
Windows Malware Analysis Essentials

By : Victor Marak


Preface

Welcome to Windows Malware Analysis Essentials. This book will help you demystify the process of analyzing Windows-specific malware, and it will show you how to work with the weapons in the malware analysts' arsenal. It will also help you develop skills to analyze malware on your own with informed confidence.

Malware is a big and global business—with malware fighters a relatively reclusive and closed community since the inception of the antivirus industry. This also means that anti-malware technologies are a relative mystery to most regular folk with a dichotomy existing perpetually. Only recently have extensive steps been taken to alleviate this problem, which is becoming more and more visible and pervasive. Even gaining knowledge has become an expensive affair with training and courses running into many thousands of dollars for relatively foundational information. The training market does have value and an audience, but the IT masses do not have much access to it, even if the interest is there. Malware has moved on from being a sport or hobby to organized crime and even though the hacker community shares between them, the IT crowd is not very initiated or well informed. Skilled manpower is required, and right now, demand exceeds supply. Working in an anti-malware firm is not the only way to fight malware, and with signature-based detection slowly becoming an unwieldy technology, more minds are required to innovate or invent new solutions to existing challenges. This has to be a multipronged approach taking from data analytics, mathematics, biology, law enforcement, and of course, computers, among a host of other requirements. Getting up to speed with the fundamentals of malware analysis makes things more manageable when the proverbial stuff hits the fan.

The book will commence with the essentials of computing, where you get a foothold for the challenges ahead. It will show you how to decipher disassembly text obtained from the analysis of compiled binary code and acclimatize you to the battery of tools at your disposal. It will also give you an unprecedented look at the myriad ways in which an analyst can approach the analysis of real-world malware, and point you in the right direction in order to start building your own malware lab, gathering intelligence, and revealing maleficent agents through thorough investigation. This book will, as a rite of passage, effectively prepare you to be the anti-malware warrior you always wanted to be.

What this book covers

Chapter 1, Down the Rabbit Hole, prepares you for the challenges ahead by reviewing some essential computing concepts, which must be mastered before you commence analysis of malware. You will explore number bases, binary arithmetic, and boolean algebra. This chapter also covers the malware analysts' toolkit and introduces IDA Pro, the Portable Executable format, and instances of reverse engineering program binaries on the Windows platform. This will set the pace for the activities in the chapters ahead.

Chapter 2, Dancing with the Dead, covers x86 assembly programming using VC++ 2008 and MASM32. You will then proceed with x86 disassembly of a compiled code binary and its analysis in the VC++ IDE. Finally, you will explore the myriad configurations needed to do assembly programming in the VC++ environment, and end with a detailed overview of common data structures and code constructs in C and x86 assembly.

Chapter 3, Performing a Séance Session, demonstrates a complete end-to-end malware analysis of real-world destructive malware. You will get unprecedented insight into an analysis session along with configurations, tips and tricks, and step-by-step progression towards a full analysis, right up to signature generation and report creation for the entire set of malware samples.

Chapter 4, Traversing Across Parallel Dimensions, delves into kernel-mode concepts and the fundamentals of Windows internals, which will help you with your analysis and understanding of the overall framework you are dealing with. You will work with IDA Pro and Windbg as the primary weapons for kernel mode analysis.

Chapter 5, Good versus Evil – Ogre Wars, rounds off the earlier excursions with a general set of devices—from the configuration of the Linux virtual machine guest for wiretapping the network activity of malware, to exploring XOR deobfuscations programmatically. Thereafter, you will revisit malware analysis with a different target—malicious web scripts, and you will learn how the innards are picked one by one, gathering information about the exploits used, the various infection vectors, dealing with obfuscated JavaScript and working with a rather familiar set of new tools. You will also be introduced to Mandiant Redline for malware forensics, and finally end the tour with a discussion of bytecode decompilation utilities and open source tools for malware intelligence gathering.

What you need for this book

Apart from a working brain (which is not optional), you will need:

  • Any x86/x64 PC/laptop (recent Mac hardware too), which is any system you have purchased in the past 5 years or so, with a version of Windows XP/7/8 or above. If you are on Mac OS, you can additionally use virtualization software such as VMware Fusion or Parallels to run the examples in Windows OS versions. Please refer to the respective software manuals for the installation procedures.

  • Some commercial tools that also have free versions on the vendor website (for instance, IDA Pro).

  • Visual C++ 2008, which is the minimum version you will need in order to work with the programming examples and exercises in this book.

  • VMWare and VirtualBox, which are two software solutions to virtualization that will be instrumental in keeping your system safe and completing the malware analysis-specific workflows discussed in this book.

Most of the analysis tools are available as free downloads from the links included as they are mentioned in the chapters ahead.

Who this book is for

This book is best for someone who has an interest in and aptitude for reverse engineering Windows executables and wants to specialise in malware analysis. Prior experience is recommended but not mandatory, as the reader is introduced to the topic step by step. The book presents the malware analysis thought process using a very hands-on approach with complete and thorough walkthroughs, which will give any analyst the confidence to approach this task on their own the next time around.

"Ideally a book would have no order to it, and the reader would have to discover his own" - Mark Twain.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "Insert your data type of choice inside the sizeof() operator."

A block of code is set as follows:

#include <stdio.h>

int main(void) {
    /* sizeof yields a size_t, so print it with %zu rather than %d */
    printf("%zu", sizeof(double));
    return 0;
}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

mov edi, ds:__imp__printf   ; store address of printf to edi from imports
xor esi, esi                ; set value of int i = 0 using esi register

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Clicking the Next button moves you to the next screen."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail , and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files from your account at http://www.packtpub.com for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at , and we will do our best to address the problem.