Book Image

Learning Malware Analysis

By : Monnappa K A
5 (1)
Book Image

Learning Malware Analysis

5 (1)
By: Monnappa K A

Overview of this book

Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. With adversaries becoming sophisticated and carrying out advanced malware attacks on critical infrastructures, data centers, and private and public organizations, detecting, responding to, and investigating such intrusions is critical to information security professionals. Malware analysis and memory forensics have become must-have skills to fight advanced malware, targeted attacks, and security breaches. This book teaches you the concepts, techniques, and tools to understand the behavior and characteristics of malware through malware analysis. It also teaches you techniques to investigate and hunt malware using memory forensics. This book introduces you to the basics of malware analysis, and then gradually progresses into the more advanced concepts of code analysis and memory forensics. It uses real-world malware samples, infected memory images, and visual diagrams to help you gain a better understanding of the subject and to equip you with the skills required to analyze, investigate, and respond to malware-related incidents.

Related Content you might be interested in

Current Title:

Small book image
Learning Malware Analysis
Monnappa K A
Jun, 2018 | 510 pages
Small book image
Mastering Malware Analysis
Alexey Kleymenov | Amr Thabet
Sep, 2022 | 572 pages
Small book image
Mastering Reverse Engineering
Reginald Wong
Oct, 2018 | 436 pages
Small book image
Antivirus Bypass Techniques
Uriel Kosayev | Nir Yehoshua
Jul, 2021 | 242 pages
Table of Contents (19 chapters)
Title Page
Title Page
Copyright and Credits
Copyright and Credits
Dedication
Dedication
Packt Upsell
Packt Upsell
Contributors
Contributors
Preface
Preface
Free Chapter
1
Introduction to Malware Analysis
Introduction to Malware Analysis
1. What Is Malware?
2. What Is Malware Analysis?
3. Why Malware Analysis?
4. Types Of Malware Analysis
5. Setting Up The Lab Environment
6. Malware Sources
Summary
2
Static Analysis
Static Analysis
1. Determining the File Type
2. Fingerprinting the Malware
3. Multiple Anti-Virus Scanning
4. Extracting Strings
5. Determining File Obfuscation
6. Inspecting PE Header Information
7. Comparing And Classifying The Malware
Summary
3
Dynamic Analysis
Dynamic Analysis
1. Lab Environment Overview
2. System And Network Monitoring
3. Dynamic Analysis (Monitoring) Tools
4. Dynamic Analysis Steps
5. Putting it All Together: Analyzing a Malware Executable
6. Dynamic-Link Library (DLL) Analysis
Summary
4
Assembly Language and Disassembly Primer
Assembly Language and Disassembly Primer
1. Computer Basics
2. CPU Registers
3. Data Transfer Instructions
4. Arithmetic Operations
5. Bitwise Operations
6. Branching And Conditionals
7. Loops
8. Functions
9. Arrays And Strings
10. Structures
11. x64 Architecture
12. Additional Resources
Summary
5
Disassembly Using IDA
Disassembly Using IDA
1. Code Analysis Tools
2. Static Code Analysis (Disassembly) Using IDA
3. Disassembling Windows API
4. Patching Binary Using IDA
5. IDA Scripting and Plugins
Summary
6
Debugging Malicious Binaries
Debugging Malicious Binaries
1. General Debugging Concepts
2. Debugging a Binary Using x64dbg
3. Debugging a Binary Using IDA
4. Debugging a .NET Application
Summary
7
Malware Functionalities and Persistence
Malware Functionalities and Persistence
1. Malware Functionalities
2. Malware Persistence Methods
Summary
8
Code Injection and Hooking
Code Injection and Hooking
1. Virtual Memory
2. User Mode And Kernel Mode
3. Code Injection Techniques
4. Hooking Techniques
5. Additional Resources
Summary
9
Malware Obfuscation Techniques
Malware Obfuscation Techniques
1. Simple Encoding
2. Malware Encryption
3. Custom Encoding/Encryption
4. Malware Unpacking
Summary
10
Hunting Malware Using Memory Forensics
Hunting Malware Using Memory Forensics
1. Memory Forensics Steps
2. Memory Acquisition
3. Volatility Overview
4. Enumerating Processes
5. Listing Process Handles
6. Listing DLLs
7. Dumping an Executable and DLL
8. Listing Network Connections and Sockets
9. Inspecting Registry
10. Investigating Service
11. Extracting Command History
Summary
11
Detecting Advanced Malware Using Memory Forensics
Detecting Advanced Malware Using Memory Forensics
1. Detecting Code Injection
2. Investigating Hollow Process Injection
3. Detecting API Hooks
4. Kernel Mode Rootkits
5. Listing Kernel Modules
6. I/O Processing
7. Displaying Device Trees
8. Detecting Kernel Space Hooking
9. Kernel Callbacks And Timers
Summary
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Index
Index

3. Custom Encoding/Encryption

Sometimes, attackers use custom encoding/encryption schemes, which makes it difficult to identify the crypto (and the key), and it also makes reverse engineering harder. One of the custom encoding methods is to use a combination of encoding and encryption to obfuscate the data; an example of such a malware is Etumbot (https://www.arbornetworks.com/blog/asert/illuminating-the-etumbot-apt-backdoor/). The Etumbot malware sample, when executed, obtains the RC4 key from the C2 server; it then uses the obtained RC4 key to encrypt the system information (such as hostname, username, and IP address), and the encrypted content is further encoded using custom Base64 and exfiltrated to the C2. The C2 communication containing the obfuscated content is shown in the following screenshot. For reverse engineering details of this sample, refer to the Author's presentation and the video demo (https://cysinfo.com/12th-meetup-reversing-decrypting-malware-communications/):

To deobfuscate...

Previous Section
End of Section 4
Next Section