Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Windows APT Warfare
  • Table Of Contents Toc
Windows APT Warfare

Windows APT Warfare

By : Sheng-Hao Ma
5 (5)
Buy this Book
close
close
Windows APT Warfare

Windows APT Warfare

5 (5)
By: Sheng-Hao Ma
Buy this Book

Overview of this book

An Advanced Persistent Threat (APT) is a severe form of cyberattack that lies low in the system for a prolonged time and locates and then exploits sensitive information. Preventing APTs requires a strong foundation of basic security techniques combined with effective security monitoring. This book will help you gain a red team perspective on exploiting system design and master techniques to prevent APT attacks. Once you’ve understood the internal design of operating systems, you’ll be ready to get hands-on with red team attacks and, further, learn how to create and compile C source code into an EXE program file. Throughout this book, you’ll explore the inner workings of how Windows systems run and how attackers abuse this knowledge to bypass antivirus products and protection. As you advance, you’ll cover practical examples of malware and online game hacking, such as EXE infection, shellcode development, software packers, UAC bypass, path parser vulnerabilities, and digital signature forgery, gaining expertise in keeping your system safe from this kind of malware. By the end of this book, you’ll be well equipped to implement the red team techniques that you've learned on a victim's computer environment, attempting to bypass security and antivirus products, to test its defense against Windows APT attacks.
Table of Contents (17 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the example code files
Icon
Download the color images
Icon
Conventions used
Icon
Get in touch
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book
1
Part 1 – Modern Windows Compiler
Icon
Part 1 – Modern Windows Compiler
Lock Free Chapter
2
Chapter 1: From Source to Binaries – The Journey of a C Program
Icon
Chapter 1: From Source to Binaries – The Journey of a C Program
Icon
The simplest Windows program in C
Icon
C compiler – assembly code generation
Icon
Assembler – transforming assembly code into machine code
Icon
Compiling code
Icon
Windows linker – packing binary data into PE format
Icon
Running static PE files as dynamic processes
Icon
Summary
3
Chapter 2: Process Memory – File Mapping, PE Parser, tinyLinker, and Hollowing
Icon
Chapter 2: Process Memory – File Mapping, PE Parser, tinyLinker, and Hollowing
Icon
Sample programs
Icon
The memory of the static contents of PE files
Icon
PE Parser example
Icon
Dynamic file mapping
Icon
PE infection (PE Patcher) example
Icon
tinyLinker example
Icon
Examples of process hollowing
Icon
PE files to HTML
Icon
Summary
4
Chapter 3: Dynamic API Calling – Thread, Process, and Environment Information
chevron up
Icon
Chapter 3: Dynamic API Calling – Thread, Process, and Environment Information
Icon
Sample programs
Icon
Function calling convention
Icon
Thread Environment Block (TEB)
Icon
Process Environment Block
Icon
Examples of process parameter forgery
Icon
Examples of enumerating loaded modules without an API
Icon
Examples of disguising and hiding loaded DLLs
Icon
Summary
5
Part 2 – Windows Process Internals
Icon
Part 2 – Windows Process Internals
6
Chapter 4: Shellcode Technique – Exported Function Parsing
Icon
Chapter 4: Shellcode Technique – Exported Function Parsing
Icon
Sample programs
Icon
EATs in PE
Icon
Examples of a DLL file analyzer
Icon
Examples of writing shellcode in x86
Icon
A shellcode generator in Python
Icon
Summary
7
Chapter 5: Application Loader Design
Icon
Chapter 5: Application Loader Design
Icon
Import Address Table in PE
Icon
Import API analyzer example
Icon
Examples of IAT hijack
Icon
DLL side-loading example
Icon
Summary
8
Chapter 6: PE Module Relocation
Icon
Chapter 6: PE Module Relocation
Icon
Relocation table of PE
Icon
tinyLoader example
Icon
Summary
9
Part 3 – Abuse System Design and Red Team Tips
Icon
Part 3 – Abuse System Design and Red Team Tips
10
Chapter 7: PE to Shellcode – Transforming PE Files into Shellcode
Icon
Chapter 7: PE to Shellcode – Transforming PE Files into Shellcode
Icon
The open source project pe_to_shellcode analysis
Icon
Summary
11
Chapter 8: Software Packer Design
Icon
Chapter 8: Software Packer Design
Icon
What is a software packer?
Icon
Packer builder
Icon
Stub – the main program of an unpacker
Icon
Examples of software packers
Icon
Summary
12
Chapter 9: Digital Signature – Authenticode Verification
Icon
Chapter 9: Digital Signature – Authenticode Verification
Icon
Authenticode digital signatures
Icon
Signature verification
Icon
Examples of mock signatures
Icon
Examples of bypassing hash verification
Icon
Examples of signature steganography
Icon
Getting signed by abusing path normalization
Icon
Summary
13
Chapter 10: Reversing User Account Control and Bypassing Tricks
Icon
Chapter 10: Reversing User Account Control and Bypassing Tricks
Icon
UAC overview
Icon
RAiLaunchAdminProcess callback
Icon
Two-level authentication mechanism
Icon
Elevated privilege conditions
Icon
Examples of bypassing UAC
Icon
Summary
14
Index
Icon
Index
Icon
Why subscribe?
15
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book
1
Appendix – NTFS, Paths, and Symbols
Icon
Appendix – NTFS, Paths, and Symbols
Icon
Win32 and NT path specification

Function calling convention

In the previous chapters, we learned that the compiler saves chunks of code in different sections depending on the function of the source code. For example, the code is converted to machine code and stored in the .text section, the data is stored in the .data or .rdata section, and the import address table (IAT) is stored in the .idata section, as shown in Figure 3.1:

Figure 3.1 – Native code of msgbox.exe

Figure 3.1 – Native code of msgbox.exe

Shellcode is a concise machine code script. When we can hijack a thread’s program counter, such as the EIP or RIP registers or the return address, we can control it in shellcode to perform specific and precise tasks (calling a specific set of system APIs). Common behaviors (such as downloading and executing malware, reverse shell connections, pop-up windows, etc.) are all achieved by calling the system API.

However, unlike PE programs, shellcode does not run with the help of the kernel to do file mapping or...

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Windows APT Warfare
End of Section 4
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon