Index
A
Accelerating disassembly analysis
blocks/flowcharts
compiler stub
condensing instructions
decompilers
XREF
SeeReference /XREF
Active instrumentation technique
Address space layout randomization (ASLR)
Advanced persistent threat (APT)
Adware
Analysis VM
APIMiner
ASLR
autoruns
BinNet
bulk extractor
CFF Explorer
CurrProcess
disable hidden extensions
disable windows defender
disable windows firewall
DocFileViewerEx
DriverView
end-user system
FakeNet
fiddler
file type identification tools
FTK Imager Lite
GMER
HashMyFiles
host system
IDA Pro
malware creation
malware sandboxes
Malzilla
network requirements
Notepad++
NTTrace
oledump.py
OllyDbg
OllyDumpEx
PEiD
portable executable binary
physical machine
Process Explorer
process hacker
ProcMon
registry viewer
regshot
Ring3 API Hook Scanner
rundll32
show hidden files/folders
snapshots
SSDTView
Suricata
Sysinternals Strings
volatility
Wireshark
x64dbg/immunity debugger
YARA
Anti-analysis armoring techniques
Anti-debugging
debugger detection
EPROCESS
identifying breakpoints
PEB-based detection
Windows API
Anti-detection armoring techniques
Anti-malware products
detection solutions
firewalls
NACs
sandbox
static signatures
Anti-malware teams
Antiviruses
coding
components
PE files
signatures
assembly code
caveats
generic
hash
optimization
risk
user-mode components
API hooking
APIMiner
DeleteFile()
intercept calls
internet explorer
placing hooks
SeePlacing hooks
point or location
scanning tools
security software
steps
APIMiner
Arithmetic logic unit (ALU)
Armoring mechanisms
anti-debugging
anti-disassembly, garbage code
anti-dynamic analysis
communication port
identifying environment
open source anti-projects
steps
tool identification
virtual machine identification
static analysis
Asynchronous procedure call (APC) queue
Automated teller machines (ATMs)
components
msxfs.dll
peripherals
XFS
Automatic unpacking
Autoruns
Autostart extensibility points (ASEP)
B
Banking malware
API logs/hook scanners
InternetReadFile file API
second-factor authentication
string analysis
trojans
Banking trojan
Behavior-based antivirus
Behavior-based signatures
Binary file
Binary instrumentation
BinText tool
Botnet
Breakpoints
hardware
memory locations
software
Brute force authentication
Bus drivers
C
CALL instruction
Carry flag (CF)
Chief information security officers (CISOs))
Classical DLL injection
CreateRemoteThread()/QueueUserAPC()
image base
kernel32.dll
LoadLibrary() API
Notepad.exe’s memory
rundll32.exe
target process
Classification
API calls
creator
debug information
hooks
CnC communication channels
DGA
domain flux
domain/IP address
fixed IP address
malware network
P2P
proxies/relays
Code hooking
Code injection
altering functionality
APIMiner
debugging
SeeDebuggers
GMER/Ring3 API Hook Scanner
process piggybacking
ProcMon
stealth/hiding
steps
target process
techniques
user/kernel mode
Code polymorphism
Combat teams
blog
detection teams
honeypots
hunters
incident responders/forensics
IoC
underground market
web crawlers
Command-and-Control (C2C)
Command-and-control (C2CnCC&C)
Command-and-control (CnC) communication
Common packet capture frameworks
Common Vulnerabilities and Exposures (CVE)
Component Object Model (COM)
ContextStruct
Control flow instructions
conditional branch
loop
unconditional branch
Control unit
Correct remediation
CreateRemoteThread
API logging tool
APIMiner
breakpoint
Buffer parameter
injector process
Notepad.exe
NtOpenProcess
OllyDbg
StartAddress
VirtualAllocEx API
WriteProcessMemory
CreateRemoteThread, APIMiner
Cryptominers
Cryptors
Cyber Kill Chain
action on objectives
APT attack
command-and-control
delivery mechanism
exploitation
installation
reconnaissance
weaponization
Cyberwarfare
Cygwin
D
Data exfiltration methods
fingerprints
FTP protocols
HTTP
IDS/IPS
IRC
Data Loss and Prevention (DLP)
Data movement instructions
CLD
immediate value
MOV
MOVS
REP
SCAS
STOS/LODS
XCHG
Debuggers
API logs
breakpoints
call stack
conditional breakpoints
EBFE technique
events
IDA Pro
IEP
SeeInjected entry point (IEP
OllyDbg
patching
troubleshoots
types
VirtualAlloc APIs
Win32 APIs
Deception mechanisms
Decompilation
Decompression algorithm
Deep packet inspection (DPI)
Deobfuscating
definition
dynamic
embedded script debuggers
keywords/functions
static
Detecting network communication
anomaly baselines
IP/domain reputation feed
networking APIs
static signatures
string analysis
Direct kernel object manipulation (DKOM)
APIMiner
CreateService API
kernel-mode
malware process
process environment block
Disassembly readable
color coding schemes
labels/comments
tracking variables
Distribution mechanisms
categories
CVE
downloaders
drive-by download
infected storage devices
input validation
malvertising
malware
patches
shared folders
spam
weak authentication
zero-day vulnerabilities
Diverse transport system
.dll extension
dlllist command
DocFileViewer
Document Object Model (DOM)
Domain generation algorithm (DGA)
data exfiltration methods
SeeData exfiltration methods
domain names
identifying methods
slmrtok.dw
techniques
Driver development kit (DDK)
DriverView
Dumping
Dynamic analysis
administrator privileges
API log files
APIMiner/Cuckoo Sandbox
code injection
SeeCode injection
CreateMutant API
ProcMon
SeeProcMon
public/explicit behavior
Read___ME.html
SDK/framework
snapshot
string
SeeString analysis
svchost.exe
Dynamic analysis, YARA rules
Dynamic based signatures
Dynamic behavior-based detection
Dynamic binary instrumentation (DBI)
blocks and traces
code
malware analysis
terminologies/intervals
tool writing
branch bypass
code modification
JNE instruction
logging all instructions
PIN setting up
Win32 API logging
Dynamic-Link Library (DLL)
characteristics
dependency chaining
.exe extension
export
HelperFunction()
import table
memory blocks
module
Dynamic unpacking
E
e_magic field
Emotet
Emulators
Encryption
Endian
Endianness
Endpoint Detection and Response (EDR)
Entry point (EP)
EPROCESS
eval() functions
Evasion techniques
antivirus
network security
sandboxes
eve.json
Exfiltration
Exploit kits
case duty
components
flow
malware delivery mechanism
waiting game
Extensions for financial services (XFS)
F
FakeNet
Fake process names
Fiddler
File
Command-Line tools
hex form
Notepad
single byte
unique identifier
File extension
association
default file view
default program
extension faking
fake thumbnails
.jpeg /.png image file
.pptx extension
suffix
thumbnail faking techniques
types
File formats
command-line tools
header
magic bytes
manual identification
structures/headers
TriD/TriDNet
File infection
Fileless malware
PE executable
Powershell
WMI
File scanners
Filter drivers
FindWindow API
Fooling malware armoring
Forensic team
FTK Imager Lite
Function drivers
G
GandCrab detection rule
GandCrab ransomware
Generic signatures
GMER
H
Handles
commands
malware process
mutex/mutants
Volatility commands
Hard disk drive (HDD)
Hardware malware sandbox
Hash-based signatures
generation process
HelperFunction() function
Heuristics signatures
hivelist command
HoneyProcs technology
Hooking
I
IAT hooking
IDA debugger
disassembler
functionalities
opcode bytes
PE executable
starting pause point
IDA Pro
Identifying code constructs
array on stack
branch conditions
EBP, stack frame
function call parameter
function epilogue/prologue
global variables
higher-level language
local variables
loops
pointers
stack frame
structures on stack
Identifying packers
custom packers
entry point
PEiD
section names
side-effect
tools/techniques
IDPS
components
app layer
detection engine
logging module
packet capture module
packet layer decoding
rule engine
TCP protocol
deployment
IDS vs. IPS
Image File Execution Option (IFEO)
ImpHash
Import address table (IAT)
Incident response
Indicator of Attack (IOA)
Indicator of compromise (IOC)
Indicators of compromise (IoC)
Industrial control systems (ICS)
Infected storage devices
Information stealers (PWS)
credentials
dynamic events/API logs
moz_logins
string analysis
InfoStealers
Injected entry point (IEP)
CreateRemoteThread API
SeeCreateRemoteThread
injection process
remote thread
SeeThread context
Injector process
Installers
Instructions, x86
ADD and SUB
address loading
arithmetic
categories
comparison
control flow
SeeControl flow instructions
data movement
SeeData movement instructions
INC/DEC
interrupt handler
logical
NOP
rotate
shift
stack
Internet of Things (IoT)
Intrusion detection system (IDS)
traffic feed mechanisms
SPAN
SPAN vs. TAP
TAP
Intrusion prevention system (IPS)
traffic feed
iptables
Netfilter
peer mode/bridging
pseudo inline mode
I/O request packets (IRP)
J
Java Runtime Engine (JRE)
K
Kernel-mode rootkits
component
drivers
features
injecting code
IRP filtering
modules/drivers
request flow
SSDT
Win32 APIs
Kernel-module monitoring agent module
Keylogger
GetAsynckeyState Win32 API
hooking keyboard messages
information-stealing malware
L
Last in, first out (LIFO)
Lateral movement
credential stealing/exploit preparation
misconfiguration
vulnerabilities
weak passwords
east-west traffic
gaining access
reconnaissance
shared folders
SMB
Linux VM
APIMiner and Cuckoo Monitor
hardware settings
installation process
Suricata
Ubuntu 16.04
Loader code
M
Machine-language debuggers
malfind command
Malicious APIs
Malicious behavior
disappearing executables
features
number of process instances
process session IDs
stealing system files names, stealth
weird files/process names
Malvertising
Malware
Adware
backdoor
botnet
clusters
computing platforms
cryptominer
cyberattack
Cyber Kill chain
data protection laws
downloader
emotet
exploit
family
format strings
hunters
IP addresses, domain names and URL
keylogger
library dependencies
mutex
platform diversity
PoS
ransomware
RAT
reused code
rootkit
security professionals
spammers
spyware/InfoStealer
target diversity
trojan
type
virus
weapon
worm
Malware artifacts
Malware-as-a-service (MaaS)
Malware attack life cycle
business model
Cyberwarfare
development phase
adaptive/deceptive nature
mass production
self-defense
different phases
distribution phase
infection phase
post-infection phase
Malware components
armoring
communication
high-level description
packer
payload
persistence
propagation
stealth
Malware hook
browser attacks
data stealing
intercept network communication
operations
rootkits/stealth
self-protection
Malware sandbox
API log
need
security design
VM
Malzilla
Man-in-the-browser (MITB)
Manual unpacking
API logs/APIMiner
back tracing
compiler stub
debugging tricks
dumping
ESP trick
memory permission/string analysis
Process Hacker
Memory acquisition
dump
kernel-mode memory
NtQueryDirectoryFile/NTCreateFile service functions
tools
Memory analysis/forensics
command format
detecting API hooks
directory structure
>> operator
handles
ImageInfo value
kernel modules, scanning
malfind plugin
network communication
Notepad++ editor
process modules
pslist command
psscan command
pstree command
psxview command
SSDT scanning
systeminfo command
virtual memory inspection
Volatility tool
Memory analysis/forensics
Memory Dumper module
Memory forensics
anti-analysis armoring
dump
incident response team
malware artifacts
RAM
reverse-engineering
steps
techniques
volatile data
Memory scanner
PID
proof-of-concept
Win32 APIs
Microsoft Office malware
documents
extracting streams
macros
OLE
MOVS instruction
Mutants/mutex
N
Network access controls (NACs)
Network analysis
Network communication
C2C
cyberattacks
data filtration
downloader/droppers
IoT
lateral movement
malware types
purpose
RATs
zones
Network interface cards (NICs)
Network security monitoring (NSM)
Network traffic
east-west traffic
north-south traffic
zones
nocase keyword
Nomenclature
Notations, OllyDbg/IDA
beautification process
debugger analysis
local variable/parameter names
Notepad++
NT/COFF header
characteristics
data directories
machine
name field
NumberOfSections field
optional
raw size
section data/headers
signature
virtual address
Windows Loader
NtGlobalFlags
NTTrace
O
Obfuscation
definition
encryption algorithms
expression evaluation, eval
Hex equalent
inserting Junk
Malzilla
splits/joins
Object Linking and Embedding (OLE)
OllyDbg
OllyDbg 2.0 debugger
access buttons
breakpoints
SeeBreakpoints
disassembly window
execute till return
go/jump
pause/break execution
PE file
run to cursor
SFX settings
stack window
stepping
user code
OllyDumpEx
One-time passwords (OTP)
Opcodes/operands
action/operation
addressing mode
breakup
endianness
implicit vs. explicit
Open Information Security Foundation (OISF)
OpenProcess
Original entry point (OEP)
P
Packed binary
APIMiner
decompressed payload
decompression algorithms
import resolution
memory allocation
OEP
payload execution
stages
Win32 Wrapper APIs
Packer/cryptors
Packers
compress executables
compression
cryptors
entropy
high-level visualization
installers
obfuscation
packed/unpacked samples, comparing
PE file
protectors
sections
strings
dynamic observation
malware
static observation
unpacking stub
UPX command
Packet capture file (PCAP)
Payloads
malware
PEiD
PE/machine code
Persistence mechanisms
autoruns
debugger
IFEO
SilentProcessExit
DLL hijacking
file infector
keylogger
ProcMon
resources
RUN registry
startup shell directories
task scheduler
Windows services
Winlogon.exe process
pin_callback_call_instr callback function
Placing hooks
IAT
inline
techniques
Pointer registers
Point-of-sale (POS)
devices
identification/classification
payment cards
software
strings
track format
Polymorphic engines
Polymorphic packers/cryptors
Portable Executable(PE) file
catch
CFF explorer
DOS header
Dos header fields
endianness
file format
high-level structure
IAT
image base
Notepad++ hex-editor
NT/COFF header
SeeNT/COFF header
RVA
Windows loader
Port mirroring
.pptx file extension
Primary account number (PAN)
Privilege escalation
Proactive detection
Process creation
Command Line option
hacker
printf() function
program execution
while loop
Process Environment Block (PEB)
Process hollowing
calc.exe process
injected code
ResumeThread()API
system/clean process
technique
VirtualAllocEx()/WriteProcessMemory()
Process ID (PID)
Process modules
dlllist command
ldrmodules
ProcMon
AutoRuns tool
.exe file
RUN persistence keys
SVOHOST.EXE
ProcMon
Proof-of-concept memory scanner
Q
Quality assurance (QA)
R
Ransomware
identification
malware
strings
ReadProcessMemory
Read timestamp counter {RTDSC)
Reconnaissance
References (XREF)
DECRYPT-txt
GandCrab malware
IDA
Setup strings window
Win32 APIs
References (XREF), IDA
Reflective DLL injection
Registers
categories
data
debug
flags
index
pointers
x86
Registry Viewer
RegQueryValueExA API
Regshot
Relative Virtual Address (RVA)
Remediation module
Remote administration tool (RAT)
APT attacks
features
identification
strings
Remote process, execution
APC queues
CONTEXT struct
EIP/instruction pointer
thread creation
Remote thread creation API
injector process
malware creation
target process
REP instructions
Reversing/disassemblers
Ring3 API Hook Scanner
Rootkits
advanced stealth techniques
detection module
kernel-mode
user-mode
Rotate instruction
RunPe technique
S
Sandbox design
communication
deception
detection
files vs. streaming
guest
agent
end-user systems, VM
setup
host agent
machine learning
monitoring agent
API logger
kernel-module
Memory Dumper module
ProcMon
workflow
Sandbox evasion
detecting agents
timer attacks
well-known
Security operations center (SoC)
Service provider interfaces (SPIs)
Services
DLLs
malware
SVCHOST.EXE
tools
user logs
Shellcode injection
Shift instruction
Signature database
Signature-driven detection
SimpleWMIView
Single element/reference point
Snort/Suricata rule
Software piracy
Source instrumentation
Source-level debuggers
SSDTView
Stack frame
Static analysis
behavior-based detection
code signer information
dynamic analysis, feeder
file formats
filename/extension faking
file type/file extension mismatch
hash generation
infection context
Internet, blogs and analysis reports
properties
setup/environment
strings
techniques
thumbnail faking
version information/details
VirusTotal
YARA
Static-based signatures
Static binary instrumentation
Static unpacking
Stealth
code injection
feature
filename/extension faking
file properties/permissions
APIMiner tool
methods
ProcMon
SetFileAttributes API
hiding process window
kernel component
psycholinguistic technique
stealing system file names
thumbnail faking
Strict signatures
String analysis
BinText
dynamic observation
file type
PEiD
static observation
version information/details
Suricata
app layer buffers
case matters
cd
content keyword
download
IP-only rules
keyword modifier
rule writing
ACTIONS
basic structure
DIRECTION
DST_IP field
DST_IP port
PROTOCOL
SRC_IP field
SRC_IP port
sudo apt update
Suricata IDPS
PCAP
yaml config file
Syscalls
Sysinternals string tool
system32
System processes
anomalies
attributes
image file path
masquerading
no of instances
parent process
PID
Process Hacker
session ID
System service descriptor table (SSDT)
API hooking
APIMiner tool
GMER tool
inline hooking
service functions
structure
T
Tactics, Techniques, and Procedures (TTP)
Target process
The Onion Router (Tor)
Thread context
CFF explorer
ContextStruct
CreateProcessInternalW
CreateProcessInternalW API
decoding/parsing memory
GetThreadContext API
malware
NTUnmapViewOfSection
pContent argument
PROCESS_INFORMATION structure
runpe technique
RVA format
SetThreadContext API
target process
Thread Environment Block (TEB)
Threat hunting
Traffic analysis
U
Unconditional jump instruction
Unique identifier string
Unpacking
automatic
manual
OEP/payload
technique
Unpacking stub code
User document/settings
User-mode code injection
ExecuteInjectedCode()
execution
SeeRemote process, execution
injector process
locating target process
MemAlloc()
remote target process, memory allocation
section objects/views
target process
WriteProcessMemory()
WriteProcessMemory() API
User mode rootkits
V
vadinfo command
VBScript malware
Virtual memory
addressability
components
CPU
demand paging
frames
hacker
page states
permissions
private pages
types of pages
hardware
kernel space/user
malware detection
page file
pages
page table
processes
RAM
strings
swap space
Virtual memory inspection
vaddump command
vadinfo command
VAD tree
VirtualQuery
Virus (file infectors)
Visual Studio (VS)
Volatility
von Neumann architecture
Vulnerabilities
W
Weaponization
Web Crawlers
Whitelist process list
Win32 API
analysis
ASCII/Unicode versions
behavior identification
CamelCase naming style
DLLs
dynamic analysis
govern functionality, parameters
MSDN docs
NTCreateFile()
object
operations
parameters
processes/threads
static analysis
undocumented
VirtualAllocEx()
Windows services
Windows APIs
Windows dev VM, tools
Windows driver kit (WDK)
Windows Management Instrumentation (WMI)
Windows registry
altering registry information
CHMHIVE
data storage
dumpregistry command
hivelist command
hives
logical view
new keys/name values
printkey command
protected system files
querying information
root directories
tree-based hierarchical database
Volatility
Windows scripting environment
Windows scripting host (WSH)
Windows VM
Cygwin
Cygwin/VS
developer command
VS install
Wireshark
X
x86 assembly language
CFF Explorer
components
instructions
SeeInstructions, x86
machine code bytes
opcodes/operands
SeeOpcodes/operands
Quick Disassembeler
reference manuals
von Neumann architecture
XCHG instruction
Y
YARA Signature
Z
Zero-day exploits
Zero-day vulnerabilities
Zero flag (ZF)
Zeus malware
Zipped file
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.