book

Practical Malware Analysis

by Michael Sikorski, Andrew Honig

February 2012

Intermediate to advanced

800 pages

23h 55m

English

No Starch Press

Read now

Unlock full access

Basic Static AnalysisBasic Dynamic AnalysisAdvanced Static AnalysisAdvanced Dynamic Analysis
Packing FilesDetecting Packers with PEiD
Static, Runtime, and Dynamic LinkingExploring Dynamically Linked Functions with Dependency WalkerImported FunctionsExported Functions
PotentialKeylogger.exe: An Unpacked ExecutablePackedProgram.exe: A Dead End
Examining PE Files with PEviewViewing the Resource Section with Resource HackerUsing Other PE File ToolsPE Header Summary
Lab 1-1QuestionsLab 1-2QuestionsLab 1-3QuestionsLab 1-4Questions
Configuring VMwareDisconnecting the NetworkSetting Up Host-Only NetworkingUsing Multiple Virtual Machines
Connecting Malware to the InternetConnecting and Disconnecting Peripheral DevicesTaking SnapshotsTransferring Files from a Virtual Machine
Using a Malware SandboxSandbox Drawbacks
The Procmon DisplayFiltering in Procmon
The Process Explorer DisplayUsing the Verify OptionComparing StringsUsing Dependency WalkerAnalyzing Malicious Documents
Using ApateDNSMonitoring with Netcat
Lab 3-1QuestionsLab 3-2QuestionsLab 3-3QuestionsLab 3-4Questions
Main MemoryInstructionsOpcodes and EndiannessOperandsRegistersGeneral RegistersFlagsEIP, the Instruction PointerSimple InstructionsArithmeticNOPThe StackFunction CallsStack LayoutConditionalsBranchingRep InstructionsC Main Method and OffsetsMore Information: Intel x86 Architecture Manuals
Disassembly Window ModesGraph ModeText ModeUseful Windows for AnalysisReturning to the Default ViewNavigating IDA ProUsing Links and Cross-ReferencesExploring Your HistoryNavigation BandJump to LocationSearching
Code Cross-ReferencesData Cross-References
Renaming LocationsCommentsFormatting OperandsUsing Named ConstantsRedefining Code and Data
Using IDC ScriptsUsing IDAPythonUsing Commercial Plug-ins
Lab 5-1Questions
Analyzing Functions Graphically with IDA ProRecognizing Nested if Statements
Finding for LoopsFinding while Loops
cdeclstdcallfastcallPush vs. Move
If StyleJump Table
Lab 6-1QuestionsLab 6-2QuestionsLab 6-3QuestionsLab 6-4Questions
Types and Hungarian NotationHandlesFile System FunctionsSpecial FilesShared FilesFiles Accessible via NamespacesAlternate Data Streams
Registry Root KeysRegeditPrograms that Run AutomaticallyCommon Registry FunctionsAnalyzing Registry Code in PracticeRegistry Scripting with .reg Files
Berkeley Compatible SocketsThe Server and Client Sides of NetworkingThe WinINet API
DLLsHow Malware Authors Use DLLsBasic DLL StructureProcessesCreating a New ProcessThreadsThread ContextCreating a ThreadInterprocess Coordination with MutexesServicesThe Component Object ModelCLSIDs, IIDs, and the Use of COM ObjectsCOM Server MalwareExceptions: When Things Go Wrong
Lab 7-1QuestionsLab 7-2QuestionsLab 7-3Questions
Single-SteppingStepping-Over vs. Stepping-IntoPausing Execution with BreakpointsSoftware Execution BreakpointsHardware Execution BreakpointsConditional Breakpoints
First- and Second-Chance ExceptionsCommon Exceptions
Opening an ExecutableAttaching to a Running Process
RebasingBase AddressesAbsolute vs. Relative Addresses
Software BreakpointsConditional BreakpointsHardware BreakpointsMemory Breakpoints
Standard Back TraceCall StackRun TraceTracing Poison Ivy
OllyDumpHide DebuggerCommand LineBookmarks
Lab 9-1QuestionsLab 9-2QuestionsLab 9-3Questions
Reading from MemoryUsing Arithmetic OperatorsSetting BreakpointsListing Modules
Searching for SymbolsViewing Structure InformationConfiguring Windows Symbols
Looking at the User-Space CodeLooking at the Kernel-Mode CodeFinding Driver Objects
Rootkit Analysis in PracticeInterrupts
Lab 10-1QuestionsLab 10-2QuestionsLab 10-3Questions
Reverse ShellNetcat Reverse ShellsWindows Reverse ShellsRATsBotnetsRATs and Botnets Compared
GINA InterceptionHash DumpingKeystroke LoggingKernel-Based KeyloggersUser-Space KeyloggersIdentifying Keyloggers in Strings Listings
The Windows RegistryAppInit_DLLsWinlogon NotifySvcHost DLLsTrojanized System BinariesDLL Load-Order Hijacking
Using SeDebugPrivilege
IAT HookingInline Hooking
Lab 11-1QuestionsLab 11-2QuestionsLab 11-3Questions
DLL InjectionDirect Injection
Local and Remote HooksKeyloggers Using HooksUsing SetWindowsHookExThread Targeting
APC Injection from User SpaceAPC Injection from Kernel Space
Lab 12-1QuestionsLab 12-2QuestionsLab 12-3QuestionsLab 12-4Questions
Caesar CipherXORBrute-Forcing XOR EncodingBrute-Forcing Many FilesNULL-Preserving Single-Byte XOR EncodingIdentifying XOR Loops in IDA ProOther Simple Encoding SchemesBase64Transforming Data to Base64Identifying and Decoding Base64
Recognizing Strings and ImportsSearching for Cryptographic ConstantsUsing FindCrypt2Using Krypto ANALyzerSearching for High-Entropy Content
Identifying Custom EncodingAdvantages of Custom Encoding to the Attacker
Self-DecodingManual Programming of Decoding FunctionsUsing Instrumentation for Generic Decryption
Lab 13-1QuestionsLab 13-2QuestionsLab 13-3Questions
Observing the Malware in Its Natural HabitatIndications of Malicious ActivityOPSEC = Operations Security
Indirection TacticsGetting IP Address and Domain Information
Intrusion Detection with SnortTaking a Deeper Look
The Danger of OveranalysisHiding in Plain SightAttackers Mimic Existing ProtocolsAttackers Use Existing InfrastructureLeveraging Client-Initiated BeaconingUnderstanding Surrounding CodeFinding the Networking CodeKnowing the Sources of Network ContentHard-Coded Data vs. Ephemeral DataIdentifying and Leveraging the Encoding StepsCreating a SignatureAnalyze the Parsing RoutinesTargeting Multiple Elements
Lab 14-1QuestionsLab 14-2QuestionsLab 14-3Questions
Linear DisassemblyFlow-Oriented Disassembly
Jump Instructions with the Same TargetA Jump Instruction with a Constant ConditionImpossible DisassemblyNOP-ing Out Instructions with IDA Pro
The Function Pointer ProblemAdding Missing Code Cross-References in IDA ProReturn Pointer AbuseMisusing Structured Exception Handlers
Lab 15-1QuestionsLab 15-2QuestionsLab 15-3Questions
Using the Windows APIManually Checking StructuresChecking the BeingDebugged FlagChecking the ProcessHeap FlagChecking NTGlobalFlagChecking for System Residue
INT ScanningPerforming Code ChecksumsTiming ChecksUsing the rdtsc InstructionUsing QueryPerformanceCounter and GetTickCount
Using TLS CallbacksUsing ExceptionsInserting InterruptsInserting INT 3Inserting INT 2DInserting ICE
PE Header VulnerabilitiesThe OutputDebugString Vulnerability
Lab 16-1QuestionsLab 16-2QuestionsLab 16-3Questions
Bypassing VMware Artifact SearchingChecking for Memory Artifacts
Using the Red Pill Anti-VM TechniqueUsing the No Pill TechniqueQuerying the I/O Communication PortUsing the str InstructionAnti-VM x86 InstructionsHighlighting Anti-VM in IDA ProUsing ScoopyNG
Lab 17-1QuestionsLab 17-2QuestionsLab 17-3Questions
The Unpacking StubLoading the ExecutableResolving ImportsThe Tail JumpUnpacking Illustrated
Indicators of a Packed ProgramEntropy Calculation
Rebuilding the Import Table with Import ReconstructorFinding the OEPUsing Automated Tools to Find the OEPFinding the OEP ManuallyRepairing the Import Table Manually
UPXPECompactASPackPetiteWinUpackThemida
Using call/popUsing fnstenv
Finding kernel32.dll in MemoryParsing PE Export DataUsing Hashed Exported Names
Lab 19-1QuestionsLab 19-2QuestionsLab 19-3Questions
The this PointerOverloading and ManglingInheritance and Function Overriding
Use of VtablesRecognizing a Vtable
Lab 20-1QuestionsLab 20-2QuestionsLab 20-3Questions
Differences in the x64 Calling Convention and Stack UsageLeaf and Nonleaf FunctionsPrologue and Epilogue 64-Bit Code64-Bit Exception Handling
Lab 21-1QuestionsLab 21-2Questions
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed AnalysisGraphical View of Command Character SwitchSwitch Options
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed AnalysisAnalyzing the DLLAnalyzing the EXE
Short AnswersDetailed AnalysisCommand-Line Option AnalysisBackdoor AnalysisNetworking AnalysisMalware Summary
Short AnswersDetailed AnalysisDecoding Stack-Formed StringsFilename CheckDecoding XOR Encoded StringsReverse Shell Analysis
Short AnswersDetailed AnalysisUsing the Memory Map to Locate DLLsApplying a Structure in IDA ProSpecifying a New Image Base with IDA ProMalware Summary
Short AnswersDetailed AnalysisViewing Lab10-01.sys in IDA ProAnalyzing Lab10-01.sys in WinDbg
Short AnswersDetailed AnalysisFinding the RootkitExamining the Hook FunctionHiding FilesRecovering the Hidden File
Short AnswersDetailed AnalysisAnalyzing the Executable in IDA ProAnalyzing the DriverFinding the Driver in Memory with WinDbgAnalyzing the Functions of the Major Function Table
Short AnswersDetailed AnalysisAnalysis of msgina32.dllSummary
Short AnswersDetailed AnalysisLow-Level Hook Operation SummaryExamining the Hook in OllyDbgCapturing the Network TrafficSummary
Short AnswersDetailed AnalysisKeylogger AnalysisSummary
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed AnalysisDecoding Using OllyDbgScripting the Solution
Short AnswersDetailed AnalysisModified Base64 DecodingDecrypting AESCrypto Pitfalls
Short AnswersDetailed AnalysisNetwork Signatures
Short AnswersDetailed AnalysisNetwork Signatures
Short AnswersDetailed AnalysisBeaconWeb Commands
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed AnalysisThe BeingDebugged FlagThe ProcessHeap FlagThe NTGlobalFlag FlagSummary
Short AnswersDetailed AnalysisGetting the Correct Password
Short AnswersDetailed AnalysisThe QueryPerformanceCounter FunctionThe GetTickCount FunctionThe rdtsc InstructionSummary
Short AnswersDetailed AnalysisSearching for Vulnerable InstructionsThe sidt Instruction—Red PillThe str InstructionThe sldt Instruction—No Pill
Short AnswersDetailed Analysis
Short AnswersDetailed AnalysisSearching for Vulnerable InstructionsFinding Anti-VM Techniques Using StringsReviewing the Final CheckSummary
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed Analysis
Short AnswersDetailed AnalysisX86 Code PathX64 Code Path

Content preview from Practical Malware Analysis

Identifying Debugger Behavior

Recall that debuggers can be used to set breakpoints or to single-step through a process in order to aid the malware analyst in reverse-engineering. However, when these operations are performed in a debugger, they modify the code in the process. Several anti-debugging techniques are used by malware to detect this sort of debugger behavior: INT scanning, checksum checks, and timing checks.

INT Scanning

INT 3 is the software interrupt used by debuggers to temporarily replace an instruction in a running program and to call the debug exception handler—a basic mechanism to set a breakpoint. The opcode for INT 3 is 0xCC. Whenever you use a debugger to set a breakpoint, it modifies the code by inserting a 0xCC.

In addition ...