Learning Malware Analysis

Learning Malware Analysis

By : Monnappa K A

5 (1)

Buy this Book

Learning Malware Analysis

5 (1)

By: Monnappa K A

Buy this Book

Overview of this book

Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. With adversaries becoming sophisticated and carrying out advanced malware attacks on critical infrastructures, data centers, and private and public organizations, detecting, responding to, and investigating such intrusions is critical to information security professionals. Malware analysis and memory forensics have become must-have skills to fight advanced malware, targeted attacks, and security breaches. This book teaches you the concepts, techniques, and tools to understand the behavior and characteristics of malware through malware analysis. It also teaches you techniques to investigate and hunt malware using memory forensics. This book introduces you to the basics of malware analysis, and then gradually progresses into the more advanced concepts of code analysis and memory forensics. It uses real-world malware samples, infected memory images, and visual diagrams to help you gain a better understanding of the subject and to equip you with the skills required to analyze, investigate, and respond to malware-related incidents.

Title Page

Dedication

Packt Upsell

Contributors

Preface

Free Chapter

Introduction to Malware Analysis

1. What Is Malware?

2. What Is Malware Analysis?

3. Why Malware Analysis?

4. Types Of Malware Analysis

5. Setting Up The Lab Environment

6. Malware Sources

Summary

Static Analysis

1. Determining the File Type

2. Fingerprinting the Malware

3. Multiple Anti-Virus Scanning

4. Extracting Strings

5. Determining File Obfuscation

6. Inspecting PE Header Information

7. Comparing And Classifying The Malware

Summary

Dynamic Analysis

1. Lab Environment Overview

2. System And Network Monitoring

3. Dynamic Analysis (Monitoring) Tools

4. Dynamic Analysis Steps

5. Putting it All Together: Analyzing a Malware Executable

6. Dynamic-Link Library (DLL) Analysis

Summary

Assembly Language and Disassembly Primer

1. Computer Basics

2. CPU Registers

3. Data Transfer Instructions

4. Arithmetic Operations

5. Bitwise Operations

6. Branching And Conditionals

7. Loops

8. Functions

9. Arrays And Strings

10. Structures

11. x64 Architecture

12. Additional Resources

Summary

Disassembly Using IDA

1. Code Analysis Tools

2. Static Code Analysis (Disassembly) Using IDA

3. Disassembling Windows API

4. Patching Binary Using IDA

5. IDA Scripting and Plugins

Summary

Debugging Malicious Binaries

1. General Debugging Concepts

2. Debugging a Binary Using x64dbg

3. Debugging a Binary Using IDA

4. Debugging a .NET Application

Summary

Malware Functionalities and Persistence

1. Malware Functionalities

2. Malware Persistence Methods

Summary

Code Injection and Hooking

1. Virtual Memory

2. User Mode And Kernel Mode

3. Code Injection Techniques

4. Hooking Techniques

5. Additional Resources

Summary

Malware Obfuscation Techniques

1. Simple Encoding

2. Malware Encryption

3. Custom Encoding/Encryption

4. Malware Unpacking

Summary

Hunting Malware Using Memory Forensics

1. Memory Forensics Steps

2. Memory Acquisition

3. Volatility Overview

4. Enumerating Processes

5. Listing Process Handles

6. Listing DLLs

7. Dumping an Executable and DLL

8. Listing Network Connections and Sockets

9. Inspecting Registry

10. Investigating Service

11. Extracting Command History

Summary

Detecting Advanced Malware Using Memory Forensics

1. Detecting Code Injection

2. Investigating Hollow Process Injection

3. Detecting API Hooks

4. Kernel Mode Rootkits

5. Listing Kernel Modules

6. I/O Processing

7. Displaying Device Trees

8. Detecting Kernel Space Hooking

9. Kernel Callbacks And Timers

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think

Index

Customer Reviews

5 (1)

5 star

100%

4 star

3 star

2 star

1 star

4. Hooking Techniques

So far, we have looked at different code injection techniques to execute malicious code. Another reason an attacker injects code (mostly DLL, but it can also be an executable or shellcode) into the legitimate (target) process is to hook the API calls made by the target process. Once a code is injected into the target process, it has full access to the process memory and can modify its components. The ability to alter the process memory components allows an attacker to replace the entries in the IAT or modify the API function itself; this technique is referred to as hooking. By hooking an API, an attacker can control the execution path of the program and re route it to the malicious code of his choice. The malicious function can then:

Block calls made to the API by legitimate applications (such as security products).
Monitor and intercept input parameters passed to the API.
Filter the output parameters returned from the API.

In this section, we will look at different types...

Learning Malware Analysis

By : Monnappa K A

Learning Malware Analysis

By: Monnappa K A

Overview of this book

Related Content you might be interested in

Current Title:

Learning Malware Analysis

Mastering Malware Analysis

Mastering Reverse Engineering

Antivirus Bypass Techniques

4. Hooking Techniques