Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

Title: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
File size: 13.6 MB
Total pages: 1128
Table of Contents
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Praise for Practical Malware Analysis
Warning
About the Authors
	About the Technical Reviewer
	About the Contributing Authors
Foreword
Acknowledgments
	Individual Thanks
Introduction
	What Is Malware Analysis?
	Prerequisites
	Practical, Hands-On Learning
	What’s in the Book?
0. Malware Analysis Primer
	The Goals of Malware Analysis
	Malware Analysis Techniques
		Basic Static Analysis
		Basic Dynamic Analysis
		Advanced Static Analysis
		Advanced Dynamic Analysis
	Types of Malware
	General Rules for Malware Analysis
I. Basic Analysis
	1. Basic Static Techniques
		Antivirus Scanning: A Useful First Step
		Hashing: A Fingerprint for Malware
		Finding Strings
		Packed and Obfuscated Malware
			Packing Files
			Detecting Packers with PEiD
		Portable Executable File Format
		Linked Libraries and Functions
			Static, Runtime, and Dynamic Linking
			Exploring Dynamically Linked Functions with Dependency Walker
			Imported Functions
			Exported Functions
		Static Analysis in Practice
			PotentialKeylogger.exe: An Unpacked Executable
			PackedProgram.exe: A Dead End
		The PE File Headers and Sections
			Examining PE Files with PEview
			Viewing the Resource Section with Resource Hacker
			Using Other PE File Tools
			PE Header Summary
		Conclusion
		Labs
			Lab 1-1
				Questions
			Lab 1-2
				Questions
			Lab 1-3
				Questions
			Lab 1-4
				Questions
	2. Malware Analysis in Virtual Machines
		The Structure of a Virtual Machine
		Creating Your Malware Analysis Machine
			Configuring VMware
				Disconnecting the Network
				Setting Up Host-Only Networking
				Using Multiple Virtual Machines
		Using Your Malware Analysis Machine
			Connecting Malware to the Internet
			Connecting and Disconnecting Peripheral Devices
			Taking Snapshots
			Transferring Files from a Virtual Machine
		The Risks of Using VMware for Malware Analysis
		Record/Replay: Running Your Computer in Reverse
		Conclusion
	3. Basic Dynamic Analysis
		Sandboxes: The Quick-and-Dirty Approach
			Using a Malware Sandbox
			Sandbox Drawbacks
		Running Malware
		Monitoring with Process Monitor
			The Procmon Display
			Filtering in Procmon
		Viewing Processes with Process Explorer
			The Process Explorer Display
			Using the Verify Option
			Comparing Strings
			Using Dependency Walker
			Analyzing Malicious Documents
		Comparing Registry Snapshots with Regshot
		Faking a Network
			Using ApateDNS
			Monitoring with Netcat
		Packet Sniffing with Wireshark
		Using INetSim
		Basic Dynamic Tools in Practice
		Conclusion
		Labs
			Lab 3-1
				Questions
			Lab 3-2
				Questions
			Lab 3-3
				Questions
			Lab 3-4
				Questions
II. Advanced Static Analysis
	4. A Crash Course in x86 Disassembly
		Levels of Abstraction
		Reverse-Engineering
		The x86 Architecture
			Main Memory
			Instructions
			Opcodes and Endianness
			Operands
			Registers
				General Registers
				Flags
				EIP, the Instruction Pointer
			Simple Instructions
				Arithmetic
				NOP
			The Stack
				Function Calls
				Stack Layout
			Conditionals
			Branching
			Rep Instructions
			C Main Method and Offsets
			More Information: Intel x86 Architecture Manuals
		Conclusion
	5. IDA Pro
		Loading an Executable
		The IDA Pro Interface
			Disassembly Window Modes
				Graph Mode
				Text Mode
			Useful Windows for Analysis
			Returning to the Default View
			Navigating IDA Pro
				Using Links and Cross-References
				Exploring Your History
				Navigation Band
				Jump to Location
			Searching
		Using Cross-References
			Code Cross-References
			Data Cross-References
		Analyzing Functions
		Using Graphing Options
		Enhancing Disassembly
			Renaming Locations
			Comments
			Formatting Operands
			Using Named Constants
			Redefining Code and Data
		Extending IDA with Plug-ins
			Using IDC Scripts
			Using IDAPython
			Using Commercial Plug-ins
		Conclusion
		Labs
			Lab 5-1
				Questions
	6. Recognizing C Code Constructs in Assembly
		Global vs. Local Variables
		Disassembling Arithmetic Operations
		Recognizing if Statements
			Analyzing Functions Graphically with IDA Pro
			Recognizing Nested if Statements
		Recognizing Loops
			Finding for Loops
			Finding while Loops
		Understanding Function Call Conventions
			cdecl
			stdcall
			fastcall
			Push vs. Move
		Analyzing switch Statements
			If Style
			Jump Table
		Disassembling Arrays
		Identifying Structs
		Analyzing Linked List Traversal
		Conclusion
		Labs
			Lab 6-1
				Questions
			Lab 6-2
				Questions
			Lab 6-3
				Questions
			Lab 6-4
				Questions
	7. Analyzing Malicious Windows Programs
		The Windows API
			Types and Hungarian Notation
			Handles
			File System Functions
			Special Files
				Shared Files
				Files Accessible via Namespaces
				Alternate Data Streams
		The Windows Registry
			Registry Root Keys
			Regedit
			Programs that Run Automatically
			Common Registry Functions
			Analyzing Registry Code in Practice
			Registry Scripting with .reg Files
		Networking APIs
			Berkeley Compatible Sockets
			The Server and Client Sides of Networking
			The WinINet API
		Following Running Malware
			DLLs
				How Malware Authors Use DLLs
				Basic DLL Structure
			Processes
				Creating a New Process
			Threads
				Thread Context
				Creating a Thread
			Interprocess Coordination with Mutexes
			Services
			The Component Object Model
				CLSIDs, IIDs, and the Use of COM Objects
				COM Server Malware
			Exceptions: When Things Go Wrong
		Kernel vs. User Mode
		The Native API
		Conclusion
		Labs
			Lab 7-1
				Questions
			Lab 7-2
				Questions
			Lab 7-3
				Questions
III. Advanced Dynamic Analysis
	8. Debugging
		Source-Level vs. Assembly-Level Debuggers
		Kernel vs. User-Mode Debugging
		Using a Debugger
			Single-Stepping
			Stepping-Over vs. Stepping-Into
			Pausing Execution with Breakpoints
				Software Execution Breakpoints
				Hardware Execution Breakpoints
				Conditional Breakpoints
		Exceptions
			First- and Second-Chance Exceptions
			Common Exceptions
		Modifying Execution with a Debugger
		Modifying Program Execution in Practice
		Conclusion
	9. OllyDbg
		Loading Malware
			Opening an Executable
			Attaching to a Running Process
		The OllyDbg Interface
		Memory Map
			Rebasing
				Base Addresses
				Absolute vs. Relative Addresses
		Viewing Threads and Stacks
		Executing Code
		Breakpoints
			Software Breakpoints
			Conditional Breakpoints
			Hardware Breakpoints
			Memory Breakpoints
		Loading DLLs
		Tracing
			Standard Back Trace
			Call Stack
			Run Trace
			Tracing Poison Ivy
		Exception Handling
		Patching
		Analyzing Shellcode
		Assistance Features
		Plug-ins
			OllyDump
			Hide Debugger
			Command Line
			Bookmarks
		Scriptable Debugging
		Conclusion
		Labs
			Lab 9-1
				Questions
			Lab 9-2
				Questions
			Lab 9-3
				Questions
	10. Kernel Debugging with WinDbg
		Drivers and Kernel Code
		Setting Up Kernel Debugging
		Using WinDbg
			Reading from Memory
			Using Arithmetic Operators
			Setting Breakpoints
			Listing Modules
		Microsoft Symbols
			Searching for Symbols
			Viewing Structure Information
			Configuring Windows Symbols
		Kernel Debugging in Practice
			Looking at the User-Space Code
			Looking at the Kernel-Mode Code
			Finding Driver Objects
		Rootkits
			Rootkit Analysis in Practice
			Interrupts
		Loading Drivers
		Kernel Issues for Windows Vista, Windows 7, and x64 Versions
		Conclusion
		Labs
			Lab 10-1
				Questions
			Lab 10-2
				Questions
			Lab 10-3
				Questions
IV. Malware Functionality
	11. Malware Behavior
		Downloaders and Launchers
		Backdoors
			Reverse Shell
				Netcat Reverse Shells
				Windows Reverse Shells
			RATs
			Botnets
			RATs and Botnets Compared
		Credential Stealers
			GINA Interception
			Hash Dumping
			Keystroke Logging
				Kernel-Based Keyloggers
				User-Space Keyloggers
				Identifying Keyloggers in Strings Listings
		Persistence Mechanisms
			The Windows Registry
				AppInit_DLLs
				Winlogon Notify
				SvcHost DLLs
			Trojanized System Binaries
			DLL Load-Order Hijacking
		Privilege Escalation
			Using SeDebugPrivilege
		Covering Its Tracks—User-Mode Rootkits
			IAT Hooking
			Inline Hooking
		Conclusion
		Labs
			Lab 11-1
				Questions
			Lab 11-2
				Questions
			Lab 11-3
				Questions
	12. Covert Malware Launching
		Launchers
		Process Injection
			DLL Injection
			Direct Injection
		Process Replacement
		Hook Injection
			Local and Remote Hooks
			Keyloggers Using Hooks
			Using SetWindowsHookEx
			Thread Targeting
		Detours
		APC Injection
			APC Injection from User Space
			APC Injection from Kernel Space
		Conclusion
		Labs
			Lab 12-1
				Questions
			Lab 12-2
				Questions
			Lab 12-3
				Questions
			Lab 12-4
				Questions
	13. Data Encoding
		The Goal of Analyzing Encoding Algorithms
		Simple Ciphers
			Caesar Cipher
			XOR
				Brute-Forcing XOR Encoding
				Brute-Forcing Many Files
				NULL-Preserving Single-Byte XOR Encoding
				Identifying XOR Loops in IDA Pro
			Other Simple Encoding Schemes
			Base64
				Transforming Data to Base64
				Identifying and Decoding Base64
		Common Cryptographic Algorithms
			Recognizing Strings and Imports
			Searching for Cryptographic Constants
				Using FindCrypt2
				Using Krypto ANALyzer
			Searching for High-Entropy Content
		Custom Encoding
			Identifying Custom Encoding
			Advantages of Custom Encoding to the Attacker
		Decoding
			Self-Decoding
			Manual Programming of Decoding Functions
			Using Instrumentation for Generic Decryption
		Conclusion
		Labs
			Lab 13-1
				Questions
			Lab 13-2
				Questions
			Lab 13-3
				Questions
	14. Malware-Focused Network Signatures
		Network Countermeasures
			Observing the Malware in Its Natural Habitat
			Indications of Malicious Activity
			OPSEC = Operations Security
		Safely Investigate an Attacker Online
			Indirection Tactics
			Getting IP Address and Domain Information
		Content-Based Network Countermeasures
			Intrusion Detection with Snort
			Taking a Deeper Look
		Combining Dynamic and Static Analysis Techniques
			The Danger of Overanalysis
			Hiding in Plain Sight
				Attackers Mimic Existing Protocols
				Attackers Use Existing Infrastructure
				Leveraging Client-Initiated Beaconing
			Understanding Surrounding Code
			Finding the Networking Code
			Knowing the Sources of Network Content
			Hard-Coded Data vs. Ephemeral Data
			Identifying and Leveraging the Encoding Steps
			Creating a Signature
			Analyze the Parsing Routines
			Targeting Multiple Elements
		Understanding the Attacker’s Perspective
		Conclusion
		Labs
			Lab 14-1
				Questions
			Lab 14-2
				Questions
			Lab 14-3
				Questions
V. Anti-Reverse-Engineering
	15. Anti-Disassembly
		Understanding Anti-Disassembly
		Defeating Disassembly Algorithms
			Linear Disassembly
			Flow-Oriented Disassembly
		Anti-Disassembly Techniques
			Jump Instructions with the Same Target
			A Jump Instruction with a Constant Condition
			Impossible Disassembly
			NOP-ing Out Instructions with IDA Pro
		Obscuring Flow Control
			The Function Pointer Problem
			Adding Missing Code Cross-References in IDA Pro
			Return Pointer Abuse
			Misusing Structured Exception Handlers
		Thwarting Stack-Frame Analysis
		Conclusion
		Labs
			Lab 15-1
				Questions
			Lab 15-2
				Questions
			Lab 15-3
				Questions
	16. Anti-Debugging
		Windows Debugger Detection
			Using the Windows API
			Manually Checking Structures
				Checking the BeingDebugged Flag
				Checking the ProcessHeap Flag
				Checking NTGlobalFlag
			Checking for System Residue
		Identifying Debugger Behavior
			INT Scanning
			Performing Code Checksums
			Timing Checks
				Using the rdtsc Instruction
				Using QueryPerformanceCounter and GetTickCount
		Interfering with Debugger Functionality
			Using TLS Callbacks
			Using Exceptions
			Inserting Interrupts
				Inserting INT 3
				Inserting INT 2D
				Inserting ICE
		Debugger Vulnerabilities
			PE Header Vulnerabilities
			The OutputDebugString Vulnerability
		Conclusion
		Labs
			Lab 16-1
				Questions
			Lab 16-2
				Questions
			Lab 16-3
				Questions
	17. Anti-Virtual Machine Techniques
		VMware Artifacts
			Bypassing VMware Artifact Searching
			Checking for Memory Artifacts
		Vulnerable Instructions
			Using the Red Pill Anti-VM Technique
			Using the No Pill Technique
			Querying the I/O Communication Port
			Using the str Instruction
			Anti-VM x86 Instructions
			Highlighting Anti-VM in IDA Pro
			Using ScoopyNG
		Tweaking Settings
		Escaping the Virtual Machine
		Conclusion
		Labs
			Lab 17-1
				Questions
			Lab 17-2
				Questions
			Lab 17-3
				Questions
	18. Packers and Unpacking
		Packer Anatomy
			The Unpacking Stub
			Loading the Executable
			Resolving Imports
			The Tail Jump
			Unpacking Illustrated
		Identifying Packed Programs
			Indicators of a Packed Program
			Entropy Calculation
		Unpacking Options
		Automated Unpacking
		Manual Unpacking
			Rebuilding the Import Table with Import Reconstructor
			Finding the OEP
				Using Automated Tools to Find the OEP
				Finding the OEP Manually
			Repairing the Import Table Manually
		Tips and Tricks for Common Packers
			UPX
			PECompact
			ASPack
			Petite
			WinUpack
			Themida
		Analyzing Without Fully Unpacking
		Packed DLLs
		Conclusion
		Labs
VI. Special Topics
	19. Shellcode Analysis
		Loading Shellcode for Analysis
		Position-Independent Code
		Identifying Execution Location
			Using call/pop
			Using fnstenv
		Manual Symbol Resolution
			Finding kernel32.dll in Memory
			Parsing PE Export Data
			Using Hashed Exported Names
		A Full Hello World Example
		Shellcode Encodings
		NOP Sleds
		Finding Shellcode
		Conclusion
		Labs
			Lab 19-1
				Questions
			Lab 19-2
				Questions
			Lab 19-3
				Questions
	20. C++ Analysis
		Object-Oriented Programming
			The this Pointer
			Overloading and Mangling
			Inheritance and Function Overriding
		Virtual vs. Nonvirtual Functions
			Use of Vtables
			Recognizing a Vtable
		Creating and Destroying Objects
		Conclusion
		Labs
			Lab 20-1
				Questions
			Lab 20-2
				Questions
			Lab 20-3
				Questions
	21. 64-Bit Malware
		Why 64-Bit Malware?
		Differences in x64 Architecture
			Differences in the x64 Calling Convention and Stack Usage
				Leaf and Nonleaf Functions
				Prologue and Epilogue 64-Bit Code
			64-Bit Exception Handling
		Windows 32-Bit on Windows 64-Bit
		64-Bit Hints at Malware Functionality
		Conclusion
		Labs
			Lab 21-1
				Questions
			Lab 21-2
				Questions
A. Important Windows Functions
B. Tools for Malware Analysis
C. Solutions to Labs
	Lab 1-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 1-2 Solutions
		Short Answers
		Detailed Analysis
	Lab 1-3 Solutions
		Short Answers
		Detailed Analysis
	Lab 1-4 Solutions
		Short Answers
		Detailed Analysis
	Lab 3-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 3-2 Solutions
		Short Answers
		Detailed Analysis
	Lab 3-3 Solutions
		Short Answers
		Detailed Analysis
	Lab 3-4 Solutions
		Short Answers
		Detailed Analysis
	Lab 5-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 6-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 6-2 Solutions
		Short Answers
		Detailed Analysis
	Lab 6-3 Solutions
		Short Answers
		Detailed Analysis
			Graphical View of Command Character Switch
			Switch Options
	Lab 6-4 Solutions
		Short Answers
		Detailed Analysis
	Lab 7-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 7-2 Solutions
		Short Answers
		Detailed Analysis
	Lab 7-3 Solutions
		Short Answers
		Detailed Analysis
			Analyzing the DLL
			Analyzing the EXE
	Lab 9-1 Solutions
		Short Answers
		Detailed Analysis
			Command-Line Option Analysis
			Backdoor Analysis
			Networking Analysis
			Malware Summary
	Lab 9-2 Solutions
		Short Answers
		Detailed Analysis
			Decoding Stack-Formed Strings
			Filename Check
			Decoding XOR Encoded Strings
			Reverse Shell Analysis
	Lab 9-3 Solutions
		Short Answers
		Detailed Analysis
			Using the Memory Map to Locate DLLs
			Applying a Structure in IDA Pro
			Specifying a New Image Base with IDA Pro
			Malware Summary
	Lab 10-1 Solutions
		Short Answers
		Detailed Analysis
			Viewing Lab10-01.sys in IDA Pro
			Analyzing Lab10-01.sys in WinDbg
	Lab 10-2 Solutions
		Short Answers
		Detailed Analysis
			Finding the Rootkit
			Examining the Hook Function
			Hiding Files
			Recovering the Hidden File
	Lab 10-3 Solutions
		Short Answers
		Detailed Analysis
			Analyzing the Executable in IDA Pro
			Analyzing the Driver
			Finding the Driver in Memory with WinDbg
			Analyzing the Functions of the Major Function Table
	Lab 11-1 Solutions
		Short Answers
		Detailed Analysis
			Analysis of msgina32.dll
			Summary
	Lab 11-2 Solutions
		Short Answers
		Detailed Analysis
			Low-Level Hook Operation Summary
			Examining the Hook in OllyDbg
			Capturing the Network Traffic
			Summary
	Lab 11-3 Solutions
		Short Answers
		Detailed Analysis
			Keylogger Analysis
			Summary
	Lab 12-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 12-2 Solutions
		Short Answers
		Detailed Analysis
	Lab 12-3 Solutions
		Short Answers
		Detailed Analysis
	Lab 12-4 Solutions
		Short Answers
		Detailed Analysis
	Lab 13-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 13-2 Solutions
		Short Answers
		Detailed Analysis
			Decoding Using OllyDbg
			Scripting the Solution
	Lab 13-3 Solutions
		Short Answers
		Detailed Analysis
			Modified Base64 Decoding
			Decrypting AES
			Crypto Pitfalls
	Lab 14-1 Solutions
		Short Answers
		Detailed Analysis
			Network Signatures
	Lab 14-2 Solutions
		Short Answers
		Detailed Analysis
			Network Signatures
	Lab 14-3 Solutions
		Short Answers
		Detailed Analysis
			Beacon
			Web Commands
	Lab 15-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 15-2 Solutions
		Short Answers
		Detailed Analysis
	Lab 15-3 Solutions
		Short Answers
		Detailed Analysis
	Lab 16-1 Solutions
		Short Answers
		Detailed Analysis
			The BeingDebugged Flag
			The ProcessHeap Flag
			The NTGlobalFlag Flag
			Summary
	Lab 16-2 Solutions
		Short Answers
		Detailed Analysis
			Getting the Correct Password
	Lab 16-3 Solutions
		Short Answers
		Detailed Analysis
			The QueryPerformanceCounter Function
			The GetTickCount Function
			The rdtsc Instruction
			Summary
	Lab 17-1 Solutions
		Short Answers
		Detailed Analysis
			Searching for Vulnerable Instructions
			The sidt Instruction—Red Pill
			The str Instruction
			The sldt Instruction—No Pill
	Lab 17-2 Solutions
		Short Answers
		Detailed Analysis
	Lab 17-3 Solutions
		Short Answers
		Detailed Analysis
			Searching for Vulnerable Instructions
			Finding Anti-VM Techniques Using Strings
			Reviewing the Final Check
			Summary
	Lab 18-1 Solutions
	Lab 18-2 Solutions
	Lab 18-3 Solutions
	Lab 18-4 Solutions
	Lab 18-5 Solutions
	Lab 19-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 19-2 Solutions
		Short Answers
		Detailed Analysis
	Lab 19-3 Solutions
		Short Answers
		Detailed Analysis
	Lab 20-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 20-2 Solutions
		Short Answers
		Detailed Analysis
	Lab 20-3 Solutions
		Short Answers
		Detailed Analysis
	Lab 21-1 Solutions
		Short Answers
		Detailed Analysis
	Lab 21-2 Solutions
		Short Answers
		Detailed Analysis
			X86 Code Path
			X64 Code Path
Index
About the Authors