Book Image

Mastering Malware Analysis - Second Edition

By : Alexey Kleymenov, Amr Thabet
5 (2)
Book Image

Mastering Malware Analysis - Second Edition

5 (2)
By: Alexey Kleymenov, Amr Thabet

Overview of this book

New and developing technologies inevitably bring new types of malware with them, creating a huge demand for IT professionals that can keep malware at bay. With the help of this updated second edition of Mastering Malware Analysis, you’ll be able to add valuable reverse-engineering skills to your CV and learn how to protect organizations in the most efficient way. This book will familiarize you with multiple universal patterns behind different malicious software types and teach you how to analyze them using a variety of approaches. You'll learn how to examine malware code and determine the damage it can possibly cause to systems, along with ensuring that the right prevention or remediation steps are followed. As you cover all aspects of malware analysis for Windows, Linux, macOS, and mobile platforms in detail, you’ll also get to grips with obfuscation, anti-debugging, and other advanced anti-reverse-engineering techniques. The skills you acquire in this cybersecurity book will help you deal with all types of modern malware, strengthen your defenses, and prevent or promptly mitigate breaches regardless of the platforms involved. By the end of this book, you will have learned how to efficiently analyze samples, investigate suspicious activity, and build innovative solutions to handle malware incidents.

Related Content you might be interested in

Current Title:

Small book image
Mastering Malware Analysis - Second Edition
Alexey Kleymenov | Amr Thabet
Sep, 2022 | 572 pages
Small book image
Mastering Reverse Engineering
Reginald Wong
Oct, 2018 | 436 pages
Small book image
Learning Malware Analysis
Monnappa K A
Jun, 2018 | 510 pages
Small book image
Antivirus Bypass Techniques
Nir Yehoshua | Uriel Kosayev
Jul, 2021 | 242 pages
Table of Contents (20 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Part 1 Fundamental Theory
Part 1 Fundamental Theory
Free Chapter
2
Chapter 1: Cybercrime, APT Attacks, and Research Strategies
Chapter 1: Cybercrime, APT Attacks, and Research Strategies
Why malware analysis?
Exploring types of malware
The MITRE ATT&CK framework explained
APT and zero-day attacks and fileless malware
Choosing your analysis strategy
Setting up the environment
Summary
3
Chapter 2: A Crash Course in Assembly and Programming Basics
Chapter 2: A Crash Course in Assembly and Programming Basics
Basics of informatics
Architectures and their assembly
Becoming familiar with x86 (IA-32 and x64)
Exploring ARM assembly
Basics of MIPS
Diving deep into PowerPC
Covering the SuperH assembly
Working with SPARC
Moving from assembly to high-level programming languages
Summary
4
Part 2 Diving Deep into Windows Malware
Part 2 Diving Deep into Windows Malware
5
Chapter 3: Basic Static and Dynamic Analysis for x86/x64
Chapter 3: Basic Static and Dynamic Analysis for x86/x64
Working with the PE header structure
Static and dynamic linking
Using PE header information for static analysis
PE loading and process creation
Basics of dynamic analysis using OllyDbg and x64dbg
Debugging malicious services
Essentials of behavioral analysis
Summary
6
Chapter 4: Unpacking, Decryption, and Deobfuscation
Chapter 4: Unpacking, Decryption, and Deobfuscation
Exploring packers
Identifying a packed sample
Automatically unpacking packed samples
Manual unpacking techniques
Dumping the unpacked sample and fixing the import table
Identifying simple encryption algorithms and functions
Advanced symmetric and asymmetric encryption algorithms
Applications of encryption in modern malware – Vawtrak banking Trojan
Using IDA for decryption and unpacking
Summary
7
Chapter 5: Inspecting Process Injection and API Hooking
Chapter 5: Inspecting Process Injection and API Hooking
Understanding process injection
DLL injection
Diving deeper into process injection
A dynamic analysis of code injection
Memory forensics techniques for process injection
Understanding API hooking
Exploring IAT hooking
Summary
8
Chapter 6: Bypassing Anti-Reverse Engineering Techniques
Chapter 6: Bypassing Anti-Reverse Engineering Techniques
Exploring debugger detection
Handling the evasion of debugger breakpoints
Escaping the debugger
Understanding obfuscation and anti-disassemblers
Detecting and evading behavioral analysis tools
Detecting sandboxes and VMs
Summary
9
Chapter 7: Understanding Kernel-Mode Rootkits
Chapter 7: Understanding Kernel-Mode Rootkits
Kernel mode versus user mode
Windows internals
Rootkits and device drivers
Hooking mechanisms
DKOM
Process injection in kernel mode
KPP in x64 systems (PatchGuard)
Static and dynamic analysis in kernel mode
Summary
10
Part 3 Examining Cross-Platform and Bytecode-Based Malware
Part 3 Examining Cross-Platform and Bytecode-Based Malware
11
Chapter 8: Handling Exploits and Shellcode
Chapter 8: Handling Exploits and Shellcode
Getting familiar with vulnerabilities and exploits
Cracking the shellcode
Exploring bypasses for exploit mitigation technologies
Analyzing Microsoft Office exploits
Studying malicious PDFs
Summary
12
Chapter 9: Reversing Bytecode Languages – .NET, Java, and More
Chapter 9: Reversing Bytecode Languages – .NET, Java, and More
The basic theory of bytecode languages
.NET explained
.NET malware analysis
The essentials of Visual Basic
Dissecting Visual Basic samples
The internals of Java samples
Analyzing compiled Python threats
Summary
13
Chapter 10: Scripts and Macros – Reversing, Deobfuscation, and Debugging
Chapter 10: Scripts and Macros – Reversing, Deobfuscation, and Debugging
Classic shell script languages
VBScript explained
VBA and Excel 4.0 (XLM) macros and more
The power of PowerShell
Handling JavaScript
Behind C&C – even malware has its own backend
Other script languages
Summary
14
Part 4 Looking into IoT and Other Platforms
Part 4 Looking into IoT and Other Platforms
15
Chapter 11: Dissecting Linux and IoT Malware
Chapter 11: Dissecting Linux and IoT Malware
Explaining ELF files
Exploring common behavioral patterns
Static and dynamic analysis of x86 (32- and 64-bit) samples
Learning about Mirai, its clones, and more
Static and dynamic analysis of RISC samples
Handling other architectures
Summary
16
Chapter 12: Introduction to macOS and iOS Threats
Chapter 12: Introduction to macOS and iOS Threats
Understanding the role of the security model
File formats and APIs
Attack stages
Advanced techniques
Static and dynamic analysis of macOS and iOS samples
The analysis workflow
Summary
17
Chapter 13: Analyzing Android Malware Samples
Chapter 13: Analyzing Android Malware Samples
(Ab)using the Android internals
Understanding Dalvik and ART
File formats and APIs
Malware behavior patterns
Static and dynamic analysis of threats
Summary
18
Index
Index
Why subscribe?
19
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you

Exploring IAT hooking

Import Address Table hooking (IAT hooking) is another form of API hooking that is not used as often. This hooking technique doesn’t require any disassembler, code patching, or trampoline. The idea behind it is to modify the import table’s addresses so that they point to the malicious hooking functions rather than the actual API. In this case, the hooking function executes jmp on the actual API address (or the call after pushing the API arguments to the stack), and then returns to the actual program, as shown in the following diagram:

Figure 5.20 – The IAT hooking mechanism

This hooking is not effective against the dynamic loading of APIs (using GetProcAddress and LoadLibrary), but it’s still effective against many legitimate applications that have most of their required APIs in the import table.

Previous Section
End of Section 8
Next Section