Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Mastering Malware Analysis
  • Table Of Contents Toc
  • Feedback & Rating feedback
Mastering Malware Analysis

Mastering Malware Analysis

By : Alexey Kleymenov, Amr Thabet
4.5 (10)
Buy this Book
close
close
Mastering Malware Analysis

Mastering Malware Analysis

4.5 (10)
By: Alexey Kleymenov, Amr Thabet
Buy this Book

Overview of this book

With the ever-growing proliferation of technology, the risk of encountering malicious code or malware has also increased. Malware analysis has become one of the most trending topics in businesses in recent years due to multiple prominent ransomware attacks. Mastering Malware Analysis explains the universal patterns behind different malicious software types and how to analyze them using a variety of approaches. You will learn how to examine malware code and determine the damage it can possibly cause to your systems to ensure that it won't propagate any further. Moving forward, you will cover all aspects of malware analysis for the Windows platform in detail. Next, you will get to grips with obfuscation and anti-disassembly, anti-debugging, as well as anti-virtual machine techniques. This book will help you deal with modern cross-platform malware. Throughout the course of this book, you will explore real-world examples of static and dynamic malware analysis, unpacking and decrypting, and rootkit detection. Finally, this book will help you strengthen your defenses and prevent malware breaches for IoT devices and mobile platforms. By the end of this book, you will have learned to effectively analyze, investigate, and build innovative solutions to handle any malware incidents.
Table of Contents (18 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the example code files
Icon
Download the color images
Icon
Conventions used
Icon
Get in touch
Icon
Reviews
Free Chapter
1
Section 1: Fundamental Theory
Icon
Section 1: Fundamental Theory
2
A Crash Course in CISC/RISC and Programming Basics
Icon
A Crash Course in CISC/RISC and Programming Basics
Icon
Basic concepts
Icon
Registers
Icon
Memory
Icon
Virtual memory
Icon
Stack
Icon
Branches, loops, and conditions
Icon
Exceptions, interrupts, and communicating with other devices
Icon
Assembly languages
Icon
CISC versus RISC
Icon
Types of instructions
Icon
Becoming familiar with x86 (IA-32 and x64)
Icon
Registers
Icon
Special registers
Icon
The instruction structure
Icon
opcode
Icon
dest
Icon
src
Icon
The instruction set
Icon
Data manipulation instructions
Icon
Data transfer instructions
Icon
Flow control instructions
Icon
Arguments, local variables, and calling conventions (in x86 and x64)
Icon
stdcall
Icon
Arguments
Icon
Local variables
Icon
cdecl
Icon
fastcall
Icon
thiscall
Icon
The x64 calling convention
Icon
Exploring ARM assembly
Icon
Basics
Icon
Instruction sets
Icon
Basics of MIPS
Icon
Basics
Icon
The instruction set
Icon
Diving deep into PowerPC
Icon
Basics
Icon
The instruction set
Icon
Covering the SuperH assembly
Icon
Basics
Icon
The instruction set
Icon
Working with SPARC
Icon
Basics
Icon
The instruction set
Icon
Moving from assembly to high-level programming languages
Icon
Arithmetic statements
Icon
If conditions
Icon
While loop conditions
Icon
Summary
3
Section 2: Diving Deep into Windows Malware
Icon
Section 2: Diving Deep into Windows Malware
4
Basic Static and Dynamic Analysis for x86/x64
Icon
Basic Static and Dynamic Analysis for x86/x64
Icon
Working with the PE header structure
Icon
Why PE?
Icon
Exploring PE structure
Icon
MZ header
Icon
PE header
Icon
File header
Icon
Optional header
Icon
Data directory
Icon
Section table
Icon
PE+ (x64 PE)
Icon
PE header analysis tools
Icon
Static and dynamic linking
Icon
Static linking
Icon
Dynamic linking
Icon
Dynamic link libraries
Icon
Application programming interface
Icon
Dynamic API loading
Icon
Using PE header information for static analysis
Icon
How to use PE header for incident handling
Icon
How to use a PE header for threat intelligence
Icon
PE loading and process creation
Icon
Basic terminology
Icon
What's process?
Icon
Virtual memory to physical memory mapping
Icon
Threads
Icon
Important data structures: TIB, TEB, and PEB
Icon
Process loading step by step
Icon
PE file loading step by step
Icon
WOW64 processes
Icon
Dynamic analysis with OllyDbg/Immunity Debugger
Icon
Debugging tools
Icon
How to analyze a sample with OllyDbg
Icon
Types of breakpoints
Icon
Step into/step over breakpoint
Icon
INT3 breakpoint
Icon
Memory breakpoints
Icon
Hardware breakpoints
Icon
Modifying the program execution
Icon
Patching—modifying the program's assembly instructions
Icon
Change EFlags
Icon
Modifying the instruction pointer value
Icon
Changing the program data
Icon
Debugging malicious services
Icon
What is service?
Icon
Attaching to the service
Icon
Summary
5
Unpacking, Decryption, and Deobfuscation
Icon
Unpacking, Decryption, and Deobfuscation
Icon
Exploring packers
Icon
Exploring packing and encrypting tools
Icon
Identifying a packed sample
Icon
Technique 1 – checking PE tool static signatures
Icon
Technique 2 – evaluating PE section names
Icon
Technique 3 – using stub execution signs
Icon
Technique 4 – detecting a small import table
Icon
Automatically unpacking packed samples
Icon
Technique 1 – the official unpacking process
Icon
Technique 2 – using OllyScript with OllyDbg
Icon
Technique 3 – using generic unpackers
Icon
Technique 4 – emulation
Icon
Technique 5 – memory dumps
Icon
Manual unpacking using OllyDbg
Icon
Technique 6 – memory breakpoint on execution
Icon
Step 1 – setting the breakpoints
Icon
Step 2 – turning on Data Execution Prevention
Icon
Step 3 – preventing any further attempts to change memory permissions
Icon
Step 4 – executing and getting the OEP
Icon
Technique 7 – call stack backtracing
Icon
Step 1 – setting the breakpoints
Icon
Step 2 – following the call stack
Icon
Step 3 – reaching the OEP
Icon
Technique 8 – monitoring memory allocated spaces for unpacked code
Icon
Technique 9 – in-place unpacking
Icon
Technique 10 – stack restoration-based
Icon
Dumping the unpacked sample and fixing the import table
Icon
Dumping the process
Icon
Fixing the import table
Icon
Identifying different encryption algorithms and functions
Icon
Types of encryption algorithms
Icon
Basic encryption algorithms
Icon
How to identify encryption functions
Icon
String search detection techniques for simple algorithms
Icon
The basics of X-RAYING
Icon
Simple static encryption
Icon
Other encryption algorithms
Icon
X-RAYING tools for malware analysis and detection
Icon
Identifying the RC4 encryption algorithm
Icon
The RC4 encryption algorithm
Icon
Key-scheduling algorithm
Icon
Pseudo-random generation algorithm
Icon
Identifying RC4 algorithms in a malware sample
Icon
Standard symmetric and asymmetric encryption algorithms
Icon
Extracting information from Windows cryptography APIs
Icon
Step 1 – initializing and connecting to the cryptographic service provider (CSP)
Icon
Step 2 – preparing the key
Icon
Step 3 – encrypting or decrypting the data
Icon
Step 4 – freeing the memory
Icon
Cryptography API next generation (CNG)
Icon
Applications of encryption in modern malware – Vawtrak banking Trojan
Icon
String and API name encryption
Icon
Network communication encryption
Icon
Using IDA for decryption and unpacking
Icon
IDA tips and tricks
Icon
Static analysis
Icon
Dynamic analysis
Icon
Classic and new syntax of IDA scripts
Icon
Dynamic string decryption
Icon
Dynamic WinAPIs resolution
Icon
Summary
6
Inspecting Process Injection and API Hooking
chevron up
Icon
Inspecting Process Injection and API Hooking
Icon
Understanding process injection
Icon
What's process injection?
Icon
Why process injection?
Icon
DLL injection
Icon
Windows-supported DLL injection
Icon
A simple DLL injection technique
Icon
Working with process injection
Icon
Getting the list of running processes
Icon
Code injection
Icon
Advanced code injection-reflective DLL injection
Icon
Stuxnet secret technique-process hollowing
Icon
Dynamic analysis of code injection
Icon
Technique 1—debug it where it is
Icon
Technique 2—attach to the targeted process
Icon
Technique 3—dealing with process hollowing
Icon
Memory forensics techniques for process injection
Icon
Technique 1—detecting code injection and reflective DLL injection
Icon
Technique 2—detecting process hollowing
Icon
Technique 3—detecting process hollowing using the HollowFind plugin
Icon
Understanding API hooking
Icon
Why API hooking?
Icon
Working with API hooking
Icon
Inline API hooking
Icon
Inline API hooking with trampoline
Icon
Inline API hooking with a length disassembler
Icon
Detecting API hooking using memory forensics
Icon
Exploring IAT hooking
Icon
Summary
7
Bypassing Anti-Reverse Engineering Techniques
Icon
Bypassing Anti-Reverse Engineering Techniques
Icon
Exploring debugger detection
Icon
Direct check for debugger presence
Icon
Detecting a debugger through an environment change
Icon
Detecting a debugger using parent processes
Icon
Handling debugger breakpoints evasion
Icon
Detecting software breakpoints (INT3)
Icon
Detecting single-stepping breakpoints (trap flag)
Icon
Detecting a trap flag using the SS register
Icon
Detecting single-stepping using timing techniques
Icon
Evading hardware breakpoints
Icon
What is structured exception handling?
Icon
Detecting and removing hardware breakpoints
Icon
Memory breakpoints
Icon
Escaping the debugger
Icon
Process injection
Icon
TLS callbacks
Icon
Windows events callbacks
Icon
Obfuscation and anti-disassemblers
Icon
Encryption
Icon
Junk code insertion
Icon
Code transportation
Icon
Dynamic API calling with checksum
Icon
Proxy functions and proxy argument stacking
Icon
Detecting and evading behavioral analysis tools
Icon
Finding the tool process
Icon
Searching for the tool window
Icon
Detecting sandboxes and virtual machines
Icon
Different output between virtual machines and real machines
Icon
Detecting virtualization processes and services
Icon
Detecting virtualization through registry keys
Icon
Detecting virtual machines using PowerShell
Icon
Detecting sandboxes by using default settings
Icon
Other techniques
Icon
Summary
8
Understanding Kernel-Mode Rootkits
Icon
Understanding Kernel-Mode Rootkits
Icon
Kernel mode versus user mode
Icon
Protection rings
Icon
Windows internals
Icon
The infrastructure of Windows
Icon
The execution path from user mode to kernel mode
Icon
Rootkits and device drivers
Icon
What is a rootkit?
Icon
Types of rootkits
Icon
What is a device driver?
Icon
Hooking mechanisms
Icon
SSDT hooking
Icon
Hooking the SYSENTER entry function
Icon
Modifying SSDT in an x86 environment
Icon
Modifying SSDT in an x64 environment
Icon
Hooking SSDT functions
Icon
IRP hooking
Icon
Devices and major functions
Icon
Attaching to a device
Icon
Modifying the IRP response and setting a completion routine
Icon
DKOM
Icon
The kernel objects—EPROCESS and ETHREAD
Icon
How do rootkits perform an object manipulation attack?
Icon
Process injection in kernel mode
Icon
Executing the inject code using APC queuing
Icon
KPP in x64 systems (PatchGuard)
Icon
Bypassing driver signature enforcement
Icon
Bypassing PatchGuard—the Turla example
Icon
Bypassing PatchGuard—GhostHook
Icon
Disabling PatchGuard using the Command Prompt
Icon
Static and dynamic analysis in kernel mode
Icon
Static analysis
Icon
Tools
Icon
Tips and tricks
Icon
Dynamic and behavioral analysis
Icon
Tools
Icon
Monitors
Icon
Rootkit detectors
Icon
Setting up a testing environment
Icon
Setting up the debugger
Icon
Stopping at the driver's entry point
Icon
Loading the driver
Icon
Restoring the debugging state
Icon
Summary
9
Section 3: Examining Cross-Platform Malware
Icon
Section 3: Examining Cross-Platform Malware
10
Handling Exploits and Shellcode
Icon
Handling Exploits and Shellcode
Icon
Getting familiar with vulnerabilities and exploits
Icon
Types of vulnerabilities
Icon
Stack overflow vulnerability
Icon
Heap overflow vulnerabilities
Icon
The use-after-free vulnerability
Icon
Logical vulnerabilities
Icon
Types of exploits
Icon
Cracking the shellcode
Icon
What's shellcode?
Icon
Linux shellcode in x86-64
Icon
Getting the absolute address
Icon
Null-free shellcode
Icon
Local shell shellcode
Icon
Reverse shell shellcode
Icon
Linux shellcode for ARM
Icon
Null-free shellcode
Icon
Windows shellcode
Icon
Getting the Kernel32.dll's ImageBase
Icon
Getting the required APIs from Kernel32.dll
Icon
The download and execute shellcode
Icon
Static and dynamic analysis of exploits
Icon
Analysis workflow
Icon
Shellcode analysis
Icon
Exploring bypasses for exploit mitigation technologies
Icon
Data execution prevention (DEP/NX)
Icon
Return-oriented programming
Icon
Address space layout randomization
Icon
DEP and partial ASLR
Icon
DEP and full ASLR – partial ROP and chaining multiple vulnerabilities
Icon
DEP and full ASLR – heap spray technique
Icon
Other mitigation technologies
Icon
Analyzing Microsoft Office exploits
Icon
File structures
Icon
Compound file binary format
Icon
Rich text format
Icon
Office open XML format
Icon
Static and dynamic analysis of MS Office exploits
Icon
Static analysis
Icon
Dynamic analysis
Icon
Studying malicious PDFs
Icon
File structure
Icon
Static and dynamic analysis of PDF files
Icon
Static analysis
Icon
Dynamic analysis
Icon
Summary
11
Reversing Bytecode Languages: .NET, Java, and More
Icon
Reversing Bytecode Languages: .NET, Java, and More
Icon
The basic theory of bytecode languages
Icon
Object-oriented programming
Icon
Inheritance
Icon
Polymorphism
Icon
.NET explained
Icon
.NET file structure
Icon
.NET COR20 header
Icon
Metadata streams
Icon
How to identify a .NET application from PE characteristics
Icon
The CIL language instruction set
Icon
Pushing into stack instructions
Icon
Pulling out a value from the stack
Icon
Mathematical and logical operations
Icon
Branching instructions
Icon
CIL language to higher-level languages
Icon
Local variable assignments
Icon
Local variable assignment with a method return value
Icon
Basic branching statements
Icon
Loops statements
Icon
.NET malware analysis
Icon
.NET analysis tools
Icon
Static and dynamic analysis (with Dnspy)
Icon
.NET static analysis
Icon
.NET dynamic analysis
Icon
Patching a .NET sample
Icon
Dealing with obfuscation
Icon
Obfuscated names for classes, methods, and others
Icon
Encrypted strings inside the binary
Icon
The sample is obfuscated using an obfuscator
Icon
The essentials of Visual Basic
Icon
File structure
Icon
P-code versus native code
Icon
Common p-code instructions
Icon
Dissecting Visual Basic samples
Icon
Static analysis
Icon
P-code
Icon
Native code
Icon
Dynamic analysis
Icon
P-code
Icon
Native code
Icon
The internals of Java samples
Icon
File structure
Icon
JVM instructions
Icon
Static analysis
Icon
Dynamic analysis
Icon
Dealing with anti-reverse engineering solutions
Icon
Python—script language internals
Icon
File structure
Icon
Bytecode instructions
Icon
Analyzing compiled Python
Icon
Static analysis
Icon
Dynamic analysis
Icon
Summary
12
Scripts and Macros: Reversing, Deobfuscation, and Debugging
Icon
Scripts and Macros: Reversing, Deobfuscation, and Debugging
Icon
Classic shell script languages
Icon
Windows batch scripting
Icon
Bash
Icon
VBScript explained
Icon
Basic syntax
Icon
Static and dynamic analysis
Icon
Deobfuscation
Icon
Those evil macros inside documents
Icon
Basic syntax
Icon
Static and dynamic analysis
Icon
Besides macros
Icon
The power of PowerShell
Icon
Basic syntax
Icon
Static and dynamic analysis
Icon
Handling JavaScript
Icon
Basic syntax
Icon
Static and dynamic analysis
Icon
Anti-reverse engineering tricks
Icon
Behind C and C—even malware has its own backend
Icon
Things to focus on
Icon
Static and dynamic analysis
Icon
Other script languages
Icon
Where to start from
Icon
Questions to answer
Icon
Summary
13
Section 4: Looking into IoT and Other Platforms
Icon
Section 4: Looking into IoT and Other Platforms
14
Dissecting Linux and IoT Malware
Icon
Dissecting Linux and IoT Malware
Icon
Explaining ELF files
Icon
ELF structure
Icon
System calls
Icon
Filesystem
Icon
Network
Icon
Process management
Icon
Other
Icon
Syscalls in assembly
Icon
Common anti-reverse engineering tricks
Icon
Exploring common behavioral patterns
Icon
Initial delivery and lateral movement
Icon
Persistence
Icon
Privilege escalation
Icon
Interaction with the command and control server
Icon
Attacking stage
Icon
Static and dynamic analysis of x86 (32- and 64-bit) samples
Icon
Static analysis
Icon
File type detectors
Icon
Data carving
Icon
Disassemblers
Icon
Actual tools
Icon
Engines
Icon
How to choose
Icon
Dynamic analysis
Icon
Tracers
Icon
Network monitors
Icon
Debuggers
Icon
Binary emulators
Icon
Radare2 cheat sheet
Icon
Anti-reverse engineering techniques
Icon
Learning Mirai, its clones, and more
Icon
High-level functionality
Icon
Propagation
Icon
Weaponry
Icon
Self-defense
Icon
Later derivatives
Icon
Other widespread families
Icon
Static and dynamic analysis of RISC samples
Icon
ARM
Icon
MIPS
Icon
PowerPC
Icon
SuperH
Icon
SPARC
Icon
Handling other architectures
Icon
What to start from
Icon
Summary
15
Introduction to macOS and iOS Threats
Icon
Introduction to macOS and iOS Threats
Icon
Understanding the role of the security model
Icon
macOS
Icon
Security policies
Icon
Filesystem hierarchy and encryption
Icon
Directory structure
Icon
Encryption
Icon
Apps protection
Icon
Gatekeeper
Icon
App sandbox
Icon
Other technologies
Icon
iOS
Icon
System security
Icon
Data encryption and password management
Icon
Apps' security
Icon
File formats and APIs
Icon
Mach-O
Icon
Thin
Icon
Fat
Icon
Application bundles (.app)
Icon
Info.plist
Icon
macOS
Icon
iOS
Icon
Installer packages (.pkg)
Icon
Apple disk images (.dmg)
Icon
iOS app store packages (.ipa)
Icon
APIs
Icon
Static and dynamic analyses of macOS and iOS samples
Icon
Static analysis
Icon
Retrieving samples
Icon
Disassemblers and decompilers
Icon
Auxiliary tools and libraries
Icon
Dynamic and behavioral analysis
Icon
macOS
Icon
Debuggers
Icon
Monitoring and dynamic instrumentation
Icon
Network analysis
Icon
iOS
Icon
Installers and loaders
Icon
Debuggers
Icon
Dumping and decryption
Icon
Monitors and in-memory patching
Icon
Network analysis
Icon
Attack stages
Icon
Jailbreaks on demand
Icon
Penetration
Icon
Deployment and persistence
Icon
macOS
Icon
iOS
Icon
Action phase
Icon
macOS
Icon
iOS
Icon
Other attack techniques
Icon
macOS
Icon
iOS
Icon
Advanced techniques
Icon
Anti-reverse-engineering (RE) tricks
Icon
Misusing dynamic data exchange (DDE)
Icon
User hiding
Icon
Use of AppleScript
Icon
API hijacking
Icon
Rootkits for Mac—do they exist?
Icon
Analysis workflow
Icon
Summary
16
Analyzing Android Malware Samples
Icon
Analyzing Android Malware Samples
Icon
(Ab)using Android internals
Icon
File hierarchy
Icon
Android security model
Icon
Process management
Icon
Filesystem
Icon
App permissions
Icon
Security services
Icon
Console
Icon
To root or not to root?
Icon
Understanding Dalvik and ART
Icon
Dalvik VM (DVM)
Icon
Android runtime (ART)
Icon
APIs
Icon
File formats
Icon
DEX
Icon
ODEX
Icon
OAT
Icon
VDEX
Icon
ART
Icon
ELF
Icon
APK
Icon
Bytecode set
Icon
Malware behavior patterns
Icon
Attack stages
Icon
Penetration
Icon
Deployment
Icon
Action phase
Icon
Advanced techniques—investment pays off
Icon
Patching system libraries
Icon
Keylogging
Icon
Self-defense
Icon
Rootkits—get it covered
Icon
Static and dynamic analysis of threats
Icon
Static analysis
Icon
Disassembling and data extraction
Icon
Decompiling
Icon
Dynamic analysis
Icon
Android debug bridge
Icon
Emulators
Icon
Behavioral analysis and tracing
Icon
Debuggers
Icon
Analysis workflow
Icon
Summary
17
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Leave a review - let other readers know what you think

Inline API hooking with a length disassembler

As we have seen in the previous techniques, API hooking is quite simple when you use the mov edi, edi instruction at the beginning of each API, which makes the first five bytes predictable for API hooking functionality. Unfortunately, this can't always be the case with all Windows APIs, so sometimes malware families have to disassemble the first few instructions to avoid breaking the API.

Some malware families such as Vawtrak use a length disassembler to replace a few instructions (with a size equal or greater than five bytes) with the jmp instruction to the hooking function, as shown in the following screenshot. Then, they copy these instructions to the trampoline and add a jmp instruction to the API:

Figure 18. The Vawtrak API hooking with a disassembler

The main goal of this is to ensure that the trampoline doesn't jmp back to the API in the middle of the instruction and to make the API hooking work seamlessly without any unpredictable...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 26
Next Section

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY