core concepts of static and dynamic malware analysis, memory forensics, decryption, and much more
  • Get practical guidance in developing efficient solutions to handle malware incidents

Book Description

New and developing technologies inevitably bring new types of malware with them, creating a huge demand for IT professionals that can keep malware at bay. With the help of this updated second edition of Mastering Malware Analysis, you'll be able to add valuable reverse-engineering skills to your CV and learn how to protect organizations in the most efficient way.

This book will familiarize you with multiple universal patterns behind different malicious software types and teach you how to analyze them using a variety of approaches.

You'll learn how to examine malware code and determine the damage it can possibly cause to systems, along with ensuring that the right prevention or remediation steps are followed. As you cover all aspects of malware analysis for Windows, Linux, macOS, and mobile platforms in detail, you'll also get to grips with obfuscation, anti-debugging, and other advanced anti-reverse-engineering techniques. The skills you acquire in this cybersecurity book will help you deal with all types of modern malware, strengthen your defenses, and prevent or promptly mitigate breaches regardless of the platforms involved.

By the end of this book, you will have learned how to efficiently analyze samples, investigate suspicious activity, and build innovative solutions to handle malware incidents.

What you will learn

  • Explore assembly languages to strengthen your reverse-engineering skills
  • Master various file formats and relevant APIs used by attackers
  • Discover attack vectors and start handling IT, OT, and IoT malware
  • Understand how to analyze samples for x86 and various RISC architectures
  • Perform static and dynamic analysis of files of various types
  • Get to grips with handling sophisticated malware cases
  • Understand real advanced attacks, covering all their stages
  • Focus on how to bypass anti-reverse-engineering techniques

Who this book is for

If you are a malware researcher, forensic analyst, IT security administrator, or anyone looking to secure against malicious software or investigate malicious code, this book is for you. This new edition is suited to all levels of knowledge, including complete beginners. Any prior exposure to programming or cybersecurity will further help to speed up your learning process.

Table of Contents

  1. Cybercrime, APT Attacks, and Research Strategies
  2. A Crash Course in Assembly and Programming Basics
  3. Basic Static and Dynamic Analysis for x86/x64
  4. Unpacking, Decryption, and Deobfuscation
  5. Inspecting Process Injection and API Hooking
  6. Bypassing Anti-Reverse Engineering Techniques
  7. Understanding Kernel-Mode Rootkits
  8. Handling Exploits and Shellcode
  9. Reversing Bytecode Languages – .NET, Java, and More
  10. Scripts and Macros – Reversing, Deobfuscation, and Debugging
  11. Dissecting Linux and IoT Malware
  12. Introduction to macOS and iOS Threats
  13. Analyzing Android Malware Samples

Author(s): Alexey Kleymenov, Amr Thabet
Edition: 2
Publisher: Packt Publishing
Year: 2022

Language: English
Commentary: Publisher PDF
Pages: 572
City: Birmingham, UK
Tags: Malware Analysis; Malicious Software; Cybercrime; IoT Attacks; APT Attacks; Decryption; Deobfuscation; Assembly Programming Basics; Process Injection; API Hooking; Bypassing Anti-Reverse; Kernel-Mode Rootkits; Shellcode; Reversing Bytecode Languages; macOS iOS Threats; Android Malware

Cover
Title Page
Copyright and Credits
Contributors
Table of Contents
Preface
Part 1: Fundamental Theory
Chapter 1: Cybercrime, APT Attacks, and Research Strategies
Why malware analysis?
Malware analysis in collecting threat intelligence
Malware analysis in incident response
Malware analysis in threat hunting
Malware analysis in creating detections
Exploring types of malware
A short history of malware development
Malware categories
Naming conventions
The MITRE ATT&CK framework explained
Basic terminology
Enterprise Matrix
APT and zero-day attacks and fileless malware
APT attack
Zero-day attack
Fileless malware
Choosing your analysis strategy
Understand your audience
Answer your audience’s questions
Define your goals
Avoid unnecessary technical details
Example structures
Typical analysis workflow
Setting up the environment
Choosing the virtualization software
Safety features
Summary
Chapter 2: A Crash Course in Assembly and Programming Basics
Basics of informatics
Numeral systems
Basic data units and data types
Bitwise operations
Architectures and their assembly
Registers
Memory
Instructions (CISC and RISC)
Becoming familiar with x86 (IA-32 and x64)
Registers
The instruction structure
The instruction set
Arguments, local variables, and calling conventions (in x86 and x64)
Exploring ARM assembly
Basics
Instruction sets
Basics of MIPS
Basics
The instruction set
Diving deep into PowerPC
Basics
The instruction set
Covering the SuperH assembly
Basics
The instruction set
Working with SPARC
Basics
The instruction set
Moving from assembly to high-level programming languages
Arithmetic statements
If conditions
While loop conditions
Summary
Part 2: Diving Deep into Windows Malware
Chapter 3: Basic Static and Dynamic Analysis for x86/x64
Working with the PE header structure
Why PE?
Exploring PE’s structure
PE+ (x64 PE)
PE header analysis tools
Static and dynamic linking
Static linking
Dynamic linking
Dynamic link libraries
Application programming interface (API)
Using PE header information for static analysis
How to use the PE header for incident handling
How to use a PE header for threat hunting
PE loading and process creation
Basic terminology
Process creation step by step
PE file loading step by step
WOW64 processes
Basics of dynamic analysis using OllyDbg and x64dbg
Debugging tools
How to analyze a sample with OllyDbg
Types of breakpoints
Modifying the program’s execution
List strings, APIs, and cross-references
Setting labels and comments
Differences between OllyDbg and x64dbg
Debugging malicious services
What is a service?
Attaching to services
Essentials of behavioral analysis
File operations
Registry operations
Process operations
WinAPIs
Network activity
Sandboxes
Summary
Chapter 4: Unpacking, Decryption, and Deobfuscation
Exploring packers
Exploring packing and encrypting tools
Identifying a packed sample
Technique 1 – using static signatures
Technique 2 – evaluating PE section names
Technique 3 – using stub execution signs
Technique 4 – detecting a small import table
Automatically unpacking packed samples
Technique 1 – the official unpacking process
Technique 2 – using OllyScript with OllyDbg
Technique 3 – using generic unpackers
Technique 4 – emulation
Technique 5 – memory dumps
Manual unpacking techniques
Technique 1 – memory breakpoint on execution
Technique 2 – call stack backtracing
Technique 3 – monitoring memory allocated spaces for unpacked code
Technique 4 – in-place unpacking
Technique 5 – searching for and transferring control to OEP
Technique 6 – stack restoration-based
Dumping the unpacked sample and fixing the import table
Dumping the process
Fixing the import table
Identifying simple encryption algorithms and functions
Types of encryption algorithms
Basic encryption algorithms
Identifying encryption functions in disassembly
String search detection techniques for simple algorithms
Identifying the RC4 encryption algorithm
Advanced symmetric and asymmetric encryption algorithms
Extracting information from Windows cryptography APIs
Cryptography API: Next Generation (CNG)
Applications of encryption in modern malware – Vawtrak banking Trojan
String and API name encryption
Network communication encryption
Using IDA for decryption and unpacking
IDA tips and tricks
Classic and new syntax of IDA scripts
Dynamic string decryption
Dynamic WinAPIs resolution
Summary
Chapter 5: Inspecting Process Injection and API Hooking
Understanding process injection
What’s process injection?
Why process injection?
DLL injection
Windows-supported DLL injection
A simple DLL injection technique
Diving deeper into process injection
Finding the victim process
Code block injection
Reflective DLL injection
Stuxnet secret technique – process hollowing
A dynamic analysis of code injection
Technique 1 – Debug it where it is
Technique 2 – Attach to the targeted process
Technique 3 – Dealing with process hollowing
Memory forensics techniques for process injection
Technique 1 – Detecting code injection and reflective DLL injection
Technique 2 – Detecting process hollowing
Technique 3 – Detecting process hollowing using the HollowFind plugin
Understanding API hooking
Why API hooking?
Working with API hooking
Detecting API hooking using memory forensics
Exploring IAT hooking
Summary
Chapter 6: Bypassing Anti-Reverse Engineering Techniques
Exploring debugger detection
Using PEB information
Using EPROCESS information
Using DebugObject
Using handles
Using exceptions
Using parent processes
Handling the evasion of debugger breakpoints
Detecting software breakpoints (INT3)
Detecting single-stepping breakpoints using a trap flag
Detecting single-stepping using timing techniques
Evading hardware breakpoints
Memory breakpoints
Escaping the debugger
Process injection
TLS callbacks
Windows events callbacks
Attacking the debugger
Understanding obfuscation and anti-disassemblers
Encryption
Junk code
Code transportation
Dynamic API calling with checksum
Proxy functions and proxy argument stacking
Using the COM functionality
Detecting and evading behavioral analysis tools
Finding the tool process
Searching for the tool window
Detecting sandboxes and VMs
Different output between VMs and real machines
Detecting virtualization processes and services
Detecting virtualization through registry keys
Detecting VMs using WMI
Other VM detection techniques
Detecting sandboxes using default settings
Summary
Chapter 7: Understanding Kernel-Mode Rootkits
Kernel mode versus user mode
Protection rings
Windows internals
The anatomy of Windows
The execution path from user mode to kernel mode
Rootkits and device drivers
What is a rootkit?
Types of rootkits
What is a device driver?
Hooking mechanisms
Hooking the SYSENTER entry function
Modifying SSDT in an x86 environment
Modifying SSDT in an x64 environment
Patching SSDT functions
IRP hooking
DKOM
The kernel objects – EPROCESS and ETHREAD
How do rootkits perform an object manipulation attack?
Process injection in kernel mode
Executing the inject code using APC queuing
KPP in x64 systems (PatchGuard)
Bypassing driver signature enforcement
Bypassing PatchGuard – the Turla example
Bypassing PatchGuard – GhostHook
Static and dynamic analysis in kernel mode
Static analysis
Dynamic and behavioral analysis
Setting up a testing environment
Setting up the debugger
Stopping at the driver's entry point
Loading the driver
Restoring the debugging state
Summary
Part 3: Examining Cross-Platform and Bytecode-Based Malware
Chapter 8: Handling Exploits and Shellcode
Getting familiar with vulnerabilities and exploits
Types of vulnerabilities
Types of exploits
Cracking the shellcode
What’s shellcode?
Linux shellcode in x86-64
Linux shellcode for ARM
Windows shellcode
Static and dynamic analysis of exploits
Exploring bypasses for exploit mitigation technologies
Data execution prevention (DEP/NX)
Return-oriented programming
Address space layout randomization
Other mitigation technologies
Analyzing Microsoft Office exploits
File structures
Static and dynamic analysis of MS Office exploits
Studying malicious PDFs
File structure
Static and dynamic analysis of PDF files
Summary
Chapter 9: Reversing Bytecode Languages – .NET, Java, and More
The basic theory of bytecode languages
Object-oriented programming
Inheritance
Polymorphism
.NET explained
.NET file structure
How to identify a .NET application from PE characteristics
The CIL language instruction set
CIL language into higher-level languages
.NET malware analysis
.NET analysis tools
Static and dynamic analysis
Dealing with obfuscation
The essentials of Visual Basic
File structure
P-code versus native code
Common p-code instructions
Dissecting Visual Basic samples
Static analysis
Dynamic analysis
The internals of Java samples
File structure
JVM instructions
Static analysis
Dynamic analysis
Dealing with anti-reverse engineering solutions
Analyzing compiled Python threats
File structure
Bytecode instructions
Static analysis
Dynamic analysis
Summary
Chapter 10: Scripts and Macros – Reversing, Deobfuscation, and Debugging
Classic shell script languages
Windows batch scripting
Bash
VBScript explained
Basic syntax
Static and dynamic analysis
Deobfuscation
VBA and Excel 4.0 (XLM) macros and more
VBA macros
Excel 4.0 (XLM) macros
Besides macros
The power of PowerShell
Basic syntax
Obfuscation
Static and dynamic analysis
Handling JavaScript
Basic syntax
Anti-reverse engineering tricks
Static and dynamic analysis
Behind C&C – even malware has its own backend
Things to focus on
Static and dynamic analysis
Other script languages
Where to start
Questions to answer
Summary
Part 4: Looking into IoT and Other Platforms
Chapter 11: Dissecting Linux and IoT Malware
Explaining ELF files
The ELF structure
System calls
Exploring common behavioral patterns
Initial access and lateral movement
Persistence
Privilege escalation
Command and control
Impact
Defense evasion
Static and dynamic analysis of x86 (32- and 64-bit) samples
Static analysis
Dynamic analysis
A radare2 cheat sheet
Learning about Mirai, its clones, and more
High-level functionality
Later derivatives
Other widespread families
Static and dynamic analysis of RISC samples
ARM
MIPS
PowerPC
SuperH
SPARC
Handling other architectures
What to start from
Summary
Chapter 12: Introduction to macOS and iOS Threats
Understanding the role of the security model
macOS
Other technologies
iOS
File formats and APIs
Mach-O
Application bundles (.app)
Installer packages (.pkg)
Apple disk images (.dmg)
iOS app store packages (.ipa)
APIs
Attack stages
Jailbreaks on demand
Initial access
Execution and persistence
Impact
Other attack techniques
Advanced techniques
Anti-analysis and detection tricks
Misusing dynamic data exchange (DDE)
User hiding
Using AppleScript
API hijacking
Other techniques
Rootkits for Mac – do they exist?
Static and dynamic analysis of macOS and iOS samples
Static analysis
Dynamic and behavioral analysis
The analysis workflow
Summary
Chapter 13: Analyzing Android Malware Samples
(Ab)using the Android internals
The file hierarchy
The Android security model
To root or not to root?
Understanding Dalvik and ART
Dalvik VM (DVM)
Android runtime (ART)
The bytecode set
File formats and APIs
DEX
ODEX
OAT
VDEX
ART
ELF
APK
APIs
Malware behavior patterns
Initial access
Privilege escalation
Persistence
Impact
Collection
Defence evasion
Static and dynamic analysis of threats
Static analysis
Dynamic analysis
Behavioral analysis and tracing
The analysis workflow
Summary
Index
Other Books You May Enjoy