- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- Praise for Practical Malware Analysis
- Warning
- About the Authors
- Foreword
- Acknowledgments
- Introduction
- 0. Malware Analysis Primer
- I. Basic Analysis
- Conclusion
- Labs
- 2. Malware Analysis in Virtual Machines
- 3. Basic Dynamic Analysis
- Sandboxes: The Quick-and-Dirty Approach
- Running Malware
- Monitoring with Process Monitor
- Viewing Processes with Process Explorer
- Comparing Registry Snapshots with Regshot
- Faking a Network
- Packet Sniffing with Wireshark
- Using INetSim
- Basic Dynamic Tools in Practice
- Conclusion
- Labs
- Lab 3-1
- Lab 3-2
- Lab 3-3
- Lab 3-4
- Questions
- II. Advanced Static Analysis
- 4. A Crash Course in x86 Disassembly
- 5. IDA Pro
- Using Cross-References
- Analyzing Functions
- Using Graphing Options
- Enhancing Disassembly
- Extending IDA with Plug-ins
- Conclusion
- Labs
- 6. Recognizing C Code Constructs in Assembly
- 7. Analyzing Malicious Windows Programs
- The Windows API
- The Windows Registry
- Networking APIs
- Following Running Malware
- Kernel vs. User Mode
- The Native API
- Labs
- Lab 7-1
- Lab 7-2
- Lab 7-3
- Questions
- III. Advanced Dynamic Analysis
- 8. Debugging
- 9. OllyDbg
- 10. Kernel Debugging with WinDbg
- Rootkits
- Loading Drivers
- Kernel Issues for Windows Vista, Windows 7, and x64 Versions
- Conclusion
- Labs
- Lab 10-1
- Lab 10-2
- Lab 10-3
- Questions
- IV. Malware Functionality
- 11. Malware Behavior
- 12. Covert Malware Launching
- 13. Data Encoding
- 14. Malware-Focused Network Signatures
- Network Countermeasures
- Safely Investigate an Attacker Online
- Content-Based Network Countermeasures
- Combining Dynamic and Static Analysis Techniques
- The Danger of Overanalysis
- Hiding in Plain Sight
- Understanding Surrounding Code
- Finding the Networking Code
- Knowing the Sources of Network Content
- Hard-Coded Data vs. Ephemeral Data
- Identifying and Leveraging the Encoding Steps
- Creating a Signature
- Analyze the Parsing Routines
- Targeting Multiple Elements
- Understanding the Attacker’s Perspective
- Conclusion
- Labs
- Lab 14-1
- Lab 14-2
- Lab 14-3
- Questions
- V. Anti-Reverse-Engineering
- 15. Anti-Disassembly
- 16. Anti-Debugging
- 17. Anti-Virtual Machine Techniques
There are three options for unpacking a packed executable: automated static unpacking, automated dynamic unpacking, and manual dynamic unpacking. The automated unpacking techniques are faster and easier than manual dynamic unpacking, but automated techniques don’t always work. If you have identified the kind of packer used, you should determine if an automated unpacker is available. If not, you may be able to find information about how to unpack the packer manually.
When dealing with packed malware, remember that your goal is to analyze the behavior of the malware, which does not always require you to re-create the original malware. Most of the time, when you unpack malware, you create a new binary that is not identical to the original, but does all the same things as the original.
-
No Comment