Learning Malware Analysis

By: Monnappa K A
Overview of this book

Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. With adversaries becoming sophisticated and carrying out advanced malware attacks on critical infrastructures, data centers, and private and public organizations, detecting, responding to, and investigating such intrusions is critical to information security professionals. Malware analysis and memory forensics have become must-have skills to fight advanced malware, targeted attacks, and security breaches. This book teaches you the concepts, techniques, and tools to understand the behavior and characteristics of malware through malware analysis. It also teaches you techniques to investigate and hunt malware using memory forensics. This book introduces you to the basics of malware analysis, and then gradually progresses into the more advanced concepts of code analysis and memory forensics. It uses real-world malware samples, infected memory images, and visual diagrams to help you gain a better understanding of the subject and to equip you with the skills required to analyze, investigate, and respond to malware-related incidents.

1. Lab Environment Overview


When performing dynamic analysis, you will be executing the malware specimen, so you need a safe and isolated lab environment to prevent your production system from being infected. To demonstrate the concepts, I will be using the isolated lab environment that was configured in Chapter 1, Introduction to Malware Analysis. The following diagram shows the lab environment that will be used to perform dynamic analysis; the same lab architecture is used throughout the book:

In this setup, both the Linux and Windows VMs were configured to use the host-only network configuration mode. The Linux VM was preconfigured with the IP address 192.168.1.100, and the IP address of the Windows VM was set to 192.168.1.50. The default gateway and the DNS server of the Windows VM were set to the IP address of the Linux VM (192.168.1.100), so all the Windows VM's network traffic is routed through the Linux VM.
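Before detonating a sample it is worth confirming that the lab really matches this description. The following script is an added example (not from the book); it parses constructed `ipconfig /all` output from the Windows VM and constructed `ip route` output from the Linux VM, and reports any deviation from the invariants above: Windows at 192.168.1.50, its gateway and DNS pointing at the Linux VM at 192.168.1.100, and no default route on the Linux VM that could let traffic leave the host-only network.

```python
import re
from typing import Dict, List

LINUX_VM_IP = "192.168.1.100"    # values from the chapter's lab setup
WINDOWS_VM_IP = "192.168.1.50"

# Constructed sample of 'ipconfig /all' output captured on the Windows VM.
WINDOWS_IPCONFIG = """
Ethernet adapter Ethernet0:
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.100
   DNS Servers . . . . . . . . . . . : 192.168.1.100
"""

# Constructed sample of 'ip route' output on the Linux VM: only the lab subnet, no default route.
LINUX_ROUTES = """
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100
"""


def parse_ipconfig(text: str) -> Dict[str, str]:
    """Pull the IPv4 address, default gateway and DNS server out of ipconfig /all style output."""
    fields: Dict[str, str] = {}
    for key, label in (("ip", "IPv4 Address"), ("gateway", "Default Gateway"), ("dns", "DNS Servers")):
        # ipconfig pads labels with ' . . .' before the colon; the value is the first dotted quad after it
        m = re.search(re.escape(label) + r"[ .]*: (\d+\.\d+\.\d+\.\d+)", text)
        if m:
            fields[key] = m.group(1)
    return fields


def check_lab(ipconfig: str, routes: str) -> List[str]:
    """Return the list of invariant violations; an empty list means the lab matches the book's setup."""
    problems: List[str] = []
    win = parse_ipconfig(ipconfig)
    if win.get("ip") != WINDOWS_VM_IP:
        problems.append(f"Windows VM IP is {win.get('ip')}, expected {WINDOWS_VM_IP}")
    if win.get("gateway") != LINUX_VM_IP:
        problems.append("Windows default gateway does not point at the Linux VM")
    if win.get("dns") != LINUX_VM_IP:
        problems.append("Windows DNS server does not point at the Linux VM")
    # Host-only isolation: a default route on the Linux VM could forward malware traffic out of the lab.
    if re.search(r"^default\b", routes, re.MULTILINE):
        problems.append("Linux VM has a default route; traffic could leave the lab")
    return problems


if __name__ == "__main__":
    for line in check_lab(WINDOWS_IPCONFIG, LINUX_ROUTES) or ["lab configuration matches the expected setup"]:
        print(line)
```

Run it against the real `ipconfig /all` and `ip route` output from your own VMs instead of the constructed samples to validate a freshly built lab.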

The Windows VM will be used to execute the malware sample during analysis, and...