Windows Malware Analysis Essentials
by Victor Marak
Table of Contents
Windows Malware Analysis Essentials
Credits
About the Author
Acknowledgments
About the Reviewer
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Instant updates on new Packt books
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Down the Rabbit Hole
Number systems
Base conversion
Binary to hexadecimal (and vice versa)
Decimal to binary (and vice versa)
Octal base conversion
Signed numbers and complements
A signed data type overflow conditions table
Boolean logic and bit masks
Bit masking
Breathing in the ephemeral realm
Sharpening the scalpel
Performing binary reconnaissance
Scanning malware on the web
Getting a great view with PEView
Know the ins and outs with PEInsider
Identifying with PEiD
Walking on frozen terrain with DeepFreeze
Meeting the rex of HexEditors
Digesting string theory with strings
Hashish, pot, and stashing with hashing tools
Getting resourceful with XNResource Editor
Too much leech with Dependency Walker
Getting dumped by Dumpbin
Exploring the universe of binaries on PE Explorer
Entropy
Summary
2. Dancing with the Dead
Motivation
Registers
Special-purpose registers
The initiation ritual
Preparing the altar
The static library generator
Code constructs in x86 disassembly
The for loop
The while loop
The do-while loop
The if-then-else loop
A switch case
Structs
Linked lists
Summary
3. Performing a Séance Session
Fortifying your debrief
Debriefing – seeing the forest for the trees
Whippin' out your arsenal
Fingerprinting
User mode sandboxing
Debugging and disassembly
Monitoring
MISC
Next steps and prerequisites
Summoning the demon!
Step 1 – fingerprinting
Step 2 – static and dynamic analysis
Obfuscation – a dynamic in-memory function pointers table
The PEB traversal code
Section object creation
Temp file check
Taskkill invocation for antivirus services
New thread creation
MBR reading
MBR infection
Payload
Verifying MBR integrity
Exorcism and the aftermath – debrief finale!
Executive synopsis
Mitigation
Summary
4. Traversing Across Parallel Dimensions
Compression sacks and straps
Releasing the Jack-in-the-Box
Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware
Syscalls
WDK procurement
Setting up IDA Pro for kernel debugging
Finding symbols in WINDBG/IDA PRO
Getting help
Windbg 'G' command in IDA Pro
Command types
Enumerating running processes
Enumerating loaded modules
Data type inspection and display
Display headers
Pocket calculator
Base converter
Unassembly and disassembly
Debugger interaction – Step In, Step Over, Execute till Return
Registers
Call trace and walking the stack
Breakpoints
First chance and second chance debugging
A debugger implementation overview
Examine symbols
Objects
Summary
5. Good versus Evil – Ogre Wars
Wiretapping Linux for network traffic analysis
Encoding/decoding – XOR deobfuscation
Malicious web script analysis
Taking apart JS/Dropper
Preliminary dumping and analysis
Static and dynamic analysis
Embedded exploits
Byte code decompilers
Document analysis
Redline – malware memory forensics
Volatility
Malware intelligence
Monitoring and visualization
Malware Control Monitor
Sandboxing and reporting
Summary
Index