What’s in the Book?

Practical Malware Analysis begins with easy methods that can be used to get information from relatively unsophisticated malicious programs, and proceeds with increasingly complicated techniques that can be used to tackle even the most sophisticated malicious programs. Here’s what you’ll find in each chapter:

  • Chapter 0 establishes the overall process and methodology of analyzing malware.

  • Chapter 1 teaches ways to get information from an executable without running it.

  • Chapter 2 walks you through setting up virtual machines to use as a safe environment for running malware.

  • Chapter 3 teaches easy-to-use but effective techniques for analyzing a malicious program by running it.

  • Chapter 4, “A Crash Course in x86 Assembly,” is an introduction to the x86 assembly language, which provides a foundation for using IDA Pro and performing in-depth analysis of malware.

  • Chapter 5 shows you how to use IDA Pro, one of the most important malware analysis tools. We’ll use IDA Pro throughout the remainder of the book.

  • Chapter 6 provides examples of C code in assembly and teaches you how to understand the high-level functionality of assembly code.

  • Chapter 7 covers a wide range of Windows-specific concepts that are necessary for understanding malicious Windows programs.

  • Chapter 8 explains the basics of debugging and how malware analysts use a debugger.

  • Chapter 9 shows you how to use OllyDbg, the most popular debugger among malware analysts.

  • Chapter 10 covers how to use the WinDbg debugger to analyze kernel-mode malware and rootkits.

  • Chapter 11 describes common malware functionality and shows you how to recognize that functionality when analyzing malware.

  • Chapter 12 discusses how to analyze a particularly stealthy class of malicious programs that hide their execution within another process.

  • Chapter 13 demonstrates how malware may encode data in order to make its activities harder to identify in network traffic or on the victim host.

  • Chapter 14 teaches you how to use malware analysis to create network signatures that outperform signatures made from captured traffic alone.

  • Chapter 15 explains how some malware authors design their malware so that it is hard to disassemble, and how to recognize and defeat these techniques.

  • Chapter 16 describes the tricks that malware authors use to make their code difficult to debug and how to overcome those roadblocks.

  • Chapter 17 demonstrates techniques used by malware to make it difficult to analyze in a virtual machine and how to bypass those techniques.

  • Chapter 18 teaches you how malware uses packing to hide its true purpose, and then provides a step-by-step approach for unpacking packed programs.

  • Chapter 19 explains what shellcode is and presents tips and tricks specific to analyzing malicious shellcode.

  • Chapter 20 shows how C++ code looks different once it is compiled and how to analyze malware written in C++.

  • Chapter 21 discusses why malware authors may use 64-bit malware and what you need to know about the differences between x86 and x64.

  • Appendix A briefly describes Windows functions commonly used in malware.

  • Appendix B lists useful tools for malware analysts.

  • Appendix C provides the solutions for the labs included in the chapters throughout the book.

Our goal throughout this book is to arm you with the skills to analyze and defeat malware of all types. As you’ll see, we cover a lot of material and use labs to reinforce it. By the time you’ve finished this book, you will have learned the skills you need to analyze any malware, from simple techniques for quickly analyzing ordinary samples to the complex, sophisticated techniques needed for even the most enigmatic malware.

Let’s get started.
