Sign In Start Free Trial

Book Overview & Buying
Table Of Contents
Feedback & Rating

Learning Malware Analysis

By : Monnappa K A

4.7 (31)

Learning Malware Analysis

4.7 (31)

By: Monnappa K A

Overview of this book

Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. With adversaries becoming sophisticated and carrying out advanced malware attacks on critical infrastructures, data centers, and private and public organizations, detecting, responding to, and investigating such intrusions is critical to information security professionals. Malware analysis and memory forensics have become must-have skills to fight advanced malware, targeted attacks, and security breaches. This book teaches you the concepts, techniques, and tools to understand the behavior and characteristics of malware through malware analysis. It also teaches you techniques to investigate and hunt malware using memory forensics. This book introduces you to the basics of malware analysis, and then gradually progresses into the more advanced concepts of code analysis and memory forensics. It uses real-world malware samples, infected memory images, and visual diagrams to help you gain a better understanding of the subject and to equip you with the skills required to analyze, investigate, and respond to malware-related incidents.

Preface

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Free Chapter

Introduction to Malware Analysis

Introduction to Malware Analysis

1. What Is Malware?

2. What Is Malware Analysis?

3. Why Malware Analysis?

4. Types Of Malware Analysis

5. Setting Up The Lab Environment

6. Malware Sources

Summary

Static Analysis

Static Analysis

1. Determining the File Type

2. Fingerprinting the Malware

3. Multiple Anti-Virus Scanning

4. Extracting Strings

5. Determining File Obfuscation

6. Inspecting PE Header Information

7. Comparing And Classifying The Malware

Summary

Dynamic Analysis

Dynamic Analysis

1. Lab Environment Overview

2. System And Network Monitoring

3. Dynamic Analysis (Monitoring) Tools

4. Dynamic Analysis Steps

5. Putting it All Together: Analyzing a Malware Executable

6. Dynamic-Link Library (DLL) Analysis

Summary

Assembly Language and Disassembly Primer

Assembly Language and Disassembly Primer

1. Computer Basics

2. CPU Registers

3. Data Transfer Instructions

4. Arithmetic Operations

5. Bitwise Operations

6. Branching And Conditionals

7. Loops

8. Functions

9. Arrays And Strings

10. Structures

11. x64 Architecture

12. Additional Resources

Summary

Disassembly Using IDA

Disassembly Using IDA

1. Code Analysis Tools

2. Static Code Analysis (Disassembly) Using IDA

3. Disassembling Windows API

4. Patching Binary Using IDA

5. IDA Scripting and Plugins

Summary

Debugging Malicious Binaries

Debugging Malicious Binaries

1. General Debugging Concepts

2. Debugging a Binary Using x64dbg

3. Debugging a Binary Using IDA

4. Debugging a .NET Application

Summary

Malware Functionalities and Persistence

Malware Functionalities and Persistence

1. Malware Functionalities

2. Malware Persistence Methods

Summary

Code Injection and Hooking

Code Injection and Hooking

1. Virtual Memory

2. User Mode And Kernel Mode

3. Code Injection Techniques

4. Hooking Techniques

5. Additional Resources

Summary

Malware Obfuscation Techniques

Malware Obfuscation Techniques

1. Simple Encoding

2. Malware Encryption

3. Custom Encoding/Encryption

4. Malware Unpacking

Summary

Hunting Malware Using Memory Forensics

Hunting Malware Using Memory Forensics

1. Memory Forensics Steps

2. Memory Acquisition

3. Volatility Overview

4. Enumerating Processes

5. Listing Process Handles

6. Listing DLLs

7. Dumping an Executable and DLL

8. Listing Network Connections and Sockets

9. Inspecting Registry

10. Investigating Service

11. Extracting Command History

Summary

Detecting Advanced Malware Using Memory Forensics

Detecting Advanced Malware Using Memory Forensics

1. Detecting Code Injection

2. Investigating Hollow Process Injection

3. Detecting API Hooks

4. Kernel Mode Rootkits

5. Listing Kernel Modules

6. I/O Processing

7. Displaying Device Trees

8. Detecting Kernel Space Hooking

9. Kernel Callbacks And Timers

Summary

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

4.7 (31)

5 star

87.1%

4 star

6.5%

3 star

0

2 star

6.5%

1 star

0

9. Kernel Callbacks And Timers

The Windows operating system allows a driver to register a callback routine, which will be called when a particular event occurs. For instance, if a rootkit driver wants to monitor the execution and termination of all processes running on the system, it can register a callback routine for the process event by calling the kernel function PsSetCreateProcessNotifyRoutine, PsSetCreateProcessNotifyRoutineEx, or PsSetCreateProcessNotifyRoutineEx2. When the process event occurs (starts or exits) the rootkit's callback routine will be invoked, which can then take necessary action such as preventing a process from launching. In the same manner, a rootkit driver can register a callback routine to receive notifications when an image (EXE or DLL) gets loaded into memory, when file and registry operations are performed, or when the system is about to...

Search

Your notes and bookmarks