Learning Malware Analysis

By: Monnappa K A

Overview of this book

Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. With adversaries becoming sophisticated and carrying out advanced malware attacks on critical infrastructures, data centers, and private and public organizations, detecting, responding to, and investigating such intrusions is critical to information security professionals. Malware analysis and memory forensics have become must-have skills to fight advanced malware, targeted attacks, and security breaches. This book teaches you the concepts, techniques, and tools to understand the behavior and characteristics of malware through malware analysis. It also teaches you techniques to investigate and hunt malware using memory forensics. This book introduces you to the basics of malware analysis, and then gradually progresses into the more advanced concepts of code analysis and memory forensics. It uses real-world malware samples, infected memory images, and visual diagrams to help you gain a better understanding of the subject and to equip you with the skills required to analyze, investigate, and respond to malware-related incidents.
Table of Contents (19 chapters)
Title Page
Copyright and Credits
Dedication
Packt Upsell
Contributors
Preface
Index

Preface

Advances in computer and internet technology have changed our lives and revolutionized the way organizations conduct business. However, technological evolution and digitization have also given rise to cybercriminal activity. The growing threat of cyberattacks on critical infrastructure, data centers, and the private, public, defence, energy, government, and financial sectors poses a unique challenge to everyone from individuals to large corporations. These cyberattacks make use of malicious software (also known as malware) for financial theft, espionage, sabotage, intellectual property theft, and political motives.

With adversaries becoming sophisticated and carrying out advanced malware attacks, detecting and responding to such intrusions is critical for cybersecurity professionals. Malware analysis has become a must-have skill for fighting advanced malware and targeted attacks. Malware analysis requires a well-balanced knowledge of many different skills and subjects. In other words, learning malware analysis demands time and requires patience.

This book teaches the concepts, tools, and techniques to understand the behavior and characteristics of Windows malware using malware analysis. This book starts by introducing you to basic concepts of malware analysis. It then gradually progresses deep into more advanced concepts of code analysis and memory forensics. To help you understand the concepts better, various real-world malware samples, infected memory images, and visual diagrams are used in the examples throughout the book. In addition to this, enough information is given to help you understand the required concepts, and wherever possible, references to additional resources are provided for further reading.

If you are new to the field of malware analysis, this book should help you get started, or if you are experienced in this field, this book will help enhance your knowledge further. Whether you are learning malware analysis to perform a forensic investigation, to respond to an incident, or for fun, this book enables you to accomplish your goals.

Who this book is for

If you're an incident responder, cybersecurity investigator, system administrator, malware analyst, forensic practitioner, student, or a curious security professional interested in learning or enhancing your malware analysis skills, then this book is for you.

What this book covers

Chapter 1, Introduction to Malware Analysis, introduces readers to the concept of malware analysis, the types of malware analysis, and setting up an isolated malware analysis lab environment.

Chapter 2, Static Analysis, teaches the tools and techniques to extract metadata information from a malicious binary. It shows you how to compare and classify malware samples. You'll learn how to determine various aspects of the binary without executing it.

Chapter 3, Dynamic Analysis, teaches the tools and techniques to determine the behavior of the malware and its interaction with the system. You'll learn how to obtain the network and host-based indicators associated with the malware.

Chapter 4, Assembly Language and Disassembly Primer, gives a basic understanding of assembly language and teaches the necessary skills required to perform code analysis.

Chapter 5, Disassembly Using IDA, covers the features of the IDA Pro disassembler, and you will learn how to use IDA Pro to perform static code analysis (disassembly).

Chapter 6, Debugging Malicious Binaries, teaches the technique of debugging a binary using x64dbg and the IDA Pro debugger. You will learn how to use a debugger to control the execution of a program and to manipulate a program's behavior.

Chapter 7, Malware Functionalities and Persistence, describes various functionalities of malware using reverse engineering. It also covers various persistence methods used by malicious programs.

Chapter 8, Code Injection and Hooking, teaches common code injection techniques used by malicious programs to execute malicious code within the context of a legitimate process. It also describes the hooking techniques used by malware to redirect control to the malicious code in order to monitor, block, or filter an API's output. You will learn how to analyze malicious programs that use code injection and hooking techniques.

Chapter 9, Malware Obfuscation Techniques, covers encoding, encryption, and packing techniques used by malicious programs to conceal and hide information. It teaches different strategies to decode/decrypt the data and unpack the malicious binary.

Chapter 10, Hunting Malware Using Memory Forensics, teaches techniques to detect malicious components using memory forensics. You will learn various Volatility plugins to detect and identify forensic artifacts in memory.

Chapter 11, Detecting Advanced Malware Using Memory Forensics, teaches the stealth techniques used by advanced malware to hide from forensic tools. You will learn to investigate and detect user mode and kernel mode rootkit components.

To get the most out of this book

Knowledge of programming languages such as C and Python would be helpful (especially to understand the concepts covered in chapters 5, 6, 7, 8, and 9). If you have written a few lines of code and have a basic understanding of programming concepts, you’ll be able to get the most out of this book.

If you have no programming knowledge, you will still be able to follow the basic malware analysis concepts covered in chapters 1, 2, and 3. However, you may find it slightly difficult to understand the concepts covered in the rest of the chapters. To get you up to speed, sufficient information and additional resources are provided in each chapter. You may need to do some additional reading to fully understand the concepts.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/LearningMalwareAnalysis_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: used for code examples, folder names, filenames, registry key and values, file extensions, pathnames, dummy URLs, user input, function names, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."

Any command-line input is shown in bold, as in the following example:

$ sudo inetsim
INetSim 1.2.6 (2016-08-29) by Matthias Eckert & Thomas Hungenberg
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/

When we wish to draw your attention to a particular part of code or output, the relevant lines or items are set in bold:

$ python vol.py -f tdl3.vmem --profile=WinXPSP3x86 ldrmodules -p 880
Volatility Foundation Volatility Framework 2.6
Pid Process Base InLoad InInit InMem MappedPath
--- ----------- -------- ----- ------- ----- ----------------------------
880 svchost.exe 0x10000000 False False False \WINDOWS\system32\TDSSoiqh.dll
880 svchost.exe 0x01000000 True False True \WINDOWS\system32\svchost.exe
880 svchost.exe 0x76d30000 True True True \WINDOWS\system32\wmi.dll
880 svchost.exe 0x76f60000 True True True \WINDOWS\system32\wldap32.dll
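The ldrmodules listing above is also a good example of what the memory-forensics chapters look for: InLoad, InInit, and InMem tell you whether a module appears in each of the three PEB module lists, and MappedPath is the file backing the memory region. TDSSoiqh.dll is mapped into svchost.exe but absent from all three lists, which is the classic sign of a DLL that has been unlinked or injected without going through the loader. Note the caveat visible in the same output: the process's own image (svchost.exe at 0x01000000) is legitimately missing from the initialization-order list, so a single False is not by itself suspicious. The following parser, an added example that is not code from the book, applies that rule to the exact text reproduced above; it assumes only the Volatility 2.6 ldrmodules column layout shown on this page.

```python
"""Parse Volatility 2.6 ``ldrmodules`` output and flag modules that are
mapped into a process but missing from every PEB module list.

Added example, not code from the book. SAMPLE_OUTPUT is the listing
reproduced in the book's conventions section.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Pid Process Base InLoad InInit InMem MappedPath
--- ----------- -------- ----- ------- ----- ----------------------------
880 svchost.exe 0x10000000 False False False \\WINDOWS\\system32\\TDSSoiqh.dll
880 svchost.exe 0x01000000 True False True \\WINDOWS\\system32\\svchost.exe
880 svchost.exe 0x76d30000 True True True \\WINDOWS\\system32\\wmi.dll
880 svchost.exe 0x76f60000 True True True \\WINDOWS\\system32\\wldap32.dll
"""


@dataclass
class LdrModule:
    pid: int
    process: str
    base: int
    in_load: bool   # present in InLoadOrderModuleList
    in_init: bool   # present in InInitializationOrderModuleList
    in_mem: bool    # present in InMemoryOrderModuleList
    mapped_path: str  # file backing the region, from the VAD

    def is_unlinked(self) -> bool:
        """True when the module is mapped but absent from all three lists."""
        return not (self.in_load or self.in_init or self.in_mem)


# One data row: pid, process, hex base, three True/False flags, optional path.
ROW_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<load>True|False)\s+(?P<init>True|False)\s+(?P<mem>True|False)"
    r"\s*(?P<path>.*)$"
)


def parse_ldrmodules(text: str) -> List[LdrModule]:
    """Return the data rows of an ldrmodules listing, skipping the banner,
    header and separator lines."""
    mods = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        mods.append(LdrModule(
            pid=int(m["pid"]),
            process=m["proc"],
            base=int(m["base"], 16),
            in_load=m["load"] == "True",
            in_init=m["init"] == "True",
            in_mem=m["mem"] == "True",
            mapped_path=m["path"].strip(),
        ))
    return mods


def find_unlinked(mods: List[LdrModule]) -> List[LdrModule]:
    """Modules absent from all three PEB lists.

    Requiring all three flags to be False avoids flagging the process's
    own image, which is normally absent from the init-order list only.
    """
    return [m for m in mods if m.is_unlinked()]


if __name__ == "__main__":
    for mod in find_unlinked(parse_ldrmodules(SAMPLE_OUTPUT)):
        print(f"pid {mod.pid} {mod.process}: unlinked module at "
              f"{mod.base:#010x} -> {mod.mapped_path or '<no mapped path>'}")
```

Run it on any saved ldrmodules output (for example, `vol.py ... ldrmodules > out.txt`) by passing the file's contents to parse_ldrmodules; a module with no MappedPath at all is also worth a look, since a legitimately loaded DLL is file-backed.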

Italics: Used for a new term, an important word or words, a malware name, and keyboard combinations. Here is an example: press Ctrl + C to copy.

Screen Text: Words in menus or dialog boxes appear in the text like this. Here is an example: Select System info from the Administration panel.

Note

Warnings or important notes appear like this.

Note

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report it to us. Please visit www.packtpub.com/submit-errata, select your book, click on the Errata Submission Form link, and enter the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.