Windows Malware Analysis Essentials

Book Description

Master the fundamentals of malware analysis for the Windows platform and enhance your anti-malware skill set

About This Book

  • Set the baseline towards performing malware analysis on the Windows platform and how to use the tools required to deal with malware

  • Understand how to decipher x86 assembly code from source code inside your favourite development environment

  • A step-by-step based guide that reveals malware analysis from an industry insider and demystifies the process

    In Detail

    Windows OS is the most used operating system in the world and hence is targeted by malware writers. There are strong ramifications if things go awry. Things will go wrong if they can, and hence we see a salvo of attacks that have continued to disrupt the normal scheme of things in our day-to-day lives. This book will guide you on how to use essential tools such as debuggers, disassemblers, and sandboxes to dissect malware samples. It will expose their innards and then build a report of their indicators of compromise along with detection rule sets that will enable you to help contain the outbreak when faced with such a situation.

    We will start with the basics of computing fundamentals such as number systems and Boolean algebra. Further, you'll learn about x86 assembly programming and its integration with high-level languages such as C++. You'll understand how to decipher disassembly code obtained from the compiled source code and map it back to its original design goals.

    By delving into end-to-end analysis with real-world malware samples to solidify your understanding, you'll sharpen your technique for handling destructive malware binaries and vector mechanisms. You will also be encouraged to consider analysis lab safety measures so that there is no infection in the process.

    Finally, we'll have a rounded tour of various emulations, sandboxing, and debugging options so that you know what is at your disposal when you need a specific kind of weapon in order to nullify the malware.

    What You Will Learn

  • Use the positional number system to gain a clear understanding of Boolean algebra as it applies to malware research

  • Get introduced to static and dynamic analysis methodologies and build your own malware lab

  • Analyse destructive malware samples from the real world (ITW) from fingerprinting and static/dynamic analysis to the final debrief

  • Understand different modes of linking and how to compile your own libraries from assembly code and integrate the code in your final program

  • Get to know about the various emulators, debuggers and their features, and sandboxes and set them up effectively depending on the required scenario

  • Deal with other malware vectors such as PDF and MS Office based malware as well as scripts and shellcode

    Who This Book Is For

    This book is best for someone who has prior experience with reverse engineering Windows executables and wants to specialize in malware analysis. The book presents the malware analysis thought process using a show-and-tell approach, and the examples included will give any analyst confidence in how to approach this task on their own the next time around.

    Style and approach

    An easy to follow, hands-on guide with descriptions and screenshots that will help you execute effective malicious software investigations and conjure up solutions creatively and confidently.

    Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the files e-mailed directly to you.

    Table of Contents

    1. Windows Malware Analysis Essentials
      1. Table of Contents
      2. Windows Malware Analysis Essentials
      3. Credits
      4. About the Author
      5. Acknowledgments
      6. About the Reviewer
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
          3. Instant updates on new Packt books
      8. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      9. 1. Down the Rabbit Hole
        1. Number systems
          1. Base conversion
            1. Binary to hexadecimal (and vice versa)
            2. Decimal to binary (and vice versa)
            3. Octal base conversion
        2. Signed numbers and complements
          1. A signed data type overflow conditions table
        3. Boolean logic and bit masks
          1. Bit masking
        4. Breathing in the ephemeral realm
        5. Sharpening the scalpel
        6. Performing binary reconnaissance
          1. Scanning malware on the web
          2. Getting a great view with PEView
          3. Know the ins and outs with PEInsider
          4. Identifying with PEiD
          5. Walking on frozen terrain with DeepFreeze
          6. Meeting the rex of HexEditors
          7. Digesting string theory with strings
          8. Hashish, pot, and stashing with hashing tools
          9. Getting resourceful with XNResource Editor
          10. Too much leech with Dependency Walker
          11. Getting dumped by Dumpbin
        7. Exploring the universe of binaries on PE Explorer
        8. Getting to know IDA Pro
          1. Knowing your bearings in IDA Pro
          2. Hooking up with IDA Pro
        9. Entropy
        10. Summary
      10. 2. Dancing with the Dead
        1. Motivation
        2. Registers
          1. Special-purpose registers
        3. The initiation ritual
        4. Preparing the altar
          1. The static library generator
        5. Code constructs in x86 disassembly
          1. The for loop
          2. The while loop
          3. The do-while loop
          4. The if-then-else loop
          5. A switch case
          6. Structs
          7. Linked lists
        6. Summary
      11. 3. Performing a Séance Session
        1. Fortifying your debrief
        2. Debriefing – seeing the forest for the trees
        3. Preparing for D-Day – lab setup
        4. Whippin' out your arsenal
          1. Fingerprinting
          2. User mode sandboxing
          3. Debugging and disassembly
          4. Monitoring
          5. MISC
          6. Next steps and prerequisites
        5. Summoning the demon!
          1. Step 1 – fingerprinting
          2. Step 2 – static and dynamic analysis
          3. Obfuscation – a dynamic in-memory function pointers table
          4. The PEB traversal code
          5. Section object creation
          6. Temp file check
          7. Taskkill invocation for antivirus services
          8. New thread creation
          9. MBR reading
          10. MBR infection
          11. Payload
          12. Verifying MBR integrity
        6. Post infection
          1. Network activity
          2. Registry activity
          3. Yara signatures
        7. Exorcism and the aftermath – debrief finale!
          1. Executive synopsis
          2. Mitigation
        8. Summary
      12. 4. Traversing Across Parallel Dimensions
        1. Compression sacks and straps
          1. Releasing the Jack-in-the-Box
        2. Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware
          1. Syscalls
          2. WDK procurement
          3. Setting up IDA Pro for kernel debugging
          4. Finding symbols in WINDBG/IDA PRO
          5. Getting help
          6. Windbg 'G' command in IDA Pro
          7. Command types
          8. Enumerating Running Processes
          9. Enumerating Loaded Modules
          10. Data Type Inspection and Display
          11. Display headers
          12. Pocket calculator
          13. Base converter
          14. Unassembly and disassembly
          15. Debugger Interaction – Step-In, Step Over, Execute till Return
          16. Registers
          17. Call trace and walking the stack
          18. Breakpoints
          19. First chance and second chance debugging
          20. A debugger implementation overview
          21. Examine symbols
          22. Objects
        3. Summary
      13. 5. Good versus Evil – Ogre Wars
        1. Wiretapping Linux for network traffic analysis
        2. Encoding/decoding – XOR Deobfuscation
        3. Malicious Web Script Analysis
          1. Taking apart JS/Dropper
          2. Preliminary dumping and analysis
          3. Static and dynamic analysis
          4. Embedded exploits
        4. Byte code decompilers
        5. Document analysis
        6. Redline – malware memory forensics
          1. Volatility
        7. Malware intelligence
          1. Monitoring and visualization
          2. Malware Control Monitor
          3. Sandboxing and reporting
        8. Summary
      14. Index