Index
A
- accessibility programs / 2.6 Accessibility Programs
- adware / 1. What Is Malware?
- APC Injection / 3.2 DLL Injection Using APC (APC Injection)
- API Hooks
- detecting / 3. Detecting API Hooks
- AppInit_DLLs feature / 2.7 AppInit_DLLs
- Application Compatibility Shim
- using, for DLL Injection / 3.4 DLL Injection Using The Application Compatibility Shim
- shim, creating / 3.4.1 Creating A Shim
- artifacts / 3.4.2 Shim Artifacts
- shims, using / 3.4.3 How Attackers Use Shims
- database, analyzing / 3.4.4 Analyzing The Shim Database
- APT1 group
- arithmetic operations
- about / 4. Arithmetic Operations
- disassembly challenge / 4.1 Disassembly Challenge
- disassembly solution / 4.2 Disassembly Solution
- arrays
- about / 9. Arrays And Strings
- disassembly challenge / 9.1 Disassembly Challenge
- disassembly solution / 9.2 Disassembly Solution
- Automated Unpacking / 4.2 Automated Unpacking
- AVCaesar
- URL / 6. Malware Sources
B
- 32-bit Malware
- debugging / 2.6 Debugging 32-bit Malware
- 64-bit Malware
- debugging / 2.7 Debugging 64-bit Malware
- Base64 Encoding
- about / 1.2 Base64 Encoding
- data, translating / 1.2.1 Translating Data To Base64
- data, encoding / 1.2.2 Encoding And Decoding Base64
- data, decoding / 1.2.2 Encoding And Decoding Base64
- custom Base64, decoding / 1.2.3 Decoding Custom Base64
- identifying / 1.2.4 Identifying Base64
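Added example for the Base64 entries above (decoding a custom alphabet, restoring stripped padding, and picking Base64 runs out of a blob); this is editor-supplied code, not code from the book, and the custom alphabet and the sample blob are constructed for illustration:

```python
"""Decode Base64 that uses a custom (shuffled) alphabet, and find Base64 runs in a blob."""
import base64
import binascii
import re
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed custom alphabet for this example (not taken from any real sample):
# the standard table rotated left by five positions, so 'F' encodes value 0 and
# 'A' encodes value 59. A real sample's table is read out of its decoder routine.
CUSTOM_ALPHABET = STD_ALPHABET[5:] + STD_ALPHABET[:5]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("a Base64 alphabet needs exactly 64 distinct characters")


def encode_custom_b64(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Standard Base64, then remap each output character into the custom table."""
    _check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom_b64(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the custom table back onto the standard one, restore any stripped '='
    padding, then let the standard decoder do the work. validate=True makes the
    decoder reject stray characters instead of silently skipping them."""
    _check_alphabet(alphabet)
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def find_base64_candidates(blob: bytes, alphabet: str = STD_ALPHABET, min_len: int = 20):
    """Return (encoded, decoded) pairs for every run of at least min_len alphabet
    characters that decodes cleanly. Keep min_len high: short runs of letters
    and digits match by chance in any binary."""
    _check_alphabet(alphabet)
    pattern = re.compile(b"[" + re.escape(alphabet.encode("ascii")) + b"]{"
                         + str(min_len).encode("ascii") + b",}={0,2}")
    hits = []
    for match in pattern.finditer(blob):
        run = match.group().decode("ascii")
        try:
            hits.append((run, decode_custom_b64(run, alphabet)))
        except (binascii.Error, ValueError):
            continue  # a run of alphabet characters that is not valid Base64
    return hits


if __name__ == "__main__":
    plain = b"cmd.exe /c whoami"  # constructed plaintext
    custom = encode_custom_b64(plain)
    print("custom   :", custom)
    print("as std   :", decode_custom_b64(custom, STD_ALPHABET))  # wrong table -> garbage
    print("as custom:", decode_custom_b64(custom))
    blob = b"\x00\x01junk " + b"Y21kLmV4ZSAvYyB3aG9hbWk=" + b" trailing"  # constructed
    for encoded, decoded in find_base64_candidates(blob):
        print(encoded, "->", decoded)
```

The key check a practitioner wants is the "as std" line: a custom-alphabet string decodes without error under the standard table, it just yields garbage, so a clean decode is not proof that the right alphabet was used; compare the output against expected plaintext (a PE header, a URL, a config key) before trusting it.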
- Behavioral Analysis / 4. Types Of Malware Analysis
- binary
- debugging, with x64dbg / 2. Debugging a Binary Using x64dbg
- debugging, with IDA / 3. Debugging a Binary Using IDA
- bits / 1. Computer Basics
- bitwise operations / 5. Bitwise Operations
- bitwise operators
- URL / 5. Bitwise Operations
- block tracing / 3.8 Tracing Execution Using IDA
- botnet / 1. What Is Malware?
- branching instructions
- about / 6. Branching And Conditionals
- unconditional jumps / 6.1 Unconditional Jumps
- conditional jumps / 6.2 Conditional Jumps
- if statement / 6.3 If Statement
- if/else statement / 6.4 If-Else Statement
- disassembly challenge / 6.6 Disassembly Challenge
- disassembly solution / 6.7 Disassembly Solution
- breakpoints
- program, interrupting / 1.3 Interrupting a Program with Breakpoints
- software breakpoints / 1.3 Interrupting a Program with Breakpoints
- hardware breakpoints / 1.3 Interrupting a Program with Breakpoints
- memory breakpoints / 1.3 Interrupting a Program with Breakpoints
- conditional breakpoints / 1.3 Interrupting a Program with Breakpoints
- setting, in x64dbg / 2.5 Setting a Breakpoint in x64dbg
- setting, in IDA / 3.5 Setting a Breakpoint in IDA
- byte / 1. Computer Basics
C
- Caesar Cipher
- about / 1.1 Caesar Cipher
- working / 1.1.1 Working Of Caesar Cipher
- decrypting, in Python / 1.1.2 Decrypting Caesar Cipher In Python
- callback, Kernel
- creating / 9. Kernel Callbacks And Timers
- URL / 9. Kernel Callbacks And Timers
- code analysis / 4. Types Of Malware Analysis
- Code Analysis Tools / 1. Code Analysis Tools
- Code Injection
- techniques / 3. Code Injection Techniques
- Remote DLL Injection / 3.1 Remote DLL Injection
- DLL injection, with APC / 3.2 DLL Injection Using APC (APC Injection)
- DLL Injection, with SetWindowsHookEx() / 3.3 DLL Injection Using SetWindowsHookEx()
- Application Compatibility Shim, using for DLL Injection / 3.4 DLL Injection Using The Application Compatibility Shim
- Remote Executable Injection / 3.5 Remote Executable/Shellcode Injection
- Remote Shellcode Injection / 3.5 Remote Executable/Shellcode Injection
- Hollow Process Injection / 3.6 Hollow Process Injection (Process Hollowing)
- references / 5. Additional Resources
- detecting / 1. Detecting Code Injection
- VAD information, obtaining / 1.1 Getting VAD Information
- detecting, with VAD / 1.2 Detecting Injected Code Using VAD
- Process Memory region, dumping / 1.3 Dumping The Process Memory Region
- detecting, with malfind / 1.4 Detecting Injected Code Using malfind
- Comae memory toolkit
- Command and Control (C2)
- about / 1.5 Malware Command and Control (C2)
- HTTP, using / 1.5.1 HTTP Command and Control
- customizing / 1.5.2 Custom Command and Control
- Command History
- extracting / 11. Extracting Command History
- Component Object Model (COM)
- hijacking / 2.9 COM hijacking
- computer
- about / 1. Computer Basics
- memory / 1.1 Memory
- CPU / 1.2 CPU
- program execution / 1.3 Program Basics
- conditional breakpoints
- conditional jumps / 6.2 Conditional Jumps
- Contagio malware dump
- URL / 6. Malware Sources
- ConverterNET
- CPU
- about / 1.2 CPU
- machine language / 1.2.1 Machine Language
- CPU registers
- about / 2. CPU Registers
- general purpose registers / 2.1 General-Purpose Registers
- instruction pointer (EIP) / 2.2 Instruction Pointer (EIP)
- EFLAGS register / 2.3 EFLAGS Register
- Crypto Constants
- detecting, with FindCrypt2 / 2.2 Detecting Crypto Constants Using FindCrypt2
- cryptographic hash
- generating, with tools / 2.1 Generating Cryptographic Hash Using Tools
- determining, in Python / 2.2 Determining Cryptographic Hash in Python
- Cryptor / 5.1 Packers and Cryptors, 4. Malware Unpacking
- Crypto Signatures
- identifying, with Signsrch / 2.1 Identifying Crypto Signatures Using Signsrch
- detecting, with YARA / 2.3 Detecting Crypto Signatures Using YARA
- custom encoding/encryption / 3. Custom Encoding/Encryption
D
- data transfer instructions
- about / 3. Data Transfer Instructions
- constant, moving to register / 3.1 Moving a Constant Into Register
- values, moving from register to register / 3.2 Moving Values From Register To Register
- values, moving from memory to registers / 3.3 Moving Values From Memory To Registers
- values, moving from registers to memory / 3.4 Moving Values From Registers To Memory
- disassembly challenge / 3.5 Disassembly Challenge
- disassembly solution / 3.6 Disassembly Solution
- debugger interface
- Disassembly Window (CPU Window) / 2.3 x64dbg Debugger Interface
- Registers Window / 2.3 x64dbg Debugger Interface
- Stack Window / 2.3 x64dbg Debugger Interface
- Dump Window / 2.3 x64dbg Debugger Interface
- Memory Map Window / 2.3 x64dbg Debugger Interface
- Symbols Window / 2.3 x64dbg Debugger Interface
- References Window / 2.3 x64dbg Debugger Interface
- Handles Window / 2.3 x64dbg Debugger Interface
- Threads Window / 2.3 x64dbg Debugger Interface
- debugging
- concepts / 1. General Debugging Concepts
- processes, launching / 1.1 Launching And Attaching To Process
- processes, attaching / 1.1 Launching And Attaching To Process
- process execution, controlling / 1.2 Controlling Process Execution
- program, interrupting with breakpoints / 1.3 Interrupting a Program with Breakpoints
- URL / 4.1.1 Examining the _EPROCESS Structure
- Device Trees
- displaying / 7. Displaying Device Trees
- Direct Kernel Object Manipulation (DKOM) / 4.2.1 Direct Kernel Object Manipulation (DKOM)
- dnSpy
- DNS tunneling
- downloader / 1. What Is Malware?, 1.1 Downloader
- driverscan
- used, for listing Kernel Modules / 5.1 Listing Kernel Modules Using driverscan
- dropper
- about / 1. What Is Malware?, 1.2 Dropper
- 64-bit dropper, reversing / 1.2.1 Reversing a 64-bit Dropper
- DumpIt
- using, for memory acquisition / 2.1 Memory Acquisition Using DumpIt
- Dynamic-Link Library (DLL)
- analysis / 6. Dynamic-Link Library (DLL) Analysis
- using, by attackers / 6.1 Why Attackers Use DLLs
- analyzing, with rundll32.exe / 6.2 Analyzing the DLL Using rundll32.exe
- analyzing, without exports / Example 1 – Analyzing a DLL With No Exports
- analyzing, with exports / Example 2 – Analyzing a DLL Containing Exports
- export arguments, analyzing / Example 3 – Analyzing a DLL Accepting Export Arguments
- analyzing, with Process Checks / 6.3 Analyzing a DLL with Process Checks
- about / 1.3.3 Program In Memory
- listing / 6. Listing DLLs
- Hidden DLL, detecting with ldrmodules / 6.1 Detecting a Hidden DLL Using ldrmodules
- Dynamic-Link Library Search Order
- dynamic analysis
- about / 4. Types Of Malware Analysis
- lab environment, overview / 1. Lab Environment Overview
- steps / 4. Dynamic Analysis Steps
- implementing / 5. Putting it All Together: Analyzing a Malware Executable
- using, on sample / 5.2 Dynamic Analysis of the Sample
- dynamic analysis tools
- about / 3. Dynamic Analysis (Monitoring) Tools
- process inspection, with Process Hacker / 3.1 Process Inspection with Process Hacker
- System Interaction, determining with Process Monitor / 3.2 Determining System Interaction with Process Monitor
- System Activities, logging with Noriben / 3.3 Logging System Activities Using Noriben
- Network Traffic, capturing with Wireshark / 3.4 Capturing Network Traffic With Wireshark
- services, simulating with INetSim / 3.5 Simulating Services with INetSim
E
- eflags register / 2.3 EFLAGS Register
- encoding
- about / 1. Simple Encoding
- Caesar Cipher / 1.1 Caesar Cipher
- Base64 encoding / 1.2 Base64 Encoding
- XOR encoding / 1.3 XOR Encoding
- Etumbot
- executable and DLL
- dumping / 7. Dumping an Executable and DLL
- execution control
- options, for debuggers / 1.2 Controlling Process Execution
- Exeinfo PE
- used, for detecting File Obfuscation / 5.2 Detecting File Obfuscation Using Exeinfo PE
- URL / 5.2 Detecting File Obfuscation Using Exeinfo PE
- Explorer Suite
- expression
F
- File Obfuscation
- determining / 5. Determining File Obfuscation
- Packers / 5.1 Packers and Cryptors
- Cryptors / 5.1 Packers and Cryptors
- detecting, with Exeinfo PE / 5.2 Detecting File Obfuscation Using Exeinfo PE
- file system monitoring / 2. System And Network Monitoring
- file type
- determining / 1. Determining the File Type
- identifying, with manual method / 1.1 Identifying File Type Using Manual Method
- identifying, with tools / 1.2 Identifying File Type Using Tools
- determining, with Python / 1.3 Determining File Type Using Python
- FindCrypt2
- URL / 2.2 Detecting Crypto Constants Using FindCrypt2
- used, for detecting Crypto Constants / 2.2 Detecting Crypto Constants Using FindCrypt2
- fingerprinting
- using, for malware / 2. Fingerprinting the Malware
- cryptographic hash, generating with tools / 2.1 Generating Cryptographic Hash Using Tools
- cryptographic hash, determining in Python / 2.2 Determining Cryptographic Hash in Python
- FLOSS
- used, for decoding Obfuscated Strings / 4.2 Decoding Obfuscated Strings Using FLOSS
- URL / 4.2 Decoding Obfuscated Strings Using FLOSS
- functions
- about / 8. Functions
- stack / 8.1 Stack
- calling / 8.2 Calling Function
- returning from / 8.3 Returning From Function
- parameters / 8.4 Function Parameters And Return Values
- return values / 8.4 Function Parameters And Return Values
- function tracing / 2.9.2 Function Tracing, 3.8 Tracing Execution Using IDA
- Fuzzy hashing
- used, for classifying malware / 7.1 Classifying Malware Using Fuzzy Hashing
G
- general purpose registers / 2.1 General-Purpose Registers
- Graphviz
H
- HashMyFiles
- Hex-Rays Decompiler
- URL / 5.3 IDA Plugins
- Hikit Rootkit
- Hollow Process Injection
- about / 3.6 Hollow Process Injection (Process Hollowing)
- investigating / 2. Investigating Hollow Process Injection
- URL / 2. Investigating Hollow Process Injection
- steps / 2.1 Hollow Process Injection Steps
- detecting / 2.2 Detecting Hollow Process Injection
- variations / 2.3 Hollow Process Injection Variations
- hooking techniques
- about / 4. Hooking Techniques
- IAT Hooking / 4.1 IAT Hooking
- inline hooking / 4.2 Inline Hooking (Inline Patching)
- in-memory patching, with Shim / 4.3 In-memory Patching Using Shim
- HxD hex editor
- Hybrid Analysis
- URL / 6. Malware Sources
I
- I/O Processing
- about / 6. I/O Processing
- device driver, using / 6.1 The Role Of The Device Driver
- I/O Manager, using / 6.2 The Role Of The I/O Manager
- device driver, communicating / 6.3 Communicating With The Device Driver
- I/O requests, to layered drivers / 6.4 I/O Requests To Layered Drivers
- IAT hooking / 4.1 IAT Hooking
- IDA
- URL / 2. Static Code Analysis (Disassembly) Using IDA
- using, for Static Code Analysis / 2. Static Code Analysis (Disassembly) Using IDA
- binary, loading / 2.1 Loading Binary in IDA
- displays, exploring / 2.2 Exploring IDA Displays
- disassembly window / 2.2.1 Disassembly Window
- functions window / 2.2.2 Functions Window
- output window / 2.2.3 Output Window
- Hex View Window / 2.2.4 Hex View Window
- Structures window / 2.2.5 Structures Window
- imports window / 2.2.6 Imports Window
- exports window / 2.2.7 Exports Window
- strings window / 2.2.8 Strings Window
- segments window / 2.2.9 Segments Window
- used, for enhancing disassembly / 2.3 Improving Disassembly Using IDA
- locations, renaming / 2.3.1 Renaming Locations
- commenting / 2.3.2 Commenting in IDA
- database / 2.3.3 IDA Database
- operands, formatting / 2.3.4 Formatting Operands
- locations, navigating / 2.3.5 Navigating Locations
- cross-references / 2.3.6 Cross-References
- Cross-References, listing / 2.3.7 Listing All Cross-References
- proximity view / 2.3.8 Proximity View And Graphs
- proximity graphs / 2.3.8 Proximity View And Graphs
- used, for patching binary / 4. Patching Binary Using IDA
- program bytes, patching / 4.1 Patching Program Bytes
- instructions, patching / 4.2 Patching Instructions
- scripting / 5. IDA Scripting and Plugins
- plugins / 5. IDA Scripting and Plugins, 5.3 IDA Plugins
- scripts, executing / 5.1 Executing IDA Scripts
- IDAPython / 5.2 IDAPython
- CreateFile API presence, checking / 5.2.1 Checking The Presence Of CreateFile API
- IDAPython, used for coding cross-references to CreateFile / 5.2.2 Code Cross-References to CreateFile Using IDAPython
- used, for binary debugging / 3. Debugging a Binary Using IDA
- process, launching / 3.1 Launching a New Process in IDA
- used, for attaching process / 3.2 Attaching to an Existing Process Using IDA
- debugger interface / 3.3 IDA's Debugger Interface
- used, for controlling process execution / 3.4 Controlling Process Execution Using IDA
- breakpoint, setting / 3.5 Setting a Breakpoint in IDA
- malware executables, debugging / 3.6 Debugging Malware Executables
- used, for debugging malicious DLL / 3.7 Debugging a Malicious DLL Using IDA
- DLL, debugging in specific process / 3.7.1 Debugging a DLL in a Specific Process
- used, for tracing execution / 3.8 Tracing Execution Using IDA
- IDAPython, used for debugger scripting / 3.9 Debugger Scripting Using IDAPython
- IDAPython
- URL / 5.2 IDAPython
- used, for debugger scripting / 3.9 Debugger Scripting Using IDAPython
- references / 3.9 Debugger Scripting Using IDAPython
- malware files accessed, determining / 3.9.1 Example – Determining Files Accessed by Malware
- IDA Scriptable Debugger
- if-else statement / 6.4 If-Else Statement
- if-elseif-else statement / 6.5 If-Elseif-Else Statement
- If Statement / 6.3 If Statement
- Image File Execution Options (IFEO) / 2.5 Image File Execution Options
- import hash
- used, for classifying malware / 7.2 Classifying Malware Using Import Hash
- in-memory patching
- shim, using / 4.3 In-memory Patching Using Shim
- INetSim
- references / 5.3 Setting Up And Configuring Linux VM
- services, simulating / 3.5 Simulating Services with INetSim
- information stealer / 1. What Is Malware?
- inline hooking / 4.2 Inline Hooking (Inline Patching)
- Inline Kernel Hooks
- identifying / 8.3 Identifying Inline Kernel Hooks
- instruction pointer (EIP) / 2.2 Instruction Pointer (EIP)
- instruction tracing / 2.9.1 Instruction Tracing, 3.8 Tracing Execution Using IDA
- Interrupt Descriptor Table (IDT) / 8.2 Detecting IDT Hooking
- IRP Function Hooks
- detecting / 8.4 Detecting IRP Function Hooks
K
- Kernel-Mode Code Signing (KMCS) / 4. Kernel Mode Rootkits
- kernel memory
- hal.dll / 1.2 Kernel Memory Contents (Kernel Space)
- ntoskrnl.exe / 1.2 Kernel Memory Contents (Kernel Space)
- Win32k.sys / 1.2 Kernel Memory Contents (Kernel Space)
- Kernel Memory Contents / 1.2 Kernel Memory Contents (Kernel Space)
- Kernel Mode / 2. User Mode And Kernel Mode
- KernelMode.info
- URL / 6. Malware Sources
- Kernel Mode Rootkits / 4. Kernel Mode Rootkits
- Kernel Modules
- listing / 5. Listing Kernel Modules
- listing, with driverscan / 5.1 Listing Kernel Modules Using driverscan
- Kernel Patch Protection (KPP) mechanism / 4. Kernel Mode Rootkits, 8.1 Detecting SSDT Hooking
- Kernel Space Hooking
- detecting / 8. Detecting Kernel Space Hooking
- SSDT Hooking, detection / 8.1 Detecting SSDT Hooking
- IDT hooking, detection / 8.2 Detecting IDT Hooking
- Inline Kernel Hooks, identifying / 8.3 Identifying Inline Kernel Hooks
- IRP Function Hooks, detecting / 8.4 Detecting IRP Function Hooks
- keylogger
- about / 1.3 Keylogger
- GetAsyncKeyState(), using / 1.3.1 Keylogger Using GetAsyncKeyState()
- SetWindowsHookEx(), using / 1.3.2 Keylogger Using SetWindowsHookEx()
L
- lab, Virtual Machine (VM)
- setting up / 5. Setting Up The Lab Environment
- prerequisites / 5.1 Lab Requirements
- architecture, overview / 5.2 Overview Of Lab Architecture
- Linux VM, setting up / 5.3 Setting Up And Configuring Linux VM
- Linux VM, configuring / 5.3 Setting Up And Configuring Linux VM
- Windows VM, setting up / 5.4 Setting Up And Configuring Windows VM
- Windows VM, configuring / 5.4 Setting Up And Configuring Windows VM
- ldrmodules
- used, for detecting hidden DLL / 6.1 Detecting a Hidden DLL Using ldrmodules
- Linux VM
- setting up / 5.3 Setting Up And Configuring Linux VM
- configuring / 5.3 Setting Up And Configuring Linux VM
- loops
- about / 7. Loops
- disassembly challenge / 7.1 Disassembly Challenge
- disassembly solution / 7.2 Disassembly Solution
M
- Magic Lantern Wiki
- malfind
- used, for detecting injected code / 1.4 Detecting Injected Code Using malfind
- malicious DLL
- debugging, with x64dbg / 2.8 Debugging a Malicious DLL Using x64dbg
- malware
- about / 1. What Is Malware?
- virus / 1. What Is Malware?
- worm / 1. What Is Malware?
- Trojan / 1. What Is Malware?
- backdoor / 1. What Is Malware?
- Remote Access Trojan (RAT) / 1. What Is Malware?
- adware / 1. What Is Malware?
- botnet / 1. What Is Malware?
- information stealer / 1. What Is Malware?
- ransomware / 1. What Is Malware?
- rootkit / 1. What Is Malware?
- downloader / 1. What Is Malware?
- dropper / 1. What Is Malware?
- references / 6. Malware Sources
- fingerprinting / 2. Fingerprinting the Malware
- comparing / 7. Comparing And Classifying The Malware
- classifying / 7. Comparing And Classifying The Malware
- classifying, with Fuzzy hashing / 7.1 Classifying Malware Using Fuzzy Hashing
- classifying, with Import hash / 7.2 Classifying Malware Using Import Hash
- classifying, with Section hash / 7.3 Classifying Malware Using Section Hash
- classifying, with YARA / 7.4 Classifying Malware Using YARA
- malware, functionalities
- about / 1. Malware Functionalities
- downloader / 1.1 Downloader
- dropper / 1.2 Dropper
- keylogger / 1.3 Keylogger
- replication, via removable media / 1.4 Malware Replication Via Removable Media
- command and control (C2) / 1.5 Malware Command and Control (C2)
- PowerShell-based execution / 1.6 PowerShell-Based Execution
- malware analysis
- about / 2. What Is Malware Analysis?
- performing / 3. Why Malware Analysis?
- types / 4. Types Of Malware Analysis
- malware encryption
- about / 2. Malware Encryption
- Crypto Signatures, identifying with Signsrch / 2.1 Identifying Crypto Signatures Using Signsrch
- Crypto Constants, detecting with FindCrypt2 / 2.2 Detecting Crypto Constants Using FindCrypt2
- Crypto Signatures, detecting with YARA / 2.3 Detecting Crypto Signatures Using YARA
- decrypting, in Python / 2.4 Decrypting In Python
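Added example for the malware encryption entries above (what FindCrypt2, Signsrch and a YARA constants rule do under the hood: scan a binary for the fixed tables and initialisation values that hash and cipher implementations embed); this is editor-supplied code, not code from the book or from those tools, and the sample bytes are constructed to look like x86 `mov reg, imm32` instructions loading the MD5 state:

```python
"""Scan a blob for well-known cryptographic constants, as crypto-signature tools do."""
import struct

# Published constants from the algorithm specifications. MD5 and SHA-1 share the
# first four state words, so a hit on them alone does not tell the two apart;
# the fifth SHA-1 word and the SHA-1 round constants do.
CRYPTO_CONSTANTS = {
    "MD5/SHA-1 initial state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1 H4 and round constants": [0xC3D2E1F0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6],
    "SHA-256 round constants": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
    "CRC32 polynomial (reversed)": [0xEDB88320],
}
# The AES forward S-box starts 63 7c 77 7b f2 6b 6f c5; eight bytes is enough to
# be distinctive while still matching a table embedded byte by byte.
AES_SBOX_PREFIX = bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5])


def scan_for_crypto_constants(blob: bytes) -> list:
    """Return one finding per (constant family, byte order) that has at least one hit.
    x86 code carries immediates little-endian; big-endian hits usually mean a table
    of pre-swapped words, which is still worth a look."""
    findings = []
    for name, words in CRYPTO_CONSTANTS.items():
        for endian, fmt in (("little", "<I"), ("big", ">I")):
            offsets = [blob.find(struct.pack(fmt, w)) for w in words]
            found = sorted(o for o in offsets if o != -1)
            if found:
                findings.append({"name": name, "endian": endian, "found": len(found),
                                 "total": len(words), "offsets": found})
    off = blob.find(AES_SBOX_PREFIX)
    if off != -1:
        findings.append({"name": "AES S-box (first 8 bytes)", "endian": "n/a",
                         "found": 1, "total": 1, "offsets": [off]})
    return findings


# Constructed sample (not a real binary): four NOPs, then mov eax/ebx/ecx/edx with
# the MD5 state words as immediates, a ret, the start of the AES S-box, eight
# filler bytes, and the CRC32 polynomial as data.
SAMPLE = (b"\x90" * 4
          + b"\xb8" + struct.pack("<I", 0x67452301)   # mov eax, 67452301h
          + b"\xbb" + struct.pack("<I", 0xEFCDAB89)   # mov ebx, 0EFCDAB89h
          + b"\xb9" + struct.pack("<I", 0x98BADCFE)   # mov ecx, 98BADCFEh
          + b"\xba" + struct.pack("<I", 0x10325476)   # mov edx, 10325476h
          + b"\xc3"                                    # ret
          + AES_SBOX_PREFIX + bytes(range(8))
          + struct.pack("<I", 0xEDB88320))

if __name__ == "__main__":
    for f in scan_for_crypto_constants(SAMPLE):
        where = ", ".join(hex(o) for o in f["offsets"])
        print(f'{f["name"]:32s} {f["endian"]:6s} {f["found"]}/{f["total"]} at {where}')
```

Two caveats when reading hits on a real sample: a CRC32 polynomial or table is routinely present in statically linked runtime and compression code and says nothing about the malware's own logic, and a partial family (one SHA-256 word out of four) is more often a coincidence than a cipher; weight the full-table hits and then confirm by finding the code that references those offsets in IDA.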
- Malware Executable
- analyzing / 5. Putting it All Together: Analyzing a Malware Executable
- sample, static analysis / 5.1 Static Analysis of the Sample
- Malware Executables
- debugging / 3.6 Debugging Malware Executables
- malware terminologies
- URL / 1. What Is Malware?
- malware unpacking
- about / 4. Malware Unpacking
- manual unpacking / 4.1 Manual Unpacking
- OEP, identifying / 4.1.1 Identifying The OEP
- Process Memory, dumping with Scylla / 4.1.2 Dumping Process Memory With Scylla
- Import Table, fixing / 4.1.3 Fixing The Import Table
- Malwr
- URL / 6. Malware Sources
- memory
- about / 1.1 Memory
- data storage / 1.1.1 How Data Resides In Memory
- memory acquisition
- about / 2. Memory Acquisition
- DumpIt, using / 2.1 Memory Acquisition Using DumpIt
- memory analysis / 4. Types Of Malware Analysis
- memory forensics
- memory acquisition / 1. Memory Forensics Steps
- memory analysis / 1. Memory Forensics Steps
- methods, service
- sc utility / 2.10 Service
- batch script / 2.10 Service
- Windows API / 2.10 Service
- PowerShell / 2.10 Service
- WMI / 2.10 Service
- Mimikatz
- Multi Anti-Virus Scanning
- about / 3. Multiple Anti-Virus Scanning
- suspect binary, scanning with VirusTotal / 3.1 Scanning the Suspect Binary with VirusTotal
- hash values, querying with Virustotal Public API / 3.2 Querying Hash Values Using VirusTotal Public API
N
- .NET Application
- debugging / 4. Debugging a .NET Application
- Network Connections
- network monitoring / 2. System And Network Monitoring
- Network Traffic
- capturing, with Wireshark / 3.4 Capturing Network Traffic With Wireshark
- non-paged pool / 4.2.2 Understanding Pool Tag Scanning
- Noriben
- used, for logging system activities / 3.3 Logging System Activities Using Noriben
- URL / 3.3 Logging System Activities Using Noriben
O
- Obfuscated Strings
- decoding, with FLOSS / 4.2 Decoding Obfuscated Strings Using FLOSS
- object manager / 4.2.2 Understanding Pool Tag Scanning
- Operation Groundbait
P
- Packer / 5.1 Packers and Cryptors
- PatchGuard
- PE file structure
- references / 6. Inspecting PE Header Information
- PE Header Information
- inspecting / 6. Inspecting PE Header Information
- file dependencies, inspecting / 6.1 Inspecting File Dependencies and Imports
- imports, inspecting / 6.1 Inspecting File Dependencies and Imports
- exports, inspecting / 6.2 Inspecting Exports
- table, examining / 6.3 Examining PE Section Table And Sections
- sections, examining / 6.3 Examining PE Section Table And Sections
- Compilation Timestamp, examining / 6.4 Examining the Compilation Timestamp
- resources, examining / 6.5 Examining PE Resources
- PE internal tool
- URL / 1.3.2 Program On Disk
- persistence methods
- about / 2. Malware Persistence Methods
- Run registry key / 2.1 Run Registry Key
- scheduled tasks / 2.2 Scheduled Tasks
- startup folder / 2.3 Startup Folder
- Winlogon registry entries / 2.4 Winlogon Registry Entries
- Image File Execution Options / 2.5 Image File Execution Options
- accessibility programs / 2.6 Accessibility Programs
- AppInit_DLLs feature / 2.7 AppInit_DLLs
- DLL Search Order Hijacking / 2.8 DLL Search Order Hijacking
- COM hijacking / 2.9 COM hijacking
- service / 2.10 Service
- pestudio
- PowerShell
- URL / 2.10 Service
- PowerShell-Based Execution
- about / 1.6 PowerShell-Based Execution
- command / 1.6.1 PowerShell Command Basics
- scripts / 1.6.2 PowerShell Scripts And Execution Policy
- policy / 1.6.2 PowerShell Scripts And Execution Policy
- analyzing / 1.6.2 Analyzing PowerShell Commands/Scripts
- using, by attackers / 1.6.3 How Attackers Use PowerShell
- PowerShell downloader
- PowerSploit
- processes
- enumerating / 4. Enumerating Processes
- overview / 4.1 Process Overview
- _EPROCESS Structure, examining / 4.1.1 Examining the _EPROCESS Structure
- ActiveProcessLinks / 4.1.2 Understanding ActiveProcessLinks
- listing, with psscan / 4.2 Listing Processes Using psscan
- Process Relationships, determining / 4.3 Determining Process Relationships
- listing, with psxview / 4.4 Process Listing Using psxview
- process execution
- controlling / 1.2 Controlling Process Execution
- Process Hacker
- Process Handles
- listing / 5. Listing Process Handles
- process memory
- about / 1.1 Process Memory Components (User Space)
- process executable / 1.1 Process Memory Components (User Space)
- Dynamic-Link Libraries (DLLs) / 1.1 Process Memory Components (User Space)
- process environment variables / 1.1 Process Memory Components (User Space)
- process heap / 1.1 Process Memory Components (User Space)
- thread stacks / 1.1 Process Memory Components (User Space)
- Process Environment Block (PEB) / 1.1 Process Memory Components (User Space)
- Process Monitor
- System Interaction, determining / 3.2 Determining System Interaction with Process Monitor
- URL / 3.2 Determining System Interaction with Process Monitor
- process monitoring / 2. System And Network Monitoring
- Process Relationships
- determining / 4.3 Determining Process Relationships
- program
- about / 1.3 Program Basics
- compilation process / 1.3.1 Program Compilation
- appearance on disk / 1.3.2 Program On Disk
- in memory / 1.3.3 Program In Memory
- disassembly / 1.3.4 Program Disassembly (From Machine code To Assembly code)
- Program Execution
- tracing / 1.4 Tracing Program Execution
- psscan
- used, for listing processes / 4.2 Listing Processes Using psscan
- Direct Kernel Object Manipulation (DKOM) / 4.2.1 Direct Kernel Object Manipulation (DKOM)
- Pool Tag Scanning / 4.2.2 Understanding Pool Tag Scanning
- psxview
- used, for listing processes / 4.4 Process Listing Using psxview
- PyCrypto
- URL / 2.4 Decrypting In Python
- Python
- used, for determining file type / 1.3 Determining File Type Using Python
- cryptographic hash, determining / 2.2 Determining Cryptographic Hash in Python
- python-sdb
R
- ransomware / 1. What Is Malware?
- registry
- inspecting / 9. Inspecting Registry
- registry keys
- Run key / 2.1 Run Registry Key
- registry monitoring / 2. System And Network Monitoring
- Remote Access Trojan (RAT) / 1. What Is Malware?
- RemoteDLL
- Remote DLL Injection / 3.1 Remote DLL Injection
- Remote Executable Injection / 3.5 Remote Executable/Shellcode Injection
- Remote Shellcode Injection / 3.5 Remote Executable/Shellcode Injection
- resource hacker
- ReversingLabs
- URL / 4.2 Automated Unpacking
- rootkit / 1. What Is Malware?
- rundll32.exe
- used, for analyzing DLL / 6.2 Analyzing the DLL Using rundll32.exe
- working / 6.2.1 Working of rundll32.exe
- URL / 6.2.1 Working of rundll32.exe
- used, for launching DLL / 6.2.2 Launching the DLL Using rundll32.exe
S
- sdb-explorer
- scheduled tasks / 2.2 Scheduled Tasks
- Scylla
- used, for dumping Process Memory / 4.1.2 Dumping Process Memory With Scylla
- section hash
- used, for classifying malware / 7.3 Classifying Malware Using Section Hash
- service
- simulating, with INetSim / 3.5 Simulating Services with INetSim
- about / 2.10 Service
- investigating / 10. Investigating Service
- service, malicious programs
- Win32OwnProcess / 2.10 Service
- Win32ShareProcess / 2.10 Service
- Kernel Driver Service / 2.10 Service
- SetWindowsHookEx()
- using, for DLL Injection / 3.3 DLL Injection Using SetWindowsHookEx()
- Signsrch
- used, for identifying Crypto Signatures / 2.1 Identifying Crypto Signatures Using Signsrch
- sockets
- ssdeep
- stack / 8.1 Stack
- startup folder / 2.3 Startup Folder
- static analysis / 4. Types Of Malware Analysis
- Static Code Analysis
- IDA, using / 2. Static Code Analysis (Disassembly) Using IDA
- string formatting
- strings
- extracting / 4. Extracting Strings
- extraction, with tools / 4.1 String Extraction Using Tools
- Obfuscated Strings, decoding with FLOSS / 4.2 Decoding Obfuscated Strings Using FLOSS
- about / 9. Arrays And Strings, 9.3 Strings
- disassembly challenge / 9.1 Disassembly Challenge
- disassembly solution / 9.2 Disassembly Solution
- instructions / 9.3.1 String Instructions
- movsx instructions, using / 9.3.2 Moving From Memory To Memory (movsx)
- Repeat Instructions (rep) / 9.3.3 Repeat Instructions (rep)
- value, storing from register to memory (stosx) / 9.3.4 Storing Value From Register to Memory (stosx)
- loading, from memory to register (lodsx) / 9.3.5 Loading From Memory to Register (lodsx)
- memory scanning (scasx) / 9.3.6 Scanning Memory (scasx)
- values, comparing in memory (cmpsx) / 9.3.7 Comparing Values in Memory (cmpsx)
- structures / 10. Structures
- System Service Descriptor Table (SSDT)
- detection / 8.1 Detecting SSDT Hooking
T
- T9000 backdoor
- URL / 2.7 AppInit_DLLs
- theZoo
- URL / 6. Malware Sources
- timer, Kernel
- creating / 9. Kernel Callbacks And Timers
- URL / 9. Kernel Callbacks And Timers
- types, malware analysis
- static analysis / 4. Types Of Malware Analysis
- dynamic analysis / 4. Types Of Malware Analysis
- code analysis / 4. Types Of Malware Analysis
- memory analysis / 4. Types Of Malware Analysis
U
- unconditional jump / 6.1 Unconditional Jumps
- UPX packer
- URL / 4.1 Manual Unpacking
- User Mode / 2. User Mode And Kernel Mode
V
- Virtual Address Descriptors (VADs)
- about / 1. Detecting Code Injection
- information, obtaining / 1.1 Getting VAD Information
- used, for detecting injected code / 1.2 Detecting Injected Code Using VAD
- Virtual Machine (VM)
- lab environment, setting up / 5. Setting Up The Lab Environment
- about / 2.1 Memory Acquisition Using DumpIt
- virtual memory
- about / 1. Virtual Memory
- Process Memory Components / 1.1 Process Memory Components (User Space)
- Kernel Memory Contents / 1.2 Kernel Memory Contents (Kernel Space)
- virus / 1. What Is Malware?
- VirusBay
- URL / 6. Malware Sources
- VirusShare
- URL / 6. Malware Sources
- VirusTotal
- suspect binary, scanning / 3.1 Scanning the Suspect Binary with VirusTotal
- URL / 3.1 Scanning the Suspect Binary with VirusTotal
- VirusTotal Public API
- volatility
- overview / 3. Volatility Overview
- URL / 3. Volatility Overview, 3.1 Installing Volatility
- installing / 3.1 Installing Volatility
- standalone executable / 3.1.1 Volatility Standalone Executable
- source package / 3.1.2 Volatility Source Package
- using / 3.2 Using Volatility
W
- Windows Management Instrumentation (WMI)
- URL / 2.10 Service
- Windows API
- disassembling / 3. Disassembling Windows API
- about / 3.1 Understanding Windows API
- ANSI / 3.1.1 ANSI and Unicode API Functions
- Unicode API functions / 3.1.1 ANSI and Unicode API Functions
- extended API functions / 3.1.2 Extended API Functions
- 32-bit, versus 64-bit / 3.2 Windows API 32-Bit and 64-Bit Comparison
- Windows API Call Flow / 2.1 Windows API Call Flow
- Windows Driver Kit (WDK) / 9. Kernel Callbacks And Timers
- Windows VM
- configuring / 5.4 Setting Up And Configuring Windows VM
- setting up / 5.4 Setting Up And Configuring Windows VM
- Winlogon registry entries / 2.4 Winlogon Registry Entries
- WinObj tool
- URL / 4.1 Process Overview
- Wireshark
- Network Traffic, capturing / 3.4 Capturing Network Traffic With Wireshark
- worm / 1. What Is Malware?
X
- x64dbg
- used, for debugging binary / 2. Debugging a Binary Using x64dbg
- references / 2. Debugging a Binary Using x64dbg
- process, launching / 2.1 Launching a New Process in x64dbg
- used, for attaching process / 2.2 Attaching to an Existing Process Using x64dbg
- debugger interface / 2.3 x64dbg Debugger Interface
- used, for controlling process execution / 2.4 Controlling Process Execution Using x64dbg
- breakpoint, setting / 2.5 Setting a Breakpoint in x64dbg
- URL / 2.5 Setting a Breakpoint in x64dbg
- 32-bit Malware, debugging / 2.6 Debugging 32-bit Malware
- 64-bit Malware, debugging / 2.7 Debugging 64-bit Malware
- used, for debugging malicious DLL / 2.8 Debugging a Malicious DLL Using x64dbg
- DLL, debugging with rundll32.exe / 2.8.1 Using rundll32.exe to Debug the DLL in x64dbg
- DLL, debugging in specific process / 2.8.2 Debugging a DLL in a Specific Process
- execution, tracing / 2.9 Tracing Execution in x64dbg
- instruction tracing / 2.9.1 Instruction Tracing
- function tracing / 2.9.2 Function Tracing
- patching / 2.10 Patching in x64dbg
- x64 architecture
- about / 11. x64 Architecture
- 32-bit executable, analyzing on 64-bit Windows / 11.1 Analyzing 32-bit Executable On 64-bit Windows
- XOR encoding
- about / 1.3 XOR Encoding
- single byte XOR / 1.3.1 Single Byte XOR
- key, searching through brute-force / 1.3.2 Finding XOR Key Through Brute-Force
- NULL, ignoring / 1.3.3 NULL Ignoring XOR Encoding
- multi-byte XOR, using / 1.3.4 Multi-byte XOR Encoding
- identifying / 1.3.5 Identifying XOR Encoding
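Added example for the XOR encoding entries above (single-byte XOR, brute-forcing the key against a known plaintext, the NULL-ignoring variant, and recovering a multi-byte key); this is editor-supplied code, not code from the book, and the sample plaintext is constructed to resemble the start of a PE with its DOS stub string, which is a convenient known plaintext for real samples too:

```python
"""Single-byte, NULL-ignoring and multi-byte XOR: encode, brute-force, recover the key."""


def xor_single(data: bytes, key: int) -> bytes:
    """Plain single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def xor_null_ignoring(data: bytes, key: int) -> bytes:
    """Single-byte XOR that leaves 0x00 bytes and bytes equal to the key untouched.
    Malware uses this so that long runs of NULLs do not turn into runs of the key
    byte, which would give the key away in a hex dump. Still symmetric: a byte that
    was skipped on encoding is exactly one that would be skipped on decoding."""
    return bytes(b if b in (0, key) else b ^ key for b in data)


def xor_multi(data: bytes, key: bytes) -> bytes:
    """Multi-byte (repeating-key) XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_force_single_byte(cipher: bytes, known: bytes, decoder=xor_single) -> list:
    """Return every one-byte key for which the decoder reveals the known plaintext.
    Pass decoder=xor_null_ignoring when the naive search comes back empty."""
    return [k for k in range(256) if known in decoder(cipher, k)]


def recover_multibyte_key(cipher: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Recover a repeating key of length key_len from a known plaintext at a known
    offset (the plaintext must cover at least one full key period). The result is
    rotated so that key[0] lines up with offset 0 of the ciphertext."""
    if len(known) < key_len:
        raise ValueError("known plaintext must cover at least one full key period")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = cipher[pos] ^ known[i]
    return bytes(key)


# Constructed sample: the first bytes of a PE-like header followed by the DOS stub
# message that almost every PE carries, which is why it makes a good known plaintext.
DOS_STUB = b"This program cannot be run in DOS mode"
SAMPLE_PLAIN = b"MZ\x90\x00\x03\x00\x00\x00" + DOS_STUB


def demo() -> dict:
    """Run the three scenarios and return the keys each search recovers."""
    naive_cipher = xor_single(SAMPLE_PLAIN, 0x5C)
    # 0x54 is 'T': under NULL-ignoring XOR the 'T' of "This" and the header NULLs
    # pass through unchanged, so a plain XOR brute-force never sees the stub string.
    ni_cipher = xor_null_ignoring(SAMPLE_PLAIN, 0x54)
    multi_cipher = xor_multi(SAMPLE_PLAIN, b"\x13\x37\xab")
    return {
        "single": brute_force_single_byte(naive_cipher, DOS_STUB),
        "null_ignoring_naive": brute_force_single_byte(ni_cipher, DOS_STUB),
        "null_ignoring": brute_force_single_byte(ni_cipher, DOS_STUB, xor_null_ignoring),
        "multi": recover_multibyte_key(multi_cipher, DOS_STUB, offset=8, key_len=3),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:20s} -> {key!r}")
```

The "null_ignoring_naive" result is the point of the NULL-ignoring entry: the naive brute force returns no key at all, not a wrong one, so an empty result against a sample that clearly holds an embedded PE is a cue to retry with the NULL-ignoring decoder (or to search for a substring that contains neither NULLs nor the candidate key byte, such as "program cannot be run").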
Y
- YARA
- used, for classifying malware / 7.4 Classifying Malware Using YARA
- references / 7.4 Classifying Malware Using YARA, 7.4.1 Installing YARA
- installing / 7.4.1 Installing YARA
- rules / 7.4.2 YARA Rule Basics
- executing / 7.4.3 Running YARA
- applications / 7.4.4 Applications of YARA
- used, for detecting Crypto Signatures / 2.3 Detecting Crypto Signatures Using YARA