- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- Praise for Practical Malware Analysis
- Warning
- About the Authors
- Foreword
- Acknowledgments
- Introduction
- 0. Malware Analysis Primer
- I. Basic Analysis
- Conclusion
- Labs
- 2. Malware Analysis in Virtual Machines
- 3. Basic Dynamic Analysis
- Sandboxes: The Quick-and-Dirty Approach
- Running Malware
- Monitoring with Process Monitor
- Viewing Processes with Process Explorer
- Comparing Registry Snapshots with Regshot
- Faking a Network
- Packet Sniffing with Wireshark
- Using INetSim
- Basic Dynamic Tools in Practice
- Conclusion
- Labs
- Lab 3-1
- Lab 3-2
- Lab 3-3
- Lab 3-4
- Questions
- II. Advanced Static Analysis
- 4. A Crash Course in x86 Disassembly
- 5. IDA Pro
- Using Cross-References
- Analyzing Functions
- Using Graphing Options
- Enhancing Disassembly
- Extending IDA with Plug-ins
- Conclusion
- Labs
- 6. Recognizing C Code Constructs in Assembly
- 7. Analyzing Malicious Windows Programs
- The Windows API
- The Windows Registry
- Networking APIs
- Following Running Malware
- Kernel vs. User Mode
- The Native API
- Labs
- Lab 7-1
- Lab 7-2
- Lab 7-3
- Questions
- III. Advanced Dynamic Analysis
- 8. Debugging
- 9. OllyDbg
- 10. Kernel Debugging with WinDbg
- Rootkits
- Loading Drivers
- Kernel Issues for Windows Vista, Windows 7, and x64 Versions
- Conclusion
- Labs
- Lab 10-1
- Lab 10-2
- Lab 10-3
- Questions
- IV. Malware Functionality
- 11. Malware Behavior
- 12. Covert Malware Launching
- 13. Data Encoding
- 14. Malware-Focused Network Signatures
- Network Countermeasures
- Safely Investigate an Attacker Online
- Content-Based Network Countermeasures
- Combining Dynamic and Static Analysis Techniques
- The Danger of Overanalysis
- Hiding in Plain Sight
- Understanding Surrounding Code
- Finding the Networking Code
- Knowing the Sources of Network Content
- Hard-Coded Data vs. Ephemeral Data
- Identifying and Leveraging the Encoding Steps
- Creating a Signature
- Analyze the Parsing Routines
- Targeting Multiple Elements
- Understanding the Attacker’s Perspective
- Conclusion
- Labs
- Lab 14-1
- Lab 14-2
- Lab 14-3
- Questions
- V. Anti-Reverse-Engineering
- 15. Anti-Disassembly
- 16. Anti-Debugging
- 17. Anti-Virtual Machine Techniques
Debugging is a critical tool for obtaining information about a malicious program that would be difficult to obtain through disassembly alone. You can use a debugger to single-step through a program to see exactly what’s happening internally or to set breakpoints to get information about particular sections of code. You can also use a debugger to modify the execution of a program in order to gain additional information.
It takes practice to be able to analyze malware effectively with a debugger. The next two chapters cover the specifics of using the OllyDbg and WinDbg debuggers.
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.