book

Evasive Malware

by Kyle Cucci

September 2024

Intermediate to advanced

488 pages

13h 29m

English

No Starch Press

Read now

Unlock full access

What Is Malware?What Is Malware Analysis?Why Does Malware Use Evasion?Why I Wrote This BookWho Should Read This BookHow This Book Is OrganizedMalware Samples for This Book
Windows Architecture OverviewUser and Kernel ModesProcesses and ThreadsObjects and HandlesThe Windows APIProcess InternalsEPROCESS StructuresProcess Environment BlocksThread Environment BlocksStacks and HeapsVirtual MemoryThe PE File FormatHeaders and SectionsImports and ExportsThe Windows PE Loading ProcessThe RegistrySummary
The Analysis EnvironmentThe Malware Analysis ProcessInitial Malware TriageIdentifying the File TypeObtaining the File’s HashTriaging with VirusTotalQuerying Search Engines and Other ResourcesIdentifying and Classifying Unknown Malware with YaraAnalyzing Static PropertiesAutomated Malware Triage with SandboxesInteractive Behavioral AnalysisMonitoring Malware BehaviorsInspecting Malware Network TrafficSummary
Introduction to Assembly CodeCPU Registersx64 and x86 InstructionsStatic Code AnalysisChoosing a DisassemblerAnalyzing with IDAAnalyzing with CAPADynamic Code AnalysisChoosing a DebuggerStarting a Debugging Session in x64dbgAnalyzing with x64dbgPatching and Modifying CodeTracing API Calls with API MonitorSummary

ProcessesDirectories and FilesShared FoldersThe RegistryServicesInstalled SoftwareMutexesPipesDevices and DriversUsernames and HostnamesLocale and Language SettingsOperating System Version InformationSummary
Browser Cookies, Cache, and Browsing HistoryRecent Office FilesUser Files and DirectoriesDesktop WallpaperDesktop WindowsMouse and Keyboard InteractionSystem UptimeSummary
Hardware and Device ConfigurationsCPURAMHard DisksMonitor ConfigurationsUSB ControllersFirmware TablesOther Hardware DevicesNetworking-Related ArtifactsIP Address ConfigurationsDomain ConfigurationsMAC Address ConfigurationsExternal IP Address and Internet ConnectivityTCP Connection StatesSummary
Detecting Analysis and Runtime AnomaliesRun Paths, Filenames, and ArgumentsLoaded ModulesAnomalous Strings in MemoryHooked Functions and Acceleration ChecksUsing Performance and Timing IndicatorsThe rdtsc InstructionFunction Execution TimingPerformance CountersAbusing the Virtual ProcessorThe Red Pill and No Pill TechniquesIO PortsThe cpuid InstructionUnsupported Instruction SetsThe Trap Flag and Other TechniquesThe Risks of Using Detection TechniquesSummary
Self-TerminationDelayed ExecutionSleep Function CallsTimeoutsTime and Logic BombsDummy Code and Infinite LoopsForcing Reboots and LogoutsDecoys and NoiseAPI HammeringUnnecessary Process SpawningDecoy Network CommunicationAnti-hookingHook DetectionHook Removal (Unhooking)Hook CircumventionAnti-hooking ToolsetsCircumventing Sandbox AnalysisDisrupting Manual InvestigationHypervisor Exploits and VM EscapingEvasion CountermeasuresSummary
Breaking DisassemblersControl Flow ObfuscationUnnecessary JumpsUnnecessary CodeControl Flow FlatteningOpaque PredicatesReturn Pointer AbuseSEH Handler AbuseFunction Pointer AbuseControl Flow Obfuscation CountermeasuresAPI Call and String ObfuscationDynamic API Function ResolutionJump Tables and Indirect API CallsStack StringsData HashingSummary
Using Windows API Functions to Access the PEBIsDebuggerPresent and CheckRemoteDebuggerPresentNtQueryInformationProcessNtQuerySystemInformationOutputDebugStringCloseHandle and NtCloseNtQueryObjectHeap FlagsDirectly Accessing the PEBTiming ChecksSystem ArtifactsHunting for Debugger WindowsEnumerating Loaded ModulesSearching for Debugger ProcessesChecking Parent ProcessesBreakpoint Detection and TrapsDetecting Debuggers with BreakpointsDetecting and Circumventing Software BreakpointsDetecting and Circumventing Hardware and Memory BreakpointsUsing Memory Page Guards for Breakpoint DetectionUsing Breakpoint TrapsUnhandled ExceptionsChecksums, Section Hashing, and Self-HealingExploiting, Crashing, and Interfering with the DebuggerDebug Blocking and Anti-attach TechniquesOther Anti-debugging TechniquesCountering Anti-debugging TechniquesSummary
Callback FunctionsTLS CallbacksStructured Exception HandlingVEH and 64-Bit SEHHidden ThreadsSummary
Process InjectionRandom vs. Specific Target ProcessesShellcode InjectionDLL InjectionReflective DLL InjectionProcess HollowingThread HijackingAPC InjectionAtom BombingProcess Injection Wrap-upProcess Image ManipulationProcess HerpaderpingProcess DoppelgangingProcess Reimaging and GhostingDLL and Shim HijackingDLL HijackingShim HijackingHookingSetWindowsHookEx Hooking and InjectionInline HookingMitigations for Process and Hook InjectionSummary
An Endpoint Defense PrimerA Brief History of Endpoint Defense TechnologyAnti-malwareEndpoint Detection and ResponseIdentifying Endpoint DefensesActively Circumventing Endpoint DefensesDisabling Host DefensesAdding Anti-malware ExclusionsDisabling Other Security ControlsBlinding Defenses by UnhookingExploiting Vulnerabilities in Host Defense ToolingPassively Circumventing Endpoint DefensesCircumventing MonitoringCircumventing Signature-Based DetectionUsing Uncommon Programming LanguagesAbusing Certificate Trust and SigningAbusing Engine LimitationsMasquerading as a Safe FilePrivilege Elevation for Defense EvasionBypassing User Account ControlImpersonating and Manipulating Access TokensExtracting and Reusing CredentialsExploiting Vulnerabilities for Privilege ElevationCircumventing Network DefensesIntroducing Modern Network DefensesObfuscating and Obscuring Network TrafficConcealing Infrastructure Using GeofencingGenerating New Infrastructure Using DGAsExecuting the Fast-Flux TechniqueMultistage and Complex AttacksSummary
Rootkit FundamentalsKernel Modules and DriversRootkit ComponentsRootkit InstallationBYOVD AttacksDirect Kernel Object Manipulation“Legacy” Kernel HookingSSDT HooksInline Kernel HooksIRP HooksIRP Interception by FilteringAbusing Kernel CallbacksBootkitsDefenses Against RootkitsSummary
How Fileless Attacks WorkPersistence and Registry-Resident MalwareLiving Off The Land BinariesVBA Macro-Based MalwareSystem Binary Proxy ExecutionWindows Command Line and Other UtilitiesPowerShellDynamically Compiled CodeAnti-forensicsHiding Artifacts and CodeTampering with Logs and EvidenceDestroying the SystemSummary
Basic EncodingData HashingEncryption and DecryptionSymmetric and Asymmetric EncryptionWindows CryptoAPIWindows Cryptographic API: Next GenerationPractical Tips for Overcoming Encryption in MalwareLocating and Identifying Cryptographic RoutinesDecrypting Encrypted Malware DataSummary
Types of PackersPacker Architecture and FunctionalityUnpacking the Malware PayloadResolving ImportsTransferring Execution to the OEPHow to Identify Packed MalwareViewing ImportsInspecting StringsCalculating the Entropy ValueChecking PE SectionsUsing Automated Packer DetectionAutomated UnpackingFully Automated UnpackingSandbox-Assisted UnpackingManual Dynamic UnpackingThe Quick-and-Dirty Option: Letting the Malware Do the WorkMemory Operation MonitoringProcess Injection MonitoringProcess Injection Tracing with API MonitorLibrary Loading and Address ResolutionOEP LocationUnpacked Malware ExtractionUnpacked Executable RepairGeneral Tips for Dynamic UnpackingHelpful Tools for Dynamic UnpackingManual Static UnpackingAnalyzing Without UnpackingAnti-unpacking TechniquesSummaryClosing Thoughts
Lab ArchitectureThe Host MachineThe HypervisorVictim Windows VMsServices Windows VMsLinux VMsBuilding Your LabChoosing a HypervisorVerifying Hypervisor Network SettingsObtaining a Windows ImageCreating the Windows Victim VMTuning VM Settings for Concealment and IsolationInstalling Windows Malware Analysis ToolsInstalling VM ToolsInstalling and Configuring a Linux VMManually Installing Linux VM ToolsConfiguring and Verifying Network SettingsTaking and Restoring VM SnapshotsWindows Configurations for ConcealmentRegistry DataHostname and Domain NameAdditional Tips and TricksAdvanced VM and Hypervisor HardeningHardening VMwareHardening VirtualBoxStress-Testing Your VMTips for Operational Security and EffectivenessSimulating Network ServicesConcealing Your IPShared Folders and File TransferringUpdating SoftwareBare-Metal AnalysisBinary Instrumentation and EmulationSummary

Content preview from Evasive Malware

`4` `ENUMERATING OPERATING SYSTEM ARTIFACTS`

A normal, “real” user environment looks much different from a malware sandbox or lab environment. A typical user will likely have installed common applications, such as Microsoft Office, email clients, multiple web browsers, and so on. They probably wouldn’t be using a VM, Wireshark, or Procmon, nor are they likely to have installed malware analysis tools such as IDA Pro or sandboxing tools like Cuckoo. A sandbox or lab environment, on the other hand, typically has analysis software installed in a VM.

This is indicated by references to the hypervisor in the names and properties of various operating ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098182236Errata Page

Evasive Malware

by Kyle Cucci

`4` `ENUMERATING OPERATING SYSTEM ARTIFACTS`

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Practical Malware Analysis

Malware Development for Ethical Hackers

Security in Computing, 6th Edition

Metasploit, 2nd Edition

Publisher Resources

4 ENUMERATING OPERATING SYSTEM ARTIFACTS

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Practical Malware Analysis

Malware Development for Ethical Hackers

Security in Computing, 6th Edition

Metasploit, 2nd Edition

Publisher Resources

`4` `ENUMERATING OPERATING SYSTEM ARTIFACTS`

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.