Book Image

Windows Malware Analysis Essentials

By : Victor Marak
Book Image

Windows Malware Analysis Essentials

By: Victor Marak

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Windows Malware Analysis Essentials
Victor Marak
Sep, 2015 | 330 pages
No titles found
Table of Contents (13 chapters)
Windows Malware Analysis Essentials
Windows Malware Analysis Essentials
Credits
Credits
About the Author
About the Author
Acknowledgments
Acknowledgments
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Down the Rabbit Hole
Down the Rabbit Hole
Number systems
Signed numbers and complements
Boolean logic and bit masks
Breathing in the ephemeral realm
Sharpening the scalpel
Performing binary reconnaissance
Exploring the universe of binaries on PE Explorer
Getting to know IDA Pro
Entropy
Summary
2
Dancing with the Dead
Dancing with the Dead
Motivation
Registers
The initiation ritual
Preparing the alter
Code constructs in x86 disassembly
Summary
3
Performing a Séance Session
Performing a Séance Session
Fortifying your debrief
Debriefing – seeing the forest for the trees
Preparing for D-Day – lab setup
Whippin' out your arsenal
Summoning the demon!
Post infection
Exorcism and the aftermath – debrief finale!
Summary
4
Traversing Across Parallel Dimensions
Traversing Across Parallel Dimensions
Compression sacks and straps
Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware
Summary
5
Good versus Evil – Ogre Wars
Good versus Evil – Ogre Wars
Wiretapping Linux for network traffic analysis
Encoding/decoding – XOR Deobfuscation
Malicious Web Script Analysis
Byte code decompilers
Document analysis
Redline – malware memory forensics
Malware intelligence
Summary
Index
Index

Post infection

The shutdown function is executed as follows:

0040211F  /. 55    PUSH EBP
00402120  |. 8BEC  MOV EBP,ESP
00402122  |. 83EC >SUB ESP,10
00402125  |. 56    PUSH ESI
00402126  |. 8B75 >MOV ESI,DWORD PTR SS:[EBP+8]
00402129  |. 57    PUSH EDI
0040212A  |. 33FF  XOR EDI,EDI
0040212C  |. 57    PUSH EDI
0040212D  |. 8D86 >LEA EAX,DWORD PTR DS:[ESI+58E]
00402133  |. 50    PUSH EAX
00402134  |. FF96 >CALL DWORD PTR DS:[ESI+394]
;kernel32.WinExec

With parameters:

Nopping that part out (select the code area in the CPU window, press space, type nop in the dialog box, and then press Enter), so that it does not execute, we reach:

0040213A  |. 68 10>PUSH 2710
0040213F  |. FF96 >CALL DWORD PTR DS:[ESI+354]              ;
kernel32.Sleep

You can change the value in the stack just before the call to sleep is made to 0 to save time.

Call to LookupPrivilegeValue():

00402164  |. 8D86 >LEA EAX,DWORD PTR DS:[ESI+59F]
0040216A  |. 50    PUSH EAX
0040216B  |. 57    PUSH EDI
0040216C ...
Previous Section
End of Section 7
Next Section