book

Evasive Malware

by Kyle Cucci

September 2024

Intermediate to advanced

488 pages

13h 29m

English

No Starch Press

Read now

Unlock full access

What Is Malware?What Is Malware Analysis?Why Does Malware Use Evasion?Why I Wrote This BookWho Should Read This BookHow This Book Is OrganizedMalware Samples for This Book
Windows Architecture OverviewUser and Kernel ModesProcesses and ThreadsObjects and HandlesThe Windows APIProcess InternalsEPROCESS StructuresProcess Environment BlocksThread Environment BlocksStacks and HeapsVirtual MemoryThe PE File FormatHeaders and SectionsImports and ExportsThe Windows PE Loading ProcessThe RegistrySummary
The Analysis EnvironmentThe Malware Analysis ProcessInitial Malware TriageIdentifying the File TypeObtaining the File’s HashTriaging with VirusTotalQuerying Search Engines and Other ResourcesIdentifying and Classifying Unknown Malware with YaraAnalyzing Static PropertiesAutomated Malware Triage with SandboxesInteractive Behavioral AnalysisMonitoring Malware BehaviorsInspecting Malware Network TrafficSummary
Introduction to Assembly CodeCPU Registersx64 and x86 InstructionsStatic Code AnalysisChoosing a DisassemblerAnalyzing with IDAAnalyzing with CAPADynamic Code AnalysisChoosing a DebuggerStarting a Debugging Session in x64dbgAnalyzing with x64dbgPatching and Modifying CodeTracing API Calls with API MonitorSummary

ProcessesDirectories and FilesShared FoldersThe RegistryServicesInstalled SoftwareMutexesPipesDevices and DriversUsernames and HostnamesLocale and Language SettingsOperating System Version InformationSummary
Browser Cookies, Cache, and Browsing HistoryRecent Office FilesUser Files and DirectoriesDesktop WallpaperDesktop WindowsMouse and Keyboard InteractionSystem UptimeSummary
Hardware and Device ConfigurationsCPURAMHard DisksMonitor ConfigurationsUSB ControllersFirmware TablesOther Hardware DevicesNetworking-Related ArtifactsIP Address ConfigurationsDomain ConfigurationsMAC Address ConfigurationsExternal IP Address and Internet ConnectivityTCP Connection StatesSummary
Detecting Analysis and Runtime AnomaliesRun Paths, Filenames, and ArgumentsLoaded ModulesAnomalous Strings in MemoryHooked Functions and Acceleration ChecksUsing Performance and Timing IndicatorsThe rdtsc InstructionFunction Execution TimingPerformance CountersAbusing the Virtual ProcessorThe Red Pill and No Pill TechniquesIO PortsThe cpuid InstructionUnsupported Instruction SetsThe Trap Flag and Other TechniquesThe Risks of Using Detection TechniquesSummary
Self-TerminationDelayed ExecutionSleep Function CallsTimeoutsTime and Logic BombsDummy Code and Infinite LoopsForcing Reboots and LogoutsDecoys and NoiseAPI HammeringUnnecessary Process SpawningDecoy Network CommunicationAnti-hookingHook DetectionHook Removal (Unhooking)Hook CircumventionAnti-hooking ToolsetsCircumventing Sandbox AnalysisDisrupting Manual InvestigationHypervisor Exploits and VM EscapingEvasion CountermeasuresSummary
Breaking DisassemblersControl Flow ObfuscationUnnecessary JumpsUnnecessary CodeControl Flow FlatteningOpaque PredicatesReturn Pointer AbuseSEH Handler AbuseFunction Pointer AbuseControl Flow Obfuscation CountermeasuresAPI Call and String ObfuscationDynamic API Function ResolutionJump Tables and Indirect API CallsStack StringsData HashingSummary
Using Windows API Functions to Access the PEBIsDebuggerPresent and CheckRemoteDebuggerPresentNtQueryInformationProcessNtQuerySystemInformationOutputDebugStringCloseHandle and NtCloseNtQueryObjectHeap FlagsDirectly Accessing the PEBTiming ChecksSystem ArtifactsHunting for Debugger WindowsEnumerating Loaded ModulesSearching for Debugger ProcessesChecking Parent ProcessesBreakpoint Detection and TrapsDetecting Debuggers with BreakpointsDetecting and Circumventing Software BreakpointsDetecting and Circumventing Hardware and Memory BreakpointsUsing Memory Page Guards for Breakpoint DetectionUsing Breakpoint TrapsUnhandled ExceptionsChecksums, Section Hashing, and Self-HealingExploiting, Crashing, and Interfering with the DebuggerDebug Blocking and Anti-attach TechniquesOther Anti-debugging TechniquesCountering Anti-debugging TechniquesSummary
Callback FunctionsTLS CallbacksStructured Exception HandlingVEH and 64-Bit SEHHidden ThreadsSummary
Process InjectionRandom vs. Specific Target ProcessesShellcode InjectionDLL InjectionReflective DLL InjectionProcess HollowingThread HijackingAPC InjectionAtom BombingProcess Injection Wrap-upProcess Image ManipulationProcess HerpaderpingProcess DoppelgangingProcess Reimaging and GhostingDLL and Shim HijackingDLL HijackingShim HijackingHookingSetWindowsHookEx Hooking and InjectionInline HookingMitigations for Process and Hook InjectionSummary
An Endpoint Defense PrimerA Brief History of Endpoint Defense TechnologyAnti-malwareEndpoint Detection and ResponseIdentifying Endpoint DefensesActively Circumventing Endpoint DefensesDisabling Host DefensesAdding Anti-malware ExclusionsDisabling Other Security ControlsBlinding Defenses by UnhookingExploiting Vulnerabilities in Host Defense ToolingPassively Circumventing Endpoint DefensesCircumventing MonitoringCircumventing Signature-Based DetectionUsing Uncommon Programming LanguagesAbusing Certificate Trust and SigningAbusing Engine LimitationsMasquerading as a Safe FilePrivilege Elevation for Defense EvasionBypassing User Account ControlImpersonating and Manipulating Access TokensExtracting and Reusing CredentialsExploiting Vulnerabilities for Privilege ElevationCircumventing Network DefensesIntroducing Modern Network DefensesObfuscating and Obscuring Network TrafficConcealing Infrastructure Using GeofencingGenerating New Infrastructure Using DGAsExecuting the Fast-Flux TechniqueMultistage and Complex AttacksSummary
Rootkit FundamentalsKernel Modules and DriversRootkit ComponentsRootkit InstallationBYOVD AttacksDirect Kernel Object Manipulation“Legacy” Kernel HookingSSDT HooksInline Kernel HooksIRP HooksIRP Interception by FilteringAbusing Kernel CallbacksBootkitsDefenses Against RootkitsSummary
How Fileless Attacks WorkPersistence and Registry-Resident MalwareLiving Off The Land BinariesVBA Macro-Based MalwareSystem Binary Proxy ExecutionWindows Command Line and Other UtilitiesPowerShellDynamically Compiled CodeAnti-forensicsHiding Artifacts and CodeTampering with Logs and EvidenceDestroying the SystemSummary
Basic EncodingData HashingEncryption and DecryptionSymmetric and Asymmetric EncryptionWindows CryptoAPIWindows Cryptographic API: Next GenerationPractical Tips for Overcoming Encryption in MalwareLocating and Identifying Cryptographic RoutinesDecrypting Encrypted Malware DataSummary
Types of PackersPacker Architecture and FunctionalityUnpacking the Malware PayloadResolving ImportsTransferring Execution to the OEPHow to Identify Packed MalwareViewing ImportsInspecting StringsCalculating the Entropy ValueChecking PE SectionsUsing Automated Packer DetectionAutomated UnpackingFully Automated UnpackingSandbox-Assisted UnpackingManual Dynamic UnpackingThe Quick-and-Dirty Option: Letting the Malware Do the WorkMemory Operation MonitoringProcess Injection MonitoringProcess Injection Tracing with API MonitorLibrary Loading and Address ResolutionOEP LocationUnpacked Malware ExtractionUnpacked Executable RepairGeneral Tips for Dynamic UnpackingHelpful Tools for Dynamic UnpackingManual Static UnpackingAnalyzing Without UnpackingAnti-unpacking TechniquesSummaryClosing Thoughts
Lab ArchitectureThe Host MachineThe HypervisorVictim Windows VMsServices Windows VMsLinux VMsBuilding Your LabChoosing a HypervisorVerifying Hypervisor Network SettingsObtaining a Windows ImageCreating the Windows Victim VMTuning VM Settings for Concealment and IsolationInstalling Windows Malware Analysis ToolsInstalling VM ToolsInstalling and Configuring a Linux VMManually Installing Linux VM ToolsConfiguring and Verifying Network SettingsTaking and Restoring VM SnapshotsWindows Configurations for ConcealmentRegistry DataHostname and Domain NameAdditional Tips and TricksAdvanced VM and Hypervisor HardeningHardening VMwareHardening VirtualBoxStress-Testing Your VMTips for Operational Security and EffectivenessSimulating Network ServicesConcealing Your IPShared Folders and File TransferringUpdating SoftwareBare-Metal AnalysisBinary Instrumentation and EmulationSummary

Content preview from Evasive Malware

`9` `ANTI-DISASSEMBLY`

Because disassemblers break down binary files into assembly code based on their own (often very complex) algorithms, there’s some room for error. Malware authors are aware of this vulnerability and can actively exploit it. They may also attempt to obfuscate the malware’s control flow or string and API function call references, making the code especially difficult to navigate statically. These are examples of anti-disassembly techniques, or ways in which malware complicates the process of reverse engineering code with a disassembler. In this chapter, we’ll look at these tactics in depth and what malware analysts can do ...