You are previewing Practical Malware Analysis.
O'Reilly logo
Practical Malware Analysis

Book Description

For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you'll be able to safely analyze, debug, and disassemble any malicious software that comes your way.

Table of Contents

  1. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
  2. Praise for Practical Malware Analysis
  3. Warning
  4. About the Authors
    1. About the Technical Reviewer
    2. About the Contributing Authors
  5. Foreword
  6. Acknowledgments
    1. Individual Thanks
  7. Introduction
    1. What Is Malware Analysis?
    2. Prerequisites
    3. Practical, Hands-On Learning
    4. What’s in the Book?
  8. 0. Malware Analysis Primer
    1. The Goals of Malware Analysis
    2. Malware Analysis Techniques
      1. Basic Static Analysis
      2. Basic Dynamic Analysis
      3. Advanced Static Analysis
      4. Advanced Dynamic Analysis
    3. Types of Malware
    4. General Rules for Malware Analysis
  9. I. Basic Analysis
    1. 1. Basic Static Techniques
      1. Antivirus Scanning: A Useful First Step
      2. Hashing: A Fingerprint for Malware
      3. Finding Strings
      4. Packed and Obfuscated Malware
        1. Packing Files
        2. Detecting Packers with PEiD
      5. Portable Executable File Format
      6. Linked Libraries and Functions
        1. Static, Runtime, and Dynamic Linking
        2. Exploring Dynamically Linked Functions with Dependency Walker
        3. Imported Functions
        4. Exported Functions
      7. Static Analysis in Practice
        1. PotentialKeylogger.exe: An Unpacked Executable
        2. PackedProgram.exe: A Dead End
      8. The PE File Headers and Sections
        1. Examining PE Files with PEview
        2. Viewing the Resource Section with Resource Hacker
        3. Using Other PE File Tools
        4. PE Header Summary
      9. Conclusion
      10. Labs
        1. Lab 1-1
          1. Questions
        2. Lab 1-2
          1. Questions
        3. Lab 1-3
          1. Questions
        4. Lab 1-4
          1. Questions
    2. 2. Malware Analysis in Virtual Machines
      1. The Structure of a Virtual Machine
      2. Creating Your Malware Analysis Machine
        1. Configuring VMware
          1. Disconnecting the Network
          2. Setting Up Host-Only Networking
          3. Using Multiple Virtual Machines
      3. Using Your Malware Analysis Machine
        1. Connecting Malware to the Internet
        2. Connecting and Disconnecting Peripheral Devices
        3. Taking Snapshots
        4. Transferring Files from a Virtual Machine
      4. The Risks of Using VMware for Malware Analysis
      5. Record/Replay: Running Your Computer in Reverse
      6. Conclusion
    3. 3. Basic Dynamic Analysis
      1. Sandboxes: The Quick-and-Dirty Approach
        1. Using a Malware Sandbox
        2. Sandbox Drawbacks
      2. Running Malware
      3. Monitoring with Process Monitor
        1. The Procmon Display
        2. Filtering in Procmon
      4. Viewing Processes with Process Explorer
        1. The Process Explorer Display
        2. Using the Verify Option
        3. Comparing Strings
        4. Using Dependency Walker
        5. Analyzing Malicious Documents
      5. Comparing Registry Snapshots with Regshot
      6. Faking a Network
        1. Using ApateDNS
        2. Monitoring with Netcat
      7. Packet Sniffing with Wireshark
      8. Using INetSim
      9. Basic Dynamic Tools in Practice
      10. Conclusion
      11. Labs
        1. Lab 3-1
          1. Questions
        2. Lab 3-2
          1. Questions
        3. Lab 3-3
          1. Questions
        4. Lab 3-4
          1. Questions
  10. II. Advanced Static Analysis
    1. 4. A Crash Course in x86 Disassembly
      1. Levels of Abstraction
      2. Reverse-Engineering
      3. The x86 Architecture
        1. Main Memory
        2. Instructions
        3. Opcodes and Endianness
        4. Operands
        5. Registers
          1. General Registers
          2. Flags
          3. EIP, the Instruction Pointer
        6. Simple Instructions
          1. Arithmetic
          2. NOP
        7. The Stack
          1. Function Calls
          2. Stack Layout
        8. Conditionals
        9. Branching
        10. Rep Instructions
        11. C Main Method and Offsets
        12. More Information: Intel x86 Architecture Manuals
      4. Conclusion
    2. 5. IDA Pro
      1. Loading an Executable
      2. The IDA Pro Interface
        1. Disassembly Window Modes
          1. Graph Mode
          2. Text Mode
        2. Useful Windows for Analysis
        3. Returning to the Default View
        4. Navigating IDA Pro
          1. Using Links and Cross-References
          2. Exploring Your History
          3. Navigation Band
          4. Jump to Location
        5. Searching
      3. Using Cross-References
        1. Code Cross-References
        2. Data Cross-References
      4. Analyzing Functions
      5. Using Graphing Options
      6. Enhancing Disassembly
        1. Renaming Locations
        2. Comments
        3. Formatting Operands
        4. Using Named Constants
        5. Redefining Code and Data
      7. Extending IDA with Plug-ins
        1. Using IDC Scripts
        2. Using IDAPython
        3. Using Commercial Plug-ins
      8. Conclusion
      9. Labs
        1. Lab 5-1
          1. Questions
    3. 6. Recognizing C Code Constructs in Assembly
      1. Global vs. Local Variables
      2. Disassembling Arithmetic Operations
      3. Recognizing if Statements
        1. Analyzing Functions Graphically with IDA Pro
        2. Recognizing Nested if Statements
      4. Recognizing Loops
        1. Finding for Loops
        2. Finding while Loops
      5. Understanding Function Call Conventions
        1. cdecl
        2. stdcall
        3. fastcall
        4. Push vs. Move
      6. Analyzing switch Statements
        1. If Style
        2. Jump Table
      7. Disassembling Arrays
      8. Identifying Structs
      9. Analyzing Linked List Traversal
      10. Conclusion
      11. Labs
        1. Lab 6-1
          1. Questions
        2. Lab 6-2
          1. Questions
        3. Lab 6-3
          1. Questions
        4. Lab 6-4
          1. Questions
    4. 7. Analyzing Malicious Windows Programs
      1. The Windows API
        1. Types and Hungarian Notation
        2. Handles
        3. File System Functions
        4. Special Files
          1. Shared Files
          2. Files Accessible via Namespaces
          3. Alternate Data Streams
      2. The Windows Registry
        1. Registry Root Keys
        2. Regedit
        3. Programs that Run Automatically
        4. Common Registry Functions
        5. Analyzing Registry Code in Practice
        6. Registry Scripting with .reg Files
      3. Networking APIs
        1. Berkeley Compatible Sockets
        2. The Server and Client Sides of Networking
        3. The WinINet API
      4. Following Running Malware
        1. DLLs
          1. How Malware Authors Use DLLs
          2. Basic DLL Structure
        2. Processes
          1. Creating a New Process
        3. Threads
          1. Thread Context
          2. Creating a Thread
        4. Interprocess Coordination with Mutexes
        5. Services
        6. The Component Object Model
          1. CLSIDs, IIDs, and the Use of COM Objects
          2. COM Server Malware
        7. Exceptions: When Things Go Wrong
      5. Kernel vs. User Mode
      6. The Native API
      7. Conclusion
      8. Labs
        1. Lab 7-1
          1. Questions
        2. Lab 7-2
          1. Questions
        3. Lab 7-3
          1. Questions
  11. III. Advanced Dynamic Analysis
    1. 8. Debugging
      1. Source-Level vs. Assembly-Level Debuggers
      2. Kernel vs. User-Mode Debugging
      3. Using a Debugger
        1. Single-Stepping
        2. Stepping-Over vs. Stepping-Into
        3. Pausing Execution with Breakpoints
          1. Software Execution Breakpoints
          2. Hardware Execution Breakpoints
          3. Conditional Breakpoints
      4. Exceptions
        1. First- and Second-Chance Exceptions
        2. Common Exceptions
      5. Modifying Execution with a Debugger
      6. Modifying Program Execution in Practice
      7. Conclusion
    2. 9. OllyDbg
      1. Loading Malware
        1. Opening an Executable
        2. Attaching to a Running Process
      2. The OllyDbg Interface
      3. Memory Map
        1. Rebasing
          1. Base Addresses
          2. Absolute vs. Relative Addresses
      4. Viewing Threads and Stacks
      5. Executing Code
      6. Breakpoints
        1. Software Breakpoints
        2. Conditional Breakpoints
        3. Hardware Breakpoints
        4. Memory Breakpoints
      7. Loading DLLs
      8. Tracing
        1. Standard Back Trace
        2. Call Stack
        3. Run Trace
        4. Tracing Poison Ivy
      9. Exception Handling
      10. Patching
      11. Analyzing Shellcode
      12. Assistance Features
      13. Plug-ins
        1. OllyDump
        2. Hide Debugger
        3. Command Line
        4. Bookmarks
      14. Scriptable Debugging
      15. Conclusion
      16. Labs
        1. Lab 9-1
          1. Questions
        2. Lab 9-2
          1. Questions
        3. Lab 9-3
          1. Questions
    3. 10. Kernel Debugging with WinDbg
      1. Drivers and Kernel Code
      2. Setting Up Kernel Debugging
      3. Using WinDbg
        1. Reading from Memory
        2. Using Arithmetic Operators
        3. Setting Breakpoints
        4. Listing Modules
      4. Microsoft Symbols
        1. Searching for Symbols
        2. Viewing Structure Information
        3. Configuring Windows Symbols
      5. Kernel Debugging in Practice
        1. Looking at the User-Space Code
        2. Looking at the Kernel-Mode Code
        3. Finding Driver Objects
      6. Rootkits
        1. Rootkit Analysis in Practice
        2. Interrupts
      7. Loading Drivers
      8. Kernel Issues for Windows Vista, Windows 7, and x64 Versions
      9. Conclusion
      10. Labs
        1. Lab 10-1
          1. Questions
        2. Lab 10-2
          1. Questions
        3. Lab 10-3
          1. Questions
  12. IV. Malware Functionality
    1. 11. Malware Behavior
      1. Downloaders and Launchers
      2. Backdoors
        1. Reverse Shell
          1. Netcat Reverse Shells
          2. Windows Reverse Shells
        2. RATs
        3. Botnets
        4. RATs and Botnets Compared
      3. Credential Stealers
        1. GINA Interception
        2. Hash Dumping
        3. Keystroke Logging
          1. Kernel-Based Keyloggers
          2. User-Space Keyloggers
          3. Identifying Keyloggers in Strings Listings
      4. Persistence Mechanisms
        1. The Windows Registry
          1. AppInit_DLLs
          2. Winlogon Notify
          3. SvcHost DLLs
        2. Trojanized System Binaries
        3. DLL Load-Order Hijacking
      5. Privilege Escalation
        1. Using SeDebugPrivilege
      6. Covering Its Tracks—User-Mode Rootkits
        1. IAT Hooking
        2. Inline Hooking
      7. Conclusion
      8. Labs
        1. Lab 11-1
          1. Questions
        2. Lab 11-2
          1. Questions
        3. Lab 11-3
          1. Questions
    2. 12. Covert Malware Launching
      1. Launchers
      2. Process Injection
        1. DLL Injection
        2. Direct Injection
      3. Process Replacement
      4. Hook Injection
        1. Local and Remote Hooks
        2. Keyloggers Using Hooks
        3. Using SetWindowsHookEx
        4. Thread Targeting
      5. Detours
      6. APC Injection
        1. APC Injection from User Space
        2. APC Injection from Kernel Space
      7. Conclusion
      8. Labs
        1. Lab 12-1
          1. Questions
        2. Lab 12-2
          1. Questions
        3. Lab 12-3
          1. Questions
        4. Lab 12-4
          1. Questions
    3. 13. Data Encoding
      1. The Goal of Analyzing Encoding Algorithms
      2. Simple Ciphers
        1. Caesar Cipher
        2. XOR
          1. Brute-Forcing XOR Encoding
          2. Brute-Forcing Many Files
          3. NULL-Preserving Single-Byte XOR Encoding
          4. Identifying XOR Loops in IDA Pro
        3. Other Simple Encoding Schemes
        4. Base64
          1. Transforming Data to Base64
          2. Identifying and Decoding Base64
      3. Common Cryptographic Algorithms
        1. Recognizing Strings and Imports
        2. Searching for Cryptographic Constants
          1. Using FindCrypt2
          2. Using Krypto ANALyzer
        3. Searching for High-Entropy Content
      4. Custom Encoding
        1. Identifying Custom Encoding
        2. Advantages of Custom Encoding to the Attacker
      5. Decoding
        1. Self-Decoding
        2. Manual Programming of Decoding Functions
        3. Using Instrumentation for Generic Decryption
      6. Conclusion
      7. Labs
        1. Lab 13-1
          1. Questions
        2. Lab 13-2
          1. Questions
        3. Lab 13-3
          1. Questions
    4. 14. Malware-Focused Network Signatures
      1. Network Countermeasures
        1. Observing the Malware in Its Natural Habitat
        2. Indications of Malicious Activity
        3. OPSEC = Operations Security
      2. Safely Investigate an Attacker Online
        1. Indirection Tactics
        2. Getting IP Address and Domain Information
      3. Content-Based Network Countermeasures
        1. Intrusion Detection with Snort
        2. Taking a Deeper Look
      4. Combining Dynamic and Static Analysis Techniques
        1. The Danger of Overanalysis
        2. Hiding in Plain Sight
          1. Attackers Mimic Existing Protocols
          2. Attackers Use Existing Infrastructure
          3. Leveraging Client-Initiated Beaconing
        3. Understanding Surrounding Code
        4. Finding the Networking Code
        5. Knowing the Sources of Network Content
        6. Hard-Coded Data vs. Ephemeral Data
        7. Identifying and Leveraging the Encoding Steps
        8. Creating a Signature
        9. Analyze the Parsing Routines
        10. Targeting Multiple Elements
      5. Understanding the Attacker’s Perspective
      6. Conclusion
      7. Labs
        1. Lab 14-1
          1. Questions
        2. Lab 14-2
          1. Questions
        3. Lab 14-3
          1. Questions
  13. V. Anti-Reverse-Engineering
    1. 15. Anti-Disassembly
      1. Understanding Anti-Disassembly
      2. Defeating Disassembly Algorithms
        1. Linear Disassembly
        2. Flow-Oriented Disassembly
      3. Anti-Disassembly Techniques
        1. Jump Instructions with the Same Target
        2. A Jump Instruction with a Constant Condition
        3. Impossible Disassembly
        4. NOP-ing Out Instructions with IDA Pro
      4. Obscuring Flow Control
        1. The Function Pointer Problem
        2. Adding Missing Code Cross-References in IDA Pro
        3. Return Pointer Abuse
        4. Misusing Structured Exception Handlers
      5. Thwarting Stack-Frame Analysis
      6. Conclusion
      7. Labs
        1. Lab 15-1
          1. Questions
        2. Lab 15-2
          1. Questions
        3. Lab 15-3
          1. Questions
    2. 16. Anti-Debugging
      1. Windows Debugger Detection
        1. Using the Windows API
        2. Manually Checking Structures
          1. Checking the BeingDebugged Flag
          2. Checking the ProcessHeap Flag
          3. Checking NTGlobalFlag
        3. Checking for System Residue
      2. Identifying Debugger Behavior
        1. INT Scanning
        2. Performing Code Checksums
        3. Timing Checks
          1. Using the rdtsc Instruction
          2. Using QueryPerformanceCounter and GetTickCount
      3. Interfering with Debugger Functionality
        1. Using TLS Callbacks
        2. Using Exceptions
        3. Inserting Interrupts
          1. Inserting INT 3
          2. Inserting INT 2D
          3. Inserting ICE
      4. Debugger Vulnerabilities
        1. PE Header Vulnerabilities
        2. The OutputDebugString Vulnerability
      5. Conclusion
      6. Labs
        1. Lab 16-1
          1. Questions
        2. Lab 16-2
          1. Questions
        3. Lab 16-3
          1. Questions
    3. 17. Anti-Virtual Machine Techniques
      1. VMware Artifacts
        1. Bypassing VMware Artifact Searching
        2. Checking for Memory Artifacts
      2. Vulnerable Instructions
        1. Using the Red Pill Anti-VM Technique
        2. Using the No Pill Technique
        3. Querying the I/O Communication Port
        4. Using the str Instruction
        5. Anti-VM x86 Instructions
        6. Highlighting Anti-VM in IDA Pro
        7. Using ScoopyNG
      3. Tweaking Settings
      4. Escaping the Virtual Machine
      5. Conclusion
      6. Labs
        1. Lab 17-1
          1. Questions
        2. Lab 17-2
          1. Questions
        3. Lab 17-3
          1. Questions
    4. 18. Packers and Unpacking
      1. Packer Anatomy
        1. The Unpacking Stub
        2. Loading the Executable
        3. Resolving Imports
        4. The Tail Jump
        5. Unpacking Illustrated
      2. Identifying Packed Programs
        1. Indicators of a Packed Program
        2. Entropy Calculation
      3. Unpacking Options
      4. Automated Unpacking
      5. Manual Unpacking
        1. Rebuilding the Import Table with Import Reconstructor
        2. Finding the OEP
          1. Using Automated Tools to Find the OEP
          2. Finding the OEP Manually
        3. Repairing the Import Table Manually
      6. Tips and Tricks for Common Packers
        1. UPX
        2. PECompact
        3. ASPack
        4. Petite
        5. WinUpack
        6. Themida
      7. Analyzing Without Fully Unpacking
      8. Packed DLLs
      9. Conclusion
      10. Labs
  14. VI. Special Topics
    1. 19. Shellcode Analysis
      1. Loading Shellcode for Analysis
      2. Position-Independent Code
      3. Identifying Execution Location
        1. Using call/pop
        2. Using fnstenv
      4. Manual Symbol Resolution
        1. Finding kernel32.dll in Memory
        2. Parsing PE Export Data
        3. Using Hashed Exported Names
      5. A Full Hello World Example
      6. Shellcode Encodings
      7. NOP Sleds
      8. Finding Shellcode
      9. Conclusion
      10. Labs
        1. Lab 19-1
          1. Questions
        2. Lab 19-2
          1. Questions
        3. Lab 19-3
          1. Questions
    2. 20. C++ Analysis
      1. Object-Oriented Programming
        1. The this Pointer
        2. Overloading and Mangling
        3. Inheritance and Function Overriding
      2. Virtual vs. Nonvirtual Functions
        1. Use of Vtables
        2. Recognizing a Vtable
      3. Creating and Destroying Objects
      4. Conclusion
      5. Labs
        1. Lab 20-1
          1. Questions
        2. Lab 20-2
          1. Questions
        3. Lab 20-3
          1. Questions
    3. 21. 64-Bit Malware
      1. Why 64-Bit Malware?
      2. Differences in x64 Architecture
        1. Differences in the x64 Calling Convention and Stack Usage
          1. Leaf and Nonleaf Functions
          2. Prologue and Epilogue 64-Bit Code
        2. 64-Bit Exception Handling
      3. Windows 32-Bit on Windows 64-Bit
      4. 64-Bit Hints at Malware Functionality
      5. Conclusion
      6. Labs
        1. Lab 21-1
          1. Questions
        2. Lab 21-2
          1. Questions
  15. A. Important Windows Functions
  16. B. Tools for Malware Analysis
  17. C. Solutions to Labs
    1. Lab 1-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    2. Lab 1-2 Solutions
      1. Short Answers
      2. Detailed Analysis
    3. Lab 1-3 Solutions
      1. Short Answers
      2. Detailed Analysis
    4. Lab 1-4 Solutions
      1. Short Answers
      2. Detailed Analysis
    5. Lab 3-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    6. Lab 3-2 Solutions
      1. Short Answers
      2. Detailed Analysis
    7. Lab 3-3 Solutions
      1. Short Answers
      2. Detailed Analysis
    8. Lab 3-4 Solutions
      1. Short Answers
      2. Detailed Analysis
    9. Lab 5-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    10. Lab 6-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    11. Lab 6-2 Solutions
      1. Short Answers
      2. Detailed Analysis
    12. Lab 6-3 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Graphical View of Command Character Switch
        2. Switch Options
    13. Lab 6-4 Solutions
      1. Short Answers
      2. Detailed Analysis
    14. Lab 7-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    15. Lab 7-2 Solutions
      1. Short Answers
      2. Detailed Analysis
    16. Lab 7-3 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Analyzing the DLL
        2. Analyzing the EXE
    17. Lab 9-1 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Command-Line Option Analysis
        2. Backdoor Analysis
        3. Networking Analysis
        4. Malware Summary
    18. Lab 9-2 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Decoding Stack-Formed Strings
        2. Filename Check
        3. Decoding XOR Encoded Strings
        4. Reverse Shell Analysis
    19. Lab 9-3 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Using the Memory Map to Locate DLLs
        2. Applying a Structure in IDA Pro
        3. Specifying a New Image Base with IDA Pro
        4. Malware Summary
    20. Lab 10-1 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Viewing Lab10-01.sys in IDA Pro
        2. Analyzing Lab10-01.sys in WinDbg
    21. Lab 10-2 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Finding the Rootkit
        2. Examining the Hook Function
        3. Hiding Files
        4. Recovering the Hidden File
    22. Lab 10-3 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Analyzing the Executable in IDA Pro
        2. Analyzing the Driver
        3. Finding the Driver in Memory with WinDbg
        4. Analyzing the Functions of the Major Function Table
    23. Lab 11-1 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Analysis of msgina32.dll
        2. Summary
    24. Lab 11-2 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Low-Level Hook Operation Summary
        2. Examining the Hook in OllyDbg
        3. Capturing the Network Traffic
        4. Summary
    25. Lab 11-3 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Keylogger Analysis
        2. Summary
    26. Lab 12-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    27. Lab 12-2 Solutions
      1. Short Answers
      2. Detailed Analysis
    28. Lab 12-3 Solutions
      1. Short Answers
      2. Detailed Analysis
    29. Lab 12-4 Solutions
      1. Short Answers
      2. Detailed Analysis
    30. Lab 13-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    31. Lab 13-2 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Decoding Using OllyDbg
        2. Scripting the Solution
    32. Lab 13-3 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Modified Base64 Decoding
        2. Decrypting AES
        3. Crypto Pitfalls
    33. Lab 14-1 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Network Signatures
    34. Lab 14-2 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Network Signatures
    35. Lab 14-3 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Beacon
        2. Web Commands
    36. Lab 15-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    37. Lab 15-2 Solutions
      1. Short Answers
      2. Detailed Analysis
    38. Lab 15-3 Solutions
      1. Short Answers
      2. Detailed Analysis
    39. Lab 16-1 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. The BeingDebugged Flag
        2. The ProcessHeap Flag
        3. The NTGlobalFlag Flag
        4. Summary
    40. Lab 16-2 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Getting the Correct Password
    41. Lab 16-3 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. The QueryPerformanceCounter Function
        2. The GetTickCount Function
        3. The rdtsc Instruction
        4. Summary
    42. Lab 17-1 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Searching for Vulnerable Instructions
        2. The sidt Instruction—Red Pill
        3. The str Instruction
        4. The sldt Instruction—No Pill
    43. Lab 17-2 Solutions
      1. Short Answers
      2. Detailed Analysis
    44. Lab 17-3 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. Searching for Vulnerable Instructions
        2. Finding Anti-VM Techniques Using Strings
        3. Reviewing the Final Check
        4. Summary
    45. Lab 18-1 Solutions
    46. Lab 18-2 Solutions
    47. Lab 18-3 Solutions
    48. Lab 18-4 Solutions
    49. Lab 18-5 Solutions
    50. Lab 19-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    51. Lab 19-2 Solutions
      1. Short Answers
      2. Detailed Analysis
    52. Lab 19-3 Solutions
      1. Short Answers
      2. Detailed Analysis
    53. Lab 20-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    54. Lab 20-2 Solutions
      1. Short Answers
      2. Detailed Analysis
    55. Lab 20-3 Solutions
      1. Short Answers
      2. Detailed Analysis
    56. Lab 21-1 Solutions
      1. Short Answers
      2. Detailed Analysis
    57. Lab 21-2 Solutions
      1. Short Answers
      2. Detailed Analysis
        1. X86 Code Path
        2. X64 Code Path
  18. Index
  19. About the Authors