Index
A
- analysis
- prerequisites / Fortifying your debrief
- analysis passes
- about / Sharpening the scalpel
- AND gate
- about / Boolean logic and bit masks
- API Monitor
- URL / Monitoring
- assembler
- about / Motivation
- assembly code
- about / Motivation
- assembly language
- about / The initiation ritual
- Authenticode Digital Signature Viewer
B
- base conversion
- about / Base conversion
- binary, to hexadecimal / Binary to hexadecimal (and vice versa)
- hexadecimal, to binary / Binary to hexadecimal (and vice versa)
- decimal, to binary / Decimal to binary (and vice versa)
- binary, to decimal / Decimal to binary (and vice versa)
- octal base conversion / Octal base conversion
- binary
- converting, to hexadecimal / Binary to hexadecimal (and vice versa)
- converting, to decimal / Decimal to binary (and vice versa)
- binary reconnaissance, performing
- about / Performing binary reconnaissance
- malware, scanning on web / Scanning malware on the web
- view, obtaining with PEView / Getting a great view with PEView
- PEInsider, using / Know the ins and outs with PEInsider
- PEiD, using / Identifying with PEiD
- DeepFreeze, using / Walking on frozen terrain with DeepFreeze
- HexEditors, using / Meeting the rex of HexEditors
- string theory, digesting with strings / Digesting string theory with strings
- hashing utilities, using / Hashish, pot, and stashing with hashing tools
- XNResource, using / Getting resourceful with XNResource Editor
- Dependency Walker, using / Too much leech with Dependency Walker
- Dumpbin / Getting dumped by Dumpbin
- Binder
- about / Fortifying your debrief
- BinText
- bit masking
- about / Bit masking
- Bochs
- about / Next steps and prerequisites
- Bochs 2.4.6
- Boolean logic
- about / Boolean logic and bit masks
- branch lists
- about / Sharpening the scalpel
- BSA Buster Sandbox
- URL / User mode sandboxing
- BSA Buster Sandbox Analyzer
- byte code decompilers
- about / Byte code decompilers
C
- Canari
- URL / Malware intelligence
- about / Malware Control Monitor
- carry flag
- about / Special-purpose registers
- CleanMX
- URL / Sandboxing and reporting
- code constructs, x86 disassembly
- about / Code constructs in x86 disassembly
- for loop / The for loop
- while loop / The while loop
- do-while loop / The do-while loop
- if-then-else loop / The if-then-else loop
- switch case / A switch case
- structs / Structs
- linked lists / Linked lists
- COFF Specification
- reference link / Scanning malware on the web
- collector types
- combinations
- about / Number systems
- Combinatorics
- about / Number systems
- command types, Windbg
- about / Command types
- regular / Command types
- meta / Command types
- extension / Command types
- complements
- about / Signed numbers and complements
- Complex Instruction Set Computer (CISC)
- about / Motivation
- Comprehensive Redline Collectors
- console-based C program
- writing, in Visual Studio C++ 2008 Express Edition / The initiation ritual
- CreateThread API
- about / New thread creation
- Cuckoo
- Cuckoo Sandbox
- URL / User mode sandboxing, Malware intelligence, Sandboxing and reporting
- feature set / Sandboxing and reporting
- formats / Sandboxing and reporting
D
- Dark Seoul
- references / Debriefing – seeing the forest for the trees
- Data Type Inspection and Display
- about / Data Type Inspection and Display
- headers, displaying / Display headers
- pocket calculator / Pocket calculator
- base converter / Base converter
- unassembly / Unassembly and disassembly
- disassembly / Unassembly and disassembly
- Debugger Interaction-Step-In / Debugger Interaction-Step-In, Step Over, Execute till Return
- Step Over / Debugger Interaction-Step-In, Step Over, Execute till Return
- Execute Till Return / Debugger Interaction-Step-In, Step Over, Execute till Return
- registers / Registers
- call trace / Call trace and walking the stack
- stack, walking / Call trace and walking the stack
- breakpoints / Breakpoints
- first chance debugging / First chance and second chance debugging
- second chance debugging / First chance and second chance debugging
- debugger implementation overview / A debugger implementation overview
- symbols, examining / Examine symbols
- Debugging Tools for Windows (x86)
- decimal
- converting, to binary / Decimal to binary (and vice versa)
- decoding
- DeepFreeze
- Deep Freeze
- default box
- Dependency Walker
- direction flag
- about / Special-purpose registers
- disassembler
- about / Sharpening the scalpel
- disassemblers
- text, disassembling in / The initiation ritual
- disassembly, of native code
- about / Motivation
- DLoad
- do-while loop
- about / The do-while loop
- document analysis
- about / Document analysis
- document analysis, tools
- OfficeCat / Document analysis
- OfficeMalScanner / Document analysis
- OffVis / Document analysis
- PDF Examiner / Document analysis
- Wepawet / Document analysis
- PDF StreamDumper / Document analysis
- SWF Decompiler / Document analysis
- dry run
- about / Breathing in the ephemeral realm
- Dumpbin
- about / Getting dumped by Dumpbin
- dynamic analysis
- about / Breathing in the ephemeral realm
- dynamic in-memory function pointers table
- dynamic versioning / Static and dynamic analysis:
E
- 010 Editor
- URL / MISC
- encoding
- Entropy
- overview / Entropy
- ephemeral realm
- about / Breathing in the ephemeral realm
- executive summaries
- executive synopsis
- about / Executive synopsis
- ExeInfo
- about / Releasing the Jack-in-the-Box
F
- FakeNet
- URL / Monitoring
- far jump
- about / The initiation ritual
- Fast Library Identification and Recognition Technology (FLIRT)
- about / Getting to know IDA Pro
- FileAlyzer
- URL / Fingerprinting
- Filealyzer 2
- Firebug
- for loop
- about / The for loop
- full analysis, performing steps
- fingerprinting / Step 1 – fingerprinting
- static analysis / Step 2 – static and dynamic analysis
- dynamic analysis / Step 2 – static and dynamic analysis
- full analysis, performing steps
- about / Summoning the demon!
- function prologue
- about / The initiation ritual
- fuzzy hash
- reference link / Hashish, pot, and stashing with hashing tools
G
- G command, in IDA Pro / Windbg 'G' command in IDA Pro
- general-purpose registers, Intel microprocessor
H
- HashMyFiles
- Heaventools PE Explorer
- hexadecimal
- converting, to binary / Binary to hexadecimal (and vice versa)
- HexEditors
- about / Meeting the rex of HexEditors
- Hex Workshop
- about / Meeting the rex of HexEditors
- honeypots
- references / Monitoring and visualization
- HxD Editor
- URL / MISC
I
- IA32 instruction set
- reference link / Motivation
- IDA Pro
- about / Getting dumped by Dumpbin
- overview / Getting to know IDA Pro, Knowing your bearings in IDA Pro
- hooking up with / Hooking up with IDA Pro
- G command / Windbg 'G' command in IDA Pro
- IDA Pro 6.1
- IDA Pro Kernel Debugging Setup
- if-then-else loop
- about / The if-then-else loop
- immediate value
- about / Special-purpose registers
- Import Reconstructor
- about / Releasing the Jack-in-the-Box
- ImpRec
- about / Releasing the Jack-in-the-Box
- Indicators of Compromise (IOC)
- Indicators of Compromise (IOCs)
- about / Step 1 – fingerprinting
- inline assembler
- about / The initiation ritual
- using / Preparing the alter
- Inspector
- about / Fortifying your debrief
- instruction sequence
- about / Motivation
- Intel microprocessor
- general-purpose registers / Motivation, Registers
- special-purpose registers / Special-purpose registers
- Intermediate Language (IL)
- about / Byte code decompilers
- Interrupt Descriptor Table (IDT)
- about / Data Type Inspection and Display
- In The Wild (ITW)
- about / Next steps and prerequisites
- IRP (I/O Request Packets)
- about / Data Type Inspection and Display
J
- Jad
- URL / Byte code decompilers
- Joe sandbox
- URL / Sandboxing and reporting
- JSDetox
- Jsunpack
- jump list
- about / Sharpening the scalpel
- Just-In-Time (JIT) / The static library generator
K
- KANAL plugin / Identifying with PEiD
- kernel debugging
- about / Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware
- syscalls / Syscalls
- WDK procurement / WDK procurement
- Symbols, finding in WINDBG/IDA PRO / Finding symbols in WINDBG/IDA PRO
- help file / Getting help
- Running Processes, enumerating / Enumerating Running Processes
- loaded modules, enumerating / Enumerating Loaded Modules
L
- lab setup
- performing / Preparing for D-Day – lab setup
- linked lists
- about / Linked lists
- Linux
- wiretapping, for network traffic analysis / Wiretapping Linux for network traffic analysis
- Literature and Latte
- URL / Fortifying your debrief
M
- Malc0de
- URL / Sandboxing and reporting
- Malcom
- URL / Malware intelligence
- about / Malware Control Monitor
- malicious web script analysis
- about / Malicious Web Script Analysis
- JS/Dropper, taking apart / Taking apart JS/Dropper
- Preliminary Dumping and Analysis / Preliminary dumping and analysis
- Static and Dynamic Analysis / Static and dynamic analysis:
- Embedded Exploits / Embedded exploits
- Maltrieve crawls
- Malc0de / Sandboxing and reporting
- Malware Domain List / Sandboxing and reporting
- VX Vault / Sandboxing and reporting
- URLquery / Sandboxing and reporting
- CleanMX / Sandboxing and reporting
- ZeusTracker / Sandboxing and reporting
- Malware URLs / Sandboxing and reporting
- malware
- scanning, on web / Scanning malware on the web
- selecting / Debriefing – seeing the forest for the trees
- malware analysis
- commercial tools, prerequisites / Next steps and prerequisites
- Malware Communication Analyzer
- about / Malware Control Monitor
- Malware Control Monitor
- URL / Malware intelligence
- about / Malware Control Monitor
- Malware Domain List
- URL / Sandboxing and reporting
- Malware Intelligence
- about / Malware intelligence
- monitoring / Monitoring and visualization
- visualization / Monitoring and visualization
- sandboxing / Sandboxing and reporting
- reporting / Sandboxing and reporting
- Malware Memory Forensics
- Malware Risk Index (MRI)
- Malware samples crawler
- URL / Malware intelligence
- malware specific commands
- reference link / Volatility
- Malware URLs
- URL / Sandboxing and reporting
- Malzilla
- MapBox
- URL / Malware Control Monitor
- MBR infection
- about / MBR infection
- MBR integrity
- verifying / Verifying MBR integrity
- MBR reading
- about / MBR reading
- mechanism, XMLHTTP
- reference link / Static and dynamic analysis:
- memory addressing
- about / Special-purpose registers
- memory regions
- de-obfuscating / Encoding/decoding – XOR Deobfuscation
- Microsoft Intermediate Language (MSIL) / The static library generator
- Microsoft PE
- reference link / Scanning malware on the web
- mitigation
- about / Mitigation
- mnemonic
- about / Motivation
- Modern Honey Network
- Most Significant Bit (MSB)
- about / Signed numbers and complements
- MSDN via Internet
- URL / MISC
- multi-snort and honeypot sensor management
- about / Monitoring and visualization
N
- natural or processor word / Binary to hexadecimal (and vice versa)
- near jump
- about / The initiation ritual
- negative numbers
- about / Signed numbers and complements
- network activity
- about / Network activity
- registry activity / Registry activity
- networking modes, VMWare
- Bridged / Preparing for D-Day – lab setup
- NAT / Preparing for D-Day – lab setup
- Host-only / Preparing for D-Day – lab setup
- Custom / Preparing for D-Day – lab setup
- network traffic analysis
- Linux, wiretapping for / Wiretapping Linux for network traffic analysis
- nibble
- about / Number systems
- notation system
- about / Number systems
- number system
- about / Number systems
- base conversion / Base conversion
O
- objects
- about / Objects
- octal base conversion / Octal base conversion
- OfficeCat
- URL / Document analysis
- OfficeMalScanner
- URL / Document analysis
- OffVis
- URL / Document analysis
- OllyBone plugin
- about / Releasing the Jack-in-the-Box
- OllyDBG 1.10/2.0
- OllyDump plugin
- about / Releasing the Jack-in-the-Box
- On-Access Scanning
- about / Scanning malware on the web
- On-Demand Scanning
- about / Scanning malware on the web
- OpenIOC
- ordinals
- about / Getting dumped by Dumpbin
- OR gate
- about / Boolean logic and bit masks
- OSR Driver Loader
- overflow flag
- about / Special-purpose registers
P
- packed binaries
- PackerBreaker
- about / Releasing the Jack-in-the-Box
- parity flag
- about / Special-purpose registers
- payload code region
- about / Payload
- PDF Examiner
- URL / Document analysis
- PDF StreamDumper
- URL / Document analysis
- PE/COFF (Common Object File Format) / The static library generator
- PEB (Process Environment Block)
- about / Data Type Inspection and Display
- PEB traversal code
- about / The PEB traversal code
- PE Explorer
- about / Getting dumped by Dumpbin
- binaries, exploring / Exploring the universe of binaries on PE Explorer
- PE format
- reference link / Scanning malware on the web
- PEiD
- PEiD/ExeInfo
- PEInsider
- percent-encoding
- about / Embedded exploits
- permutations
- about / Number systems
- PEView
- about / Getting a great view with PEView
- PEView tool / The static library generator
- post infection
- about / Post infection
- ProcDOT
- URL / Monitoring
- ProcDot
- Process Environment Block (PEB)
- about / Special-purpose registers
- program counters
- about / Special-purpose registers
Q
- Quick Function Syntax Lookup
R
- Redline
- about / Redline – malware memory forensics
- working / Redline – malware memory forensics
- Redline.msi package
- URL, for downloading / Redline – malware memory forensics
- Reduced Instruction Set Computer (RISC)
- about / Motivation
- registers
- about / Registers
- relay switch
- about / Boolean logic and bit masks
- Resource Editor
- resume flag
- about / Special-purpose registers
- return list
- about / Sharpening the scalpel
S
- Sandboxie
- URL / User mode sandboxing
- scanning modes, PEiD
- normal / Identifying with PEiD
- deep / Identifying with PEiD
- hardcore / Identifying with PEiD
- Scrivener
- about / Fortifying your debrief
- section object creation
- about / Section object creation
- SEH (Structured Exception Handling) / First chance and second chance debugging
- semaphores
- about / Objects
- short jump
- about / The initiation ritual
- signed data type overflow conditions table
- signed numbers
- about / Signed numbers and complements
- special-purpose registers, Intel microprocessor
- about / Special-purpose registers
- Standard Redline Collectors
- static library generator
- about / The static library generator
- static versioning / Static and dynamic analysis:
- structs
- about / Structs
- Structured Exception Handling (SEH)
- about / Special-purpose registers
- SWF Decompiler
- URL / Document analysis
- switch case
- about / A switch case
- Symbols
- finding, in WINDBG/IDA PRO / Finding symbols in WINDBG/IDA PRO
- syscalls
- about / Syscalls
- Sysinternals Suite
- about / Digesting string theory with strings
- URL / Monitoring
- system programming, Intel chips
- reference link / Motivation
T
- taskkill invocation, for antivirus services
- temp file check
- about / Temp file check
- thread
- creating / New thread creation
- TitanEngine
- about / Releasing the Jack-in-the-Box
- tools, debugging and disassembly
- OllyDBG 1.10/2.0 / Debugging and disassembly
- IDA Pro 6.1 or above / Debugging and disassembly
- Debugging Tools for Windows (x86) / Debugging and disassembly
- Bochs 2.4.6 / Debugging and disassembly
- tools, fingerprinting
- PEiD/ExeInfo / Whippin' out your arsenal
- Heaventools PE Explorer / Whippin' out your arsenal
- Yara / Whippin' out your arsenal
- FileAlyzer (with ssdeep.dll for ssdeep hashes) / Fingerprinting
- tools, MISC
- tools, monitoring
- FakeNet / Monitoring
- Sysinternals Suite / Monitoring
- ProcDOT / Monitoring
- API Monitor / Monitoring
- Win32Override / Monitoring
- tools, user mode sandboxing
- Sandboxie / Whippin' out your arsenal
- BSA Buster Sandbox / User mode sandboxing
- Cuckoo Sandbox / User mode sandboxing
- VMWare / Debugging and disassembly
- Total Commander
- URL / Fortifying your debrief
- trap flag
- about / Special-purpose registers
U
- 592 UDP port
- about / Embedded exploits
- Ultimate Packer for Executables (UPX)
- about / Compression sacks and straps
- Unicode
- reference link / Bit masking
- UPX
- URL, for downloading / Releasing the Jack-in-the-Box
- URLquery
- URL / Sandboxing and reporting
V
- VB decompiler
- URL / Byte code decompilers
- VC++ debugger
- about / The initiation ritual
- VDL (Virus Definition Language)
- VirtualBox
- about / Preparing for D-Day – lab setup
- VirtualKD
- VirusTotal
- URL / Step 1 – fingerprinting
- Visual Studio C++ 2008 Express Edition
- console-based C program, writing in / The initiation ritual
- VMWare
- about / Preparing for D-Day – lab setup
- networking modes / Preparing for D-Day – lab setup
- URL / User mode sandboxing
- VX Vault
- URL / Sandboxing and reporting
W
- WDK procurement
- about / WDK procurement
- web
- malware, scanning on / Scanning malware on the web
- Wepawet
- URL / Document analysis
- while loop
- about / The while loop
- Win32Override
- URL / Monitoring
- Windbg
- about / Next steps and prerequisites
- command types / Command types
- WINDBG/IDA PRO
- Symbols, finding in / Finding symbols in WINDBG/IDA PRO
- Windows help file / Getting help
- WinHex
- about / Meeting the rex of HexEditors
- URL / MISC
- word (computer architecture)
X
- x86 disassembly
- code constructs / Code constructs in x86 disassembly
- XNResource Editor
- XOR Boolean operation
- XORSearch
- reference link / Encoding/decoding – XOR Deobfuscation
- XORStrings
- reference link / Encoding/decoding – XOR Deobfuscation
Y
- Yara
- Yara signatures
- about / Yara signatures
- meta section / Yara signatures
- strings section / Yara signatures
- condition section / Yara signatures
Z
- zero flag
- about / Special-purpose registers
- ZeusTracker
- URL / Sandboxing and reporting