Mastering Malware Analysis

Category: Protection and security

Authors: Alexey Kleymenov, Amr Thabet
Number of pages: 562
ISBN: 9781789610789
Publisher: PACKT PUBLISHING
Year of publication: 2019

                 
Twitter   Facebook   Linkedin   Pinterest   Email
                 
Predlog za prevod

 

  • Explore widely used assembly languages to strengthen your reverse-engineering skills
  • Master different executable file formats, programming languages, and relevant APIs used by attackers
  • Perform static and dynamic analysis for multiple platforms and file types
  • Get to grips with handling sophisticated malware cases
  • Understand real advanced attacks, covering all stages from infiltration to hacking the system
  • Learn to bypass anti-reverse engineering techniques

With the ever-growing proliferation of technology, the risk of encountering malicious code or malware has also increased. Malware analysis has become one of the most trending topics in businesses in recent years due to multiple prominent ransomware attacks. Mastering Malware Analysis explains the universal patterns behind different malicious software types and how to analyze them using a variety of approaches. You will learn how to examine malware code and determine the damage it can possibly cause to your systems to ensure that it won't propagate any further. Moving forward, you will cover all aspects of malware analysis for the Windows platform in detail. Next, you will get to grips with obfuscation and anti-disassembly, anti-debugging, as well as anti-virtual machine techniques. This book will help you deal with modern cross-platform malware. Throughout the course of this book, you will explore real-world examples of static and dynamic malware analysis, unpacking and decrypting, and rootkit detection. Finally, this book will help you strengthen your defenses and prevent malware breaches for IoT devices and mobile platforms. By the end of this book, you will have learned to effectively analyze, investigate, and build innovative solutions to handle any malware incidents.

  • Set up and model solutions, investigate malware, and prevent it from occurring in future
  • Learn core concepts of dynamic malware analysis, memory forensics, decryption, and much more
  • A practical guide to developing innovative solutions to numerous malware incidents

Table of contents

1 A Crash Course in CISC/RISC and Programming Basics
Basic concepts
Assembly languages
Becoming familiar with x86 (IA-32 and x64)
Exploring ARM assembly
Basics of MIPS
Covering the SuperH assembly
Working with SPARC
From assembly to high-level programming languages
Summary

2 Basic Static and Dynamic Analysis for x86/x64
Working with the PE header structure
Static and dynamic linking
Using PE header information for static analysis
PE loading and process creation
Dynamic analysis with OllyDbg/immunity debugger
Debugging malicious services
Summary

3 Unpacking, Decryption, and Deobfuscation
Exploring packers
Identifying a packed sample
Automatically unpacking packed samples
Manual unpacking using OllyDbg
Dumping the unpacked sample and fixing the import table
Identifying different encryption algorithms and functions
String search detection techniques for simple algorithms
Identifying the RC4 encryption algorithm
Standard symmetric and asymmetric encryption algorithms
Applications of encryption in modern malware – Vawtrak banking Trojan
Using IDA for decryption and unpacking
Summary

4 Inspecting Process Injection and API Hooking
Understanding process injection
DLL injection
Working with process injection
Dynamic analysis of code injection
Memory forensics techniques for process injection
Understanding API hooking
Working with API hooking
Exploring IAT hooking
Summary

5 Bypassing Anti-Reverse Engineering Techniques
Exploring debugger detection
Handling debugger breakpoints evasion
Escaping the debugger
Obfuscation and anti-disassemblers
Detecting and evading behavioral analysis tools
Detecting sandboxes and virtual machines
Summary

6 Understanding Kernel-Mode Rootkits
Kernel mode versus user mode
Windows internals
Rootkits and device drivers
Hooking mechanisms
DKOM
Process injection in kernel mode
KPP in x64 systems (PatchGuard)
Static and dynamic analysis in kernel mode
Summary

7 Handling Exploits and Shellcode
Getting familiar with vulnerabilities and exploits
Cracking the shellcode
Exploring bypasses for exploit mitigation technologies
Analyzing Microsoft Office exploits
Studying malicious PDFs
Summary

8 Reversing Bytecode Languages: .NET, Java, and More
Exploring the theory of bytecode languages
.NET explained
.NET malware analysis
The essentials of Visual Basic
Dissecting Visual Basic samples
The internals of Java samples
Python—script language internals
Analyzing compiled Python
Summary

9 Scripts and Macros: Reversing, Deobfuscation, and Debugging
Classic shell script languages
VBScript explained
Those evil macros inside documents
The power of PowerShell
Handling JavaScript
Behind C&C—even malware has its own backend
Other script languages
Summary

10 Dissecting Linux and IoT Malware
Explaining ELF files
Exploring common behavioral patterns
Static and dynamic analysis of x86 (32- and 64-bit) samples
Learning Mirai, its clones, and more
Static and dynamic analysis of RISC samples
Handling other architectures
Summary

11 Introduction to macOS and iOS Threats
Understanding the role of the security model
File formats and APIs
Static and dynamic analyses of macOS and iOS samples
Attack stages
Advanced techniques
Analysis workflow
Summary

12 Analyzing Android Malware Samples
(Ab)using Android internals
Understanding Dalvik and ART
Malware behavior patterns
Static and dynamic analysis of threats
Summary

 

Komentari

• Srdjan B
Da li je u plans izdavanje ove knjige .. Bilo bi vredno imati je u kolekciji. Pozdrav za Kombib
