Conclusion
In this chapter, we’ve explored the common covert methods through which malware launches, ranging from the simple to the advanced. Many of the techniques involve manipulating live memory on the system, as with DLL injection, process replacement, and hook injection. Other techniques involve modifying binaries on disk, as in the case of adding a .detour section to a PE file. Although these techniques are all very different, they achieve the same goal.
A malware analyst must be able to recognize launching techniques in order to know how to find malware on a live system. Recognizing and analyzing launching techniques is really only part of the full analysis, since all launchers do only one thing: they get the malware running.
In the next two ...