Index

As this ebook edition doesn't have fixed pagination, the page numbers below are hyperlinked for reference only, based on the printed edition of this book.

Symbols

7-Zip 466

.NET languages 313

.NET application

CIL language instruction set 317

identifying, from PE characteristics 316

.NET file structure

about 313

COR20 header 313-315

metadata streams 315

.NET malware analysis

about 322

analysis tools 322, 323

obfuscation, dealing with 325

static and dynamic analysis 323

.NET malware analysis, tools

dnSpy 322

dotPeek 322

ILSpy 322

.NET IL Editor (DILE) 322

.NET Reflector 322

SOSEX 322

Visual Studio 322

partial ROP 290

A

aapt 507

Access Control List (ACL) 353

Accumulator (ACC) 57

AceDeceiver 458

ActiveX Data Objects (ADOs) 330

Activity Manager (AM) 510

address space layout randomization (ASLR) 289, 290, 439

Adore-Ng 404

AdThief 459

Advanced Encryption Standard (AES) 432

Advanced Mac Cleaner 456

Advanced Persistent Threat (APT) attacks

about 13, 168

files 497

Ahead-Of-Time (AOT) 488

AMD registers 234

analysis strategy

selecting 14

selection considerations 14-18

analysis strategy, workflow

behavioral analysis 18

dynamic analysis 18

static analysis 18

triage 18

unpacking 18

analysis workflow 474, 475

AND (&) operation 27

AndroChef 508

androguard 507

Android

APIs 499, 500

APK files 497-499

ART files 497

DEX format 494, 495

ELF files 497

file formats and APIs 494

OAT files 496

ODEX files 496

VDEX files 497

Android Debug Bridge (ADB) 508-510

Android documentation, directory structure

data storage options 478

androiddump 516

Android internals

file hierarchy 478-480

rooting 484-486

using 478

Android malware

analysis workflow 516, 517

behavioral analysis 515, 516

tracing 515, 516

Android malware, dynamic analysis

about 508

Android Debug Bridge (ADB) 508-510

debuggers 513-515

emulators 511-513

Android malware, static analysis

about 506

data extraction 506, 507

decompiling 507, 508

disassembling 506, 507

Android Package (APK) file 487

Android-Rootkit 505

Android Runtime (ART) 390, 487-489

Android security model

about 480

App permissions 481, 482

console 483, 484

filesystem 481

process management 480

security services 483

AndroidSnooper 516

angr 408

anti-analysis tricks 461, 462

anti-disassemblers 210

API hooking

about 186

detecting, with memory forensics 190, 191

need for 186, 187

using 187, 188

using, with length disassembler 189, 190

using, with trampoline 188, 189

working with 187

APK Downloader 516

APK files 497-499

APK Studio 507

apktool 498, 506

AppBuyer threat 459

apple disk images (.dmg) 447

Apple FileSystem (APFS) 432

Apple Filing Protocol (AFP) 457

Apple Remote Desktop 457

AppleScript

using 463

AppleTalk Filing Protocol 457

Application bundles (.app)

about 444

Info.plist 444

iOS apps 445

macOS 444

application programming interfaces (APIs)

about 82, 83, 104, 439, 447, 448, 499, 500

hijacking 464, 465

Application Program Status Register (APSR) 48

Application-Specific Extensions (ASEs) 52

App Sandbox 434

AppSync Unified 472

App Translocation 433

Arbitrary Code Execution (ACE) 9, 274

architecture, instructions

splitting 33

architectures

about 30

assembly 30

handling 427, 428

instructions 32

memory 31

registers 30

architectures, memory

stack 32

virtual memory 31

architectures, registers

types 30

arithmetic statements 64, 65

ARM

about 424

Linux shellcode 281

ARM assembly

basics 47-49

categories 47

codes 51

exploring 45-47

instruction sets 49-51

asymmetric algorithms 138

asymmetric encryption algorithms 145

Asynchronous Procedure Call (APC) 249

Autoruns 170

B

backdoor 7, 504

Back to My Mac (BTMM) 457

Baksmali 506

bash 355, 356

Basic Input/Output System (BIOS) 231

batch files

obfuscation patterns 354

behavioral analysis, of malware functionality

essentials 109

file operations 109, 110

network activity 112

process operations 111

registry operations 110

sandboxes 112, 113

WinAPIs 111, 112

behavioral analysis tools

detecting 215

evading 215

behavioral patterns

command and control 400, 401

defense evasion 402, 403

exploring 395

impact 401, 402

initial access and lateral movement 396-398

persistence 398, 399

privilege escalation 399, 400

ways, for achieving privilege escalation 400

BiffView 371

Binary Interchange File Format (BIFF8) format 367

Binary Ninja 407

Binder 480

Bionic C library 497

bit 25

bitwise operations

about 26

AND (&) operation 27

circular shift (Rotate) 29

logical shift (<< or >>) 29

NOT (~) operation 28

OR (|) operation 27

XOR (^) operation 28

bootkit 9

Boot ROM 435

Borland register 45

BotenaG 422

breakpoints

hardware breakpoints 101, 102

memory breakpoints 101

software (INT3) breakpoints 100, 101

step into breakpoints 100

step over breakpoints 100

types 100

BrickerBot 422

Bundlore 456, 465

Burp Suite 471

BusyBox 484

BusyBox suite 401

BusyGasper 504

bytecode languages

about 311

inheritance 312

object-oriented programming 312

polymorphism 312

theory 311

bytecode set 489-494

bytecode_tracer 350

Bytecode Visualizer plugin 344

C

calling conventions 42

call stack

backtracing 126-128

following 129

capa 157

CAPE 113

capstone 408

Carna 422

carry flag (CF) 35

C declaration (cdecl) 44

central processing unit (CPU) 30

CFF Explorer 79, 118

checksum

dynamic API calling 212

Chimera 450

Chrome Developer Tools 381

CIL language instruction set, .NET

branching instructions 319

mathematical and logical operations 319

stack instructions, pushing into 317, 318

value, pulling out from stack 318

circular shift (Rotate) 29

class 312

Classic Mac OS 430

clicker 8

Cloud Atlas 458

cloud-based Genymotion 513

Cocoa 430

Cocoa Touch 435

code block injection 174-176

code injection, dynamic analysis

about 179

dealing, with process hollowing 180, 181

debugging 179

targeted process, attaching 180

code patching 233

code transportation 211, 212

cold boot attack 459

com.apple.quarantine 433

COM functionality

using 214, 215

Command and Control (C&C) 5, 168

Command & Control servers (C&Cs) 194

Common Intermediate Language (CIL) 313

Common Vulnerabilities and Exposures (CVE) 286

Compact DEX (CDEX) 497

compiled Python threats

analyzing 345

compiled Python threats analysis

bytecode instructions 346-348

dynamic analysis 349, 350

file structure 345, 346

static analysis 348, 349

Complex Instruction Set Computer (CISC) 32

Compound File Binary (CFB) format 293-297, 367

COMView tool 215

Condition Codes Register (CCR) 62

Condition Register (CR) 57

container-based Anbox 513

control flow instructions 41, 42

Control Panel (CPL) 162

CookieMiner 456

Core Foundation framework 447

Count Register (CTR) 57

CPUID hypervisor bit 219

cross-references 104

cross-reference stream 304

cross-reference table 303

Crossrider 456

cryptocurrency miners 456

cryptocurrency mining 402

cryptographic service provider (CSP)

connecting 146

initializing 146

Cryptography API

Next Generation (CNG)

about 148, 149

steps 148

Cuckoo 113, 122

Current Program Status Register (CPSR) 48

Cutter 411

CyberChef 363, 377

cycript 471

Cydia Extender 472

Cydia Impactor 471

Cydia package 471

Cydia Substrate 464

D

Dalvik Executable (DEX) format 486, 494, 495

Dalvik VM (DVM) 486

Dark Nexus 422

data carving tools

foremost 405

scalpel 405

strings 405

data directories

about 75

entries 76

Data Execution Prevention (DEP)

turning on 124, 125

Data Execution Prevention/No Execute (DEP/NX) 270, 288

data manipulation instructions 38, 39

data structures

about 90

functions 90

data structures, functions

Process Environment Block (PEB) 91

Thread Environment Block (TEB) 91

Thread Information Block (TIB) 90

data transfer instructions 39, 40

data types 25, 26

data units 25, 26

DazzleSpy threat 431

DDoS attacks 401

Debug Base Register (DBR) 60

debugger

attacking 209

escaping 207

debugger detection

exploring 194

with DebugObject 197

with EPROCESS information 196

with exceptions 197

with handles 197

with parent processes 198, 199

with PEB information 194-196

debuggers 254

debugging tools 95-97

DebugObject

using, for debugger detection 197

DebugView 256

Decompyle++ (pycdc) 349

decompyle3 349

default settings

used, for detecting sandboxes 222

delimiters

about 298

types 298

demilitarized zone (DMZ) 4

Denial of Service (DoS) attack 8, 270, 274

deobfuscation tools

de4dot 322

Detect It Easy (DiE) 322

NoFuserEx 322

dest 36

detection tricks 461, 462

Detect It Easy (DiE) 328, 403

device driver 231

Device Firmware Upgrade (DFU) 435

Device Policy Manager (DPM) 510

dex2jar 508

digital forensics 14

Digital Signal Processor (DSP) module 53

direction flag (DF) 35

Direct Kernel Object Manipulation Attack (DKOM)

about 233, 242

kernel objects 243, 244

performing, with rootkits 244-246

Direct Memory Access (DMA) 459

disassembly

encryption functions, identifying 140, 141

Disk Utility 432

disassemblers 210

distorm3 408

Distributed Denial of Service (DDoS) 8

DLL injection

about 169

technique 172, 173

Windows-supported 169-171

dmg2img 447

dnSpy 323

Document Object Model (DOM) 359

Domain Name System (DNS) format 444

DOS program’s MZ Header 73

dotPeek tool 323

Double-Indirect File Allocation Table (DIFAT) 297

DR0-DR3 101

DR6 101

DR7 101

DRAKVUF Sandbox 113

DriverBuddy 253

DriverView 256

DTrace 470

dtruss 470

dual-use tools 9

Dvmap 502

dylib hijacking 453

dynamic analysis

about 160-162

for native code 339

for p-code 339

dynamic analysis, in kernel mode

about 254

debuggers 254

monitors 256

rootkit detectors 256, 257

dynamic analysis, of iOS

about 471

debuggers 472

dumping and decryption 473

in-memory patching 473

installers and loaders 471, 472

monitors patching 473

network analysis 473

dynamic analysis, of macOS

about 468

debuggers 468, 469

monitoring and dynamic instrumentation 470, 471

network analysis 471

dynamic analysis, x86 (32- and 64-bit) samples

about 409

binary emulators 411, 412

debuggers 410, 411

network monitors 410

tracers 409

dynamic API

loading 83, 84

dynamic API calling

with checksum 212

dynamic data exchange (DDE)

about 372

misusing 463

dynamic linking

about 82

libraries 82, 83

dynamic link libraries (DLLs) 82, 168, 228

dynamic string decryption

using 164, 165

dynamic WinAPIs resolution

approaches 165

using 165

E

Echobot 421

Effaceable Storage 436

EFlags

about 100

modifying 103

ELF files 390, 497

ELF structure

for executable and linkable files 390-392

emulators 511-513

encryption 210

encryption algorithms

basic 139

identifying 137

string search detection techniques 141

types 137-139

encryption functions

identifying 137

identifying, in disassembly 140, 141

Enterprise Matrix, tactics

collection 12

command and control 12

credential access 12

defense evasion 12

discovery 12

execution 11

exfiltration 12

impact 12

initial access 11

lateral movement 12

persistence 11

privilege escalation 11

reconnaissance 11

resource development 11

Enterprise Program certificates 438

entitlements 439

environment setup

about 18

safety features 19-21

virtualization software, selecting 19

EPROCESS 243

EPROCESS information

using 196

using, for debugger detection 196

ETHREAD 243, 244

evasion, of debugger breakpoints

handling 199

evil maid attacks 459

EvilQuest 458

Excel 4.0 (XLM) macros

about 367

basic syntax 367

dynamic analysis 370, 371

obfuscation 368-370

static analysis 370, 371

exception register (XER) 57

exceptions

using, for debugger detection 197

execsnoop 470

Executable and Linkable Format (ELF) 390

Execute Never (XN) 439

exploit mitigation technologies

address space layout randomization (ASLR) 290

bypasses, exploring 287

Data execution prevention (DEP/NX) 288

return-oriented programming (ROP) 288, 289

SafeSEH 293

stack canaries (/GS Cookies) 292

Structured Exception Handling Overwrite Protection (SEHOP) 293

exploit mitigation technologies, bypass

DEP and full ASLR 290-292

DEP and partial ASLR 290

full ASLR 291

exploits

analysis workflow 285, 286

shellcode analysis 287

exploit, types

about 274

Arbitrary Code Execution (ACE) 274

Denial of Service (DoS) 274

privilege escalation 274

types 274

unauthorized data access 274

eXtensible ARchive (XAR) format 446

F

FairPlay 439

Fakeapp 504

FakeAV 9

fastcall 45

Fast Interrupt Request (FIQ) 47

fat binaries 442, 443. See multi-architecture binaries; See universal binaries

FAT sectors 295

Field Programmable Gate Arrays (FPGAs) 47

File Allocation Table (FAT) 295

file formats 439

file header 74

fileless malware 14

file operations 109, 110

file structures 293, 302-307

filesystem (FS) 392

FileVault 432

financially motivated actors 6

FindCrypt 157

Find My iPhone feature 461

FinFisher 458

Firefox Developer Tools 381

FLARE VM 19

FLIRTDB 159

floating-point communication registers (FPULs) 60

Floating-Point Registers (FPRs) 48

formulas 367

frida 410, 470

frida-server 516

frida-trace 516

fsmon 470, 515

funcap tool 162

function 45

G

Gatekeeper 433

GDB 410

gdbserver tool 422

general-purpose registers (GPRs) 30, 34

General Status Register (GSR) 62

generic unpackers

using 121

Ghidra 407, 508

glibc 497

Global Base Register (GBR) 60

Global Flags Editor (GFlags) 108

golang_loader_assist 158

H

Hacktool 9

Hajime 422

handles

using, for debugger detection 197

hardware breakpoints

about 101, 102

detecting 206

evading 204

Hardware Random Number Generator (HRNG) 436

hdiutil 447

heap 271

heap chunks 271

heap overflow vulnerability 271, 272

heap spraying

about 291

technique 291

Hex-Rays Decompiler 408

Hiew 80, 264

higher-level languages conversion, to CIL language

branching statements 320

local variable assignments 320

local variable assignments, with method return value 320

loop statements 321

high-level functionality, Mirai

propagation 418

self-defense 419

weaponry 418, 419

high-level programming languages

about 64

arithmetic statements 64, 65

if statements 66, 67

while loop conditions 68

Hoax 9

HollowFind plugin

used, for detecting process hollowing 185, 186

hollow process injection (process hollowing) 177

hooking mechanisms

about 232, 233

API hooking 233

code patching 233

IRP hooking 233, 239

layered drivers 233

SSDT functions, patching 238

SSDT hooking 233

SSDT, modifying in x64 environment 237, 238

SSDT, modifying in x86 environment 235, 236

SYSENTER entry function, hooking 233, 234

SYSENTER hooking 233

user-mode hooking 233

Hopper 408

hypervisor I/O port 220

I

iBoot 435

IDA

about 256, 408, 411

tips and tricks 155

using, for decryption and unpacking 154

IDAGolangHelper 158

IDAscope 157

IDA scripts

dynamic string decryption, using 164, 165

dynamic WinAPIs resolution, using 165

syntax 162-164

IDA Signsrch 157

IDA, tips and tricks

dynamic analysis 160-162

static analysis 155-160

idb2pat tool 160

IDR tool 158

iFile 472

if statements 66, 67

iFunbox 472

ildasm.exe tool 324

iMazing 466

Imeij 421

Immunity Debugger 96

Import Address Table hooking (IAT hooking)

exploring 191, 192

Import Address Table (IAT) 288

Import REConstructor (ImpREC) 136

import table

fixing 134-137

Incident Response (IR)

about 14

malware analysis 5

index table 303, 304

Indicators of Attack (IoAs) 4

Indicators of Compromise (IoCs) 4, 231

Industrial Control Systems (ICSs) 11

Info.plist 444

information, from Windows cryptography APIs

data, encrypting or decrypting 148

key, preparing 146-148

memory, freeing 148

infostealer (Password Stealer (PWS)) 8

infostealers 456

inject code

executing, with APC queuing 249-251

injector 8

installer packages (.pkg) 446, 447

instruction pointer 30

instruction pointer register (EIP/RIP) 168

instruction pointer value

modifying 103

integer overflow vulnerability 273

Integrated Scripting Environment (ISE) 378

Intel Processor Trace (Intel PT) 252

Internet of Things (IoT) 7

Inter-Process Communication (IPC) 431, 480

Interrupt Descriptor Table (IDT) hooking 233

I/O control codes (IOCTLs) 241

I/O Request Packet (IRP) 230

iOS

about 435

layers 435

organizing 454

iOS apps

fields 445

iOS app store packages (.ipa) 447

ios-deploy 472

iOS kernel 435

iosnoop 470

iOS, protection layers

apps security 438, 439

data encryption 436, 437

password management 436, 437

system security 435, 436

ipainstaller 472

IRP hooking

about 233, 239

completion routine, setting up 242

device, attaching to 241

device functions 240, 241

IRP response, modifying 242

iTunes 466

J

JADX 507

jailbreakMe 450

jailbreaks 449

jailbreaks, for iOS

types 450

Java Deobfuscator 344

Java DeObfuscator (JDO) 344

Java Development Kit (JDK) 340

Java languages 486

Java Network Launch Protocol (JNLP) 341

Java Runtime Environment (JRE) 340

Java samples

anti-reverse engineering solutions, dealing with 344

dynamic analysis 344

file structure 340, 341

internals 340

JVM instructions 341, 342

static analysis 342, 343

JavaScript

about 378

anti-reverse engineering tricks 380, 381

basic syntax 378-380

dynamic analysis 381-384

handling 378

static analysis 381-384

Java Virtual Machines (JVMs) 340

JD-GUI 343

JEB decompiler 508

JMD 344

jrename 344

jsbeautifier 381

JSDetox project 383

juice jacking 460

junk code 210, 211

Just-In-Time (JIT) compiler 292, 311, 408, 487

K

KD debugger 254

KeRanger 452, 457

kernel32.dll 283

Kernel-Based Virtual Machine (KVM) 19

Kernel Integrity Protection (KIP) 435

kernel mode

debugger, setting up 259-261

debugging state, restoring 265

driver, loading 265

driver's entry point, stopping 262-264

dynamic analysis 254

process injection, performing 247, 248

static analysis 253

testing environment, setting up 257-259

kernel-mode debuggers

BugChecker 256

HyperDbg 256

IDA 256

radare2 256

Rasta Ring 0 Debugger (RR0D) 256

SoftICE (obsolete) 256

Syser 256

WinDbg 254, 255

keybags 437

keybags, types

backup keybag 437

device keybag 437

escrow keybag 437

iCloud backups 437

user keybag 437

KeyRaider 459, 464

key-scheduling algorithm (KSA) 143

Knark 404

KPP, in x64 systems

about 251

driver signature enforcement, bypassing 251

GhostHook 252

Turla example 252

L

Last In First Out (LIFO) 32

libxslt 501

legal protectors 117

libc6-arm64-cross 424

libc6-armhf-cross package 424

libemu 122, 287, 411

LIEF 507

Lightaidra 420

Link Register (LR) 57

Linux shellcode

about 275

for ARM 281

in x86-64 275

Linux shellcode, for ARM

null-free shellcode 282

Linux shellcode, in x86-64

absolute address, obtaining 275, 276

local shell shellcode 277-279

null-free shellcode 276, 277

reverse shell shellcode 279-281

ListDLLs 173

LiveKd tool 257

local exploits 274

local shell shellcode 277-279

logical shift (<< or >>) 29

logical vulnerability 273

LOLBAS

reference link 354

Lord PE 134

LoudMiner threat 465

Low Fragmentation Heap (LFH) 272

Low-Level Bootloader (LLB) 435

ltrace tool 410

LuaBot 421

M

Mac

rootkit 465

Mac-A-Mal 471

Machine State Register (MSR) 57

Mach-O

about 439

fat 442, 443

thin 439-442

MachOView 468

Mach ports 431

macOS, security model

about 430

apps protection 432

directory structure 431

encryption 432

Gatekeeper 433, 434

security policies 430, 431

XProtect 434

MacRansom malware 462

malicious charger attacks 460

malicious encryptors 117

malicious services

about 105-107

attaching ways 107, 108

debugging 105

designing, ways 106

malpdfobj 308

malware

goals, achieving by misusing MS Office documents 371, 372

categories 7

C&C server, usage 384

development history 6, 7

naming conventions 10

types 6

malware analysis

about 4

in collecting threat intelligence 4

in creating detections 6

in incident response 5

in threat hunting 5

malware attack

execution and persistence stages 452

impact stage 454

initial access stages 450-452

jailbreaks stages 449, 450

stages 449

techniques 459

malware attack, execution and persistence stages

iOS 454

macOS 452, 453

malware attack, impact stage

iOS 458, 459

macOS 454-458

malware attack, techniques

iOS 460, 461

macOS 459, 460

malware authors

using, techniques 381

malware backend

questions to answer, preparing 384

static and dynamic analysis 385

malware behavior patterns

about 500

collection 504

defense evasion 504, 505

impact 502-504

initial access 501

persistence 502

privilege escalation 501

malware categories

Adware 9

Bootkit 9

dual-use tools 9

Exploit 9

FakeAV 9

Hacktool 9

Hoax 9

PUAs 9

Rootkit 9

targeting, Mac users 456-458

Trojan 7

Virus 8

Worm 8

malware families

example 486

malware, hiding from user on macOS system

locations 452

Malware Removal Tool (MRT) 434

Malzilla 383

MaMi 456

Mandatory Access Control (MAC) 480

man-in-the-middle (MITM) attacks 231

manual unpacking, with OllyDbg

techniques 123

manual unpacking with OllyDbg, techniques

breakpoints, setting 123, 124, 128

call stack, backtracing 126-128

call stack, following 129

control, transferring to OEP 133

further attempts to change memory permissions, preventing 125, 126

in-place unpacking 132

allocated memory spaces, monitoring for unpacked code 130-132

memory breakpoint, on execution 123

OEP, executing 126

OEP, obtaining 126

OEP, reaching 129, 130

searching, for OEP 133

stack restoration-based 133

turning, on Data Execution Prevention 124, 125

Masuta or PureMasuta 419

memory breakpoints 101, 206

memory forensics

used, for detecting API hooking 190, 191

memory forensics techniques

for process injection 181

memory forensics techniques, for process injection

code injection, detecting 182-184

process hollowing, detecting 184, 185

process hollowing, detecting with HollowFind plugin 185, 186

reflective DLL injection 182-184

Memory Management Unit (MMU) 31

Memory Protection Unit (MPU) 47

Meris 422

Metasm 408

Miasm 408

Microprocessor without Interlocked Pipelined Stages (MIPS)

about 425

basics 52, 53, 56, 57

instruction set 54-59

PowerPC 56

processors 54

Microsoft Component Object Model (COM) 357

misused, by attackers 357, 358

Microsoft Office exploits

analyzing 293

dynamic analysis 302

file structures 293

static analysis 301

Microsoft Office exploits, file structures

Compound File Binary (CFB) format 293-297

Office Open XML (OOXML) format 300

Rich Text Format (RTF) 298, 299

Microsoft Script Debugger 360

Microsoft Script Editor 360

Microsoft x64 calling convention 45

MiniFAT 296

Mirai

about 355, 417

derivatives 419

high-level functionality 417

widespread families 420, 421, 422

MITRE ATT&CK framework

about 10

Enterprise matrix 11

group 11

matrix 11

mitigation 11

procedure 11

software 11

tactic 10

technique 11

TTPs 11

MMX registers 219

Mobile Device Management (MDM) 437

MobileSubstrate 464, 473

Model-Specific Register (MSR) 233

Mouse click/Mouse over technique 371

Mozi 421

MRxCls rootkit 247

mshelper 456

msodde tool 372

Muhstik 421

multiple vulnerabilities

chaining 290

MZ header 73

MZ magic 185

N

native cmdlets 373

ndisasm 405

.NET-based methods 374

network communication encryption 153, 154

Network Detection Responses (NDRs) 5

network evil maid attack 460

network operations 112

New Disk Image Format (NDIF) 447

Next Program Counter (NPC) 63

node-applesign 472

nop ramp 291

nop sled 291

nop slide 291

NOT (~) operation 28

notarizing 433

null-free shellcode 276, 277

Nymaim proxy function 213, 214

O

oat2dex 507

OAT files 488, 496

obfuscation 210

obfuscation patterns

for batch files 354

obfuscation techniques, .NET

code blocks, loading dynamically 329

compilation, after delivery and proxy code execution 329

encrypted strings, in Binary 326-328

obfuscated names, for classes and methods 325, 326

obfuscator, using 328, 329

objdump 405

Objective-C 430

object-oriented programming (OOP) 273, 312

objects 312

obj/endobj 304

ODEX files 496

officedissector 301

OfficeMalScanner 301, 366

Office Open XML (OOXML) format 300

OffVis 368, 371

Okiru 420

OLE2

about 293

allocators 295

header structure 294, 295

oledump 301, 366

oletools

about 301, 366, 372

examples 301

olevba 366, 370

OllyDbg

about 95, 179

APIs 104

cross-references 104

labels and comments, setting 104

list of strings 104

OllyScript, using with 121

using, for dynamic analysis 94

using, for sample analysis 97-100

versus x64dbg 104, 105

OllyDump 134

OllyScript

using, with OllyDbg 121

Online DisAssembler (ODA) 422

online sandbox services 113

opcode 36

Open Packaging Convention (OPC) 300

opensnoop 470

operands 36

Optimized DEX (ODEX) file 487

optional header 74

OR (|) operation 27

origami 308

original entry point (OEP)

about 123

control, transferring 133

executing 126

obtaining 126

reaching 129, 130

searching for 133

OSAMiner 464

otool 468

overflow flag (OF) 36

Over-The-Air (OTA) 436

Owari 420

P

P32Dasm tool

using 337

Package Manager (PM) 510

packed sample

identifying 117

identifying, with static signatures 118

PE section names, evaluating 118

small import table, detecting 119, 120

stub execution signs, using 119

packers

about 117

ASPack 117

exploring 116

UPX 117

Packet Filter (PF) 454

packing and encrypting tools

exploring 116, 117

parent processes

using, for debugger detection 198, 199

Password AutoFill 437

PatchGuard 237. See also KPP in x64 systems

Path Randomization 433

pcf tool 160

pcodedmp 366

PDF files

dynamic analysis 309

static analysis 307, 308

pdf-parser 307

PDFStreamDumper 307

PE+ (x64 PE) 78, 79

PE-bear 80

PEB information

using, for debugger detection 194-196

peepdf 307

Pegasus 451, 458

PE header structure

about 74

data directory 75

exploring 73

file header 74

MZ header 73

need for 72

optional header 74, 75

rich header 77, 78

section table 76

working with 72

PEiD 80, 118

Performance Monitoring Units (PMUs) 253

Performance Optimization With Enhanced RISC-Performance Computing (PowerPC) 56

Persirai 421

PE section names

evaluating 118

PETools 134

phantomjs 378

physical memory

virtual memory, mapping to 88, 89

plutil 468

Pokas x86 Emulator 122, 287

polymorphism 312

Portable Document Format (PDF)

about 302

file structure 302-307

Portable Executable file header (PE header)

about 71

analysis tools 79, 80

information, using for static analysis 84

using, for incident handling 84, 85

using, for threat hunting 85, 87

Potentially Unwanted Applications (PUAs) 9

Potentially Unwanted Programs (PUPs) 456

Poweliks 378

PowerPC 425, 426

PowerShell

about 373

basic syntax 373

dynamic analysis 377

obfuscation 376

static analysis 377

syntax 373-376

primitive data types

in programming languages 25

private key 138

privilege escalation 274

process

about 87, 88

creation, step by step 91

Process Environment Block (PEB) 87, 90, 177, 194, 283

Process Explorer 111

process hollowing

detecting 184, 185

detecting, with HollowFind plugin 185, 186

Process IDs (PIDs) 173

process injection

about 168, 173, 207

code block injection 174-176

memory forensics techniques 181

need for 168

performing, in kernel mode 247, 248

reflective DLL injection 176, 177

Stuxnet secret technique 177, 178

victim process, searching 173, 174

Process Monitor (Procmon) 111

process operations 111

processor rings

RING 0 226

RING 3 226

program counter 30

program data

modifying 103

program’s assembly instructions

modifying 102

program’s execution

modifying 102

Proofs of Concept (PoCs) 231

proxy argument stacking 213, 214

proxy functions 213, 214

PSDecode 378

Pseudo-Random Number Generators (PRNGs) 143, 436

psexec tool 376

public key 138

PyInstaller tool 345, 349

PyPDF2 308

Python 3

binary operations 347

coroutine opcodes 348

general instructions 347

in-place operations 348

miscellaneous opcodes 348

unary operations 347

Q

QEMU 19, 411

qiling 412, 471

qpdf 308

R

r2lldb plugin 472

radare2 256, 406, 411

radare2 cheat sheet

basic information, collecting 412

breakpoints 413

control flows 413

data representation and modification 413

generic commands 412

markups 413

misc 413

rax/eax 35

rbp/ebp register 35

RC4 encryption algorithm

about 143

identifying 143

identifying, in malware sample 144, 145

key-scheduling algorithm (KSA) 143

pseudo-random generation algorithm (PRNG) 143

rcx/ecx 35

rdi/edi 35

rdx/edx 35

Read-Only Memory (ROM) 435

Reaper/IoTroop 421

Reduced Instruction Set Computer (RISC) 32, 317

reflective DLL injection 176, 177

registry keys

virtualization, detecting through 220

registry operations 110

Relative Virtual Addresses (RVAs) 75, 283

Relyze 407

REMnux 19

Remote Access Tools (RATs) 7, 340, 457

Remote Code Execution (RCE) 274

Remote Control System (RCS) 458

remote exploits 274

Remote Virtual Interface (RVI) 473

Renesas SH 426

Resource Hacker 85

RetDec 406

return-oriented programming (ROP) 288, 289

reverse shell shellcode 279-281

rflags/eflags/flags 35

rich header 77, 78

Rich Text Format (RTF)

about 298, 299

elements 298

rip/eip 35

RISC samples

ARM 424, 425

MIPS 425

PowerPC 425, 426

SPARC 427

static and dynamic analysis 422-424

SuperH 426

rizin 411

root directory 297

rooting 484-486

rootkit

about 9, 231

bootkits 231

firmware rootkits 231

for Mac 465

hypervisor or virtual rootkits 231

kernel-mode rootkits 231

types 231

user-mode or application rootkits 231

rootkit detectors

about 256

DarkSpy 257

GMER 256

IceSword 257

RootkitRevealer 257

Rootkit Unhooker 257

rsi/esi 35

rsp/esp register 35

rtfdump 301

Rubylin rootkit 465

Run-Length Encoding (RLE) algorithm 306

run-only 464

rvictl tool 473

S

SafeSEH 293

sandboxed apps

directories 438

sandboxes

detecting 219

detecting, with default settings 222

using 112, 113

using, options 113

Satori 419

Saved General Register 15 (SGR) 60

Saved Program Counter (SPC) 60

Saved Program Status Registers (SPSR) 48

Saved Status Register (SSR) 60

Scalable Processor Architecture (SPARC)

basics 62, 63

instruction set 63

working with 62

scdbg 287

script languages

about 385

questions to answer 386

threat, analyzing 385, 386

Search Engine Optimization (SEO) 501

section table 76

Secure Boot 432

Security-Enhanced Linux (SELinux) 480

security model

role 430

self-managed sandboxes 113

Service Control Manager (SCM) 105

Service Descriptor Table (SDT) 235

Setting Content files

using 372

shellcode

about 275

cracking 275

shell script languages

about 352

bash 355, 356

Windows batch scripting 352-355

Shlayer 456

sig-database 159

sigmake 159, 160

Signal Processing Engine (SPE) 57

sign flag (SF) 36

simple static encryption 139

single-stepping

detecting, with timing techniques 203

breakpoints, detecting with trap flag 201, 202

Smali 506

smalidea 513

SmaliEx 507

Smalltalk 340

Smart Search 456

snowman 406

Sockbot 503

SoftICE (obsolete) 256

software breakpoints (INT3)

detecting 199-201

software (INT3) breakpoints 100, 101

Software Interrupt (SWI) instruction 51

Sora 420

spammer (spambot) 8

SPARC 427

spyware 8

src 37

SSDT hooking 233

stack and frame pointers 30

stack canaries (/GS Cookies) 292

stack overflow vulnerability 270, 271

stack restoration-based 133

standard call (stdcall)

about 42

arguments 42, 43

local variables 43, 44

static analysis

about 155-160

for native code 338, 339

for p-code 336, 337

PE header information, using 84

static analysis, in kernel mode

about 253

rootkit file structure 253

workflow 254

static analysis, of macOS and iOS

about 466

auxiliary tools and libraries 468

decompilers 467

disassemblers 467

samples, retrieving 466

static analysis tools, Java samples

CFR 342

d4j 342

FernFlower 342

Ghidra 342

JAD 343

JD Project 343

Krakatau 342

Procyon 342

static analysis, x86 (32- and 64-bit) samples

data carving 405

disassemblers 405

file type detectors 404, 405

frameworks 408

solutions, selecting 409

tools 405-408

static and dynamic analysis

.NET dynamic analysis 324

.NET sample, patching 324, 325

.NET static analysis 323

static linking 81

static signatures

using 118

Status Register (SR) 60

step into breakpoints 100

step over breakpoints 100

strace tool 403, 409

stream/endstream 304

streams 315

strings

list 104

Structured Exception Handling Overwrite Protection (SEHOP) 293

Structured Exception Handling (SEH) 197, 204, 205

Structured Threat Information Expression (STIX) 13

stub execution signs

using 119

Stuxnet 247

Stuxnet secret technique 177, 178

SuperH 426

SuperH assembly

basic 60

covering 59

instruction set 60, 61

Supervisor Call (SVC) instruction 51

symchk tool 261

symmetric algorithms 138

symmetric encryption algorithms 145

SYSENTER entry function

hooking 233

SYSENTER hooking 233

drawbacks 234

system calls (syscalls)

about 392

filesystem 392

network 392

process management 393

using 393

using, in assembly 394, 395

System Integrity Protection (SIP) 430, 470

System Service Dispatch Table (SSDT) 229

System Service Number (SSN) 235

system software authorization 436

System V AMD64 ABI 45

T

tactics, techniques, and procedures (TTPs) 4

Target Access Register (TAR) 57

Target Disk mode 432

tcpdump tool 410, 471

Terminal Emulator 483

Termux 483

TheMoon 420

thin

about 439-442

parts 439-441

thiscall 45

thread 89, 90

Thread Environment Block (TEB) 87, 90, 204

thread ID (TID) 249

Thread Information Block (TIB) 90

Thread Local Storage (TLS) 76, 207

Thumb Execution Environment (ThumbEE) 49

ThunderClap 459

Tilib tool 157

Time Base (TB) 57

Time Machine 432

timing techniques

used, for detecting single-stepping 203

TLS callbacks 207, 208

tool process

searching 215-217

tool window

searching 217-219

Torii 421

Trap Base Address (TBA) 63

trap flag

used, for detecting single-stepping breakpoints 201, 202

trepan2/trepan3k debugger 349

TrID tool 405

Trivial File Transfer Protocol (TFTP) 356

Trojan

about 7

Backdoor 7

Banker 8

Clicker 8

DDoS 8

DoS 8

Downloader 7

Dropper 7

Infostealer (Password Stealer (PWS)) 8

Injector 8

Miner 8

Packed 8

Ransomware 7

Spammer (spambot) 8

Spyware 8

Wiper 8

trustjacking 460

Tsunami/Kaiten 421

two-factor authentication (2FA) 8

U

unauthorized data access 274

unc0ver 450

uncompyle6 349

unicorn 122, 287, 411

Unified Extensible Firmware Interface (UEFI) 231

unipacker 122

Universal Disk Image Format (UDIF) 447

unpacked code

memory allocated spaces, monitoring 130-132

unpacked sample

dumping 134

process, dumping 134, 135

unpacking packed samples

automatically 120

emulation 121, 122

generic unpackers, using 121

memory dumps 122

official unpacking process 120

OllyScript, using with OllyDbg 121

UnPYC 349

UPX 120

use-after-free vulnerability 272, 273

use case examples, reverse engineering

article, for general public 15

AV detection 14

technical article or conference presentation 15

threat intelligence 14

user

hiding 463

user-mode API hooking 233

V

Vawtrak banking Trojan

about 149

API name encryption 150-152

network communication encryption 153, 154

string 150-152

VBA macros

about 364

basic syntax 364-366

dynamic analysis 366

static analysis 366

VB Decompiler

using 336

VB Decompiler Lite program 333

vb.idc script 338

vdbbin (vdb) 411

vdexExtractor 507

VDEX files 488, 497

Vector Base Register (VBR) 60

Vector Registers (VRs) 57

Vector Scalar Registers (VSRs) 57

videojacking 460

ViperMonkey 366

Virtual Address Descriptors (VADs) 183, 243

VirtualBox 19

virtualization

detecting, through registry keys 220

processes, detecting 220

services, detecting 220

VirtualKD project 260

virtual machines (VMs)

about 254

detecting 219

detecting, with WMI 221

virtual memory

mapping, to physical memory 88, 89

Virtual Private Network (VPN) 480

Visual Basic

essentials 330

file structures 330-332

p-code instructions 334-336

p-code, versus native code 332-334

Visual Basic for Applications (VBA) 330, 364

Visual Basic samples

dissecting 336

dynamic analysis, performing 339

static analysis, performing 336

Visual Basic Scripting Edition (VBScript)

about 356

basic syntax 357-360

deobfuscation 363, 364

dynamic analysis 360-363

static analysis 360-363

visual mode hotkeys 414-416

Visual Studio 360

vivisect 408

VM detection

techniques 221, 222

VMRay 113

VMware 19

Volatility 181

VSD 134

vulnerability, types

about 270

heap overflow vulnerability 271, 272

integer overflow vulnerability 273

logical vulnerability 273

stack overflow vulnerability 270, 271

use-after-free vulnerability 272, 273

W

WeKnow 456

while loop conditions 68

Wifatch 422

WinAPIs 111, 112

WinDbg 108, 254, 255

Windows

anatomy 227, 228

execution path, from user mode to kernel mode 229, 230

internals 227

kernel mode 228

user mode 228

Windows batch scripting

about 352

built-in commands 352

commands 352

external commands 352-355

Windows cryptography APIs

information, extracting from 145

Windows events callbacks 208, 209

Windows Management Instrumentation Command-line (WMIC) 376

Windows Management Instrumentation (WMI)

about 359

used, for detecting VMs 221

Windows PE loader

step by step 92, 93

Windows Print Spooler Service Vulnerability 273

Windows shellcode

about 282

base address of kernel32.dll, obtaining 283

downloading 285

executing 285

required APIs, obtaining from kernel32.dll 283-285

win_driver_plugin 253

WinObj 256

WinRAR 120

WireLurker 451, 458

wireshark (tshark) tool 410

WKTVBDE project 339

Worm 8

WOW64

processes 93, 94

X

x64dbg

about 96

using, for dynamic analysis 94

versus OllyDbg 104, 105

x86 (32- and 64-bit) samples

dynamic analysis 409

radare2 cheat sheet 412

static analysis 404

x86 (IA-32 and x64)

arguments 42

calling conventions 42

instruction set 38

local variables 42

x86 (IA-32 and x64), instruction set

control flow instructions 41, 42

data manipulation instructions 38, 39

data transfer instructions 39, 40

x86 (IA-32 and x64), instruction structure

dest 36

src 37

XAgent 458

XcodeGhost threats 451

XcodeSpy threats 451

XCSSET threats 451

XLMMacroDeobfuscator 370

XOR (^) operation

about 28

applications 28

XORSearch 142

XProtect 434

X-RAYING

about 141

basics 141

X-RAYING tools

for malware analysis 142

for malware detection 142

xref 303

Y

Yara Scanner 142

YiSpecter 458

Z

ZergHelper 451

zero-day attack 13

zero-day exploit 274

zero flag (ZF) 35

Zygote process 486
