Preface

New and developing technologies inevitably bring new types of malware with them, creating a huge demand for IT professionals who can keep that malware at bay. With the help of this updated edition of Mastering Malware Analysis, you’ll add valuable reverse engineering skills to your CV and learn how to protect organizations in the most efficient way.

This book will familiarize you with multiple universal patterns behind different malicious software types and teach you how to analyze them using a variety of approaches. You’ll learn how to examine malware code and determine the damage it can cause to systems to ensure that the right prevention or remediation steps are followed. As you cover all aspects of malware analysis for Windows, Linux, macOS, and mobile platforms in detail, you’ll also get to grips with obfuscation, anti-debugging, and other advanced anti-reverse engineering techniques.

The skills you acquire in this cybersecurity book will help you deal with pretty much all types of modern malware, strengthening defenses and preventing or promptly mitigating breaches regardless of the platforms involved.

By the end of this book, you will have learned to efficiently analyze samples, investigate suspicious activity, and build innovative solutions to handle malware incidents.

Who this book is for

If you are a malware researcher, forensic analyst, IT security administrator, or anyone looking to secure against malicious software or investigate malicious code, this book is for you. This new edition is suited to all levels of knowledge, including complete beginners, but any prior exposure to programming or cybersecurity will further help speed up your learning process.

What this book covers

Chapter 1, Cybercrime, APT Attacks, and Research Strategies, dives into various types of attacks and associated malware, giving you an idea about attack stages and the logic behind them. In addition, we will learn different approaches and technologies that are universal to all platforms and help malware analysts do their jobs.

Chapter 2, A Crash Course in Assembly and Programming Basics, covers the basics of the most widely used architectures, from the well-known x86 and x64 Instruction Set Architectures (ISAs) to solutions powering multiple mobile and Internet of Things (IoT) devices that are often misused by malware families.

Chapter 3, Basic Static and Dynamic Analysis for x86/x64, covers the core fundamentals that you need to know in order to reverse engineer 32-bit and 64-bit malware on the Windows platform, focusing on file formats and basic concepts of static and dynamic analysis.

Chapter 4, Unpacking, Decryption, and Deobfuscation, teaches you how to identify packed samples, how to unpack them, how to deal with different encryption algorithms—from simple ones, such as sliding key encryption, to more complex algorithms, such as 3DES, AES, and RSA—and how to deal with API encryption, string encryption, and network traffic encryption.

Chapter 5, Inspecting Process Injection and API Hooking, explores various process injection techniques, including DLL injection and process hollowing (an advanced technique that was introduced by Stuxnet), and explains how to deal with them. Later, we will look at API hooking, IAT hooking, and other hooking techniques that are used by malware authors and how to handle them.

Chapter 6, Bypassing Anti-Reverse Engineering Techniques, covers various anti-reverse engineering techniques that malware authors use to protect their code against analysis. We will familiarize ourselves with various approaches, from detecting the debugger and other analysis tools to VM detection, even covering attacking anti-malware tools and products.

Chapter 7, Understanding Kernel-Mode Rootkits, digs deeper into the Windows kernel and its internal structure and mechanisms. We will cover different techniques used by malware authors to hide the presence of their malware from users and antivirus products.

Chapter 8, Handling Exploits and Shellcode, looks at the common types of vulnerabilities, the functions of shellcode and the various ways it can be implemented, exploit mitigation techniques and how attackers try to bypass them, and how to analyze MS Office and PDF malware.

Chapter 9, Reversing Bytecode Languages – .NET, Java, and More, looks at cross-platform compiled programs, whose beauty lies in their flexibility: you don’t need to port each program to different systems. In this chapter, we will take a look at how malware authors leverage these advantages for evil purposes and learn how to perform quick and efficient analyses of such samples.

Chapter 10, Scripts and Macros – Reversing, Deobfuscation, and Debugging, focuses on analyzing all types of malicious scripts, including but not limited to Batch and Bash, PowerShell, VBS, JavaScript, and different types of MS Office macros.

Chapter 11, Dissecting Linux and IoT Malware, focuses on malware for Linux and Unix-like systems. We will cover file formats that are used on these systems, go through various static and dynamic analysis techniques, and explain malware’s behavior using real-world examples.

Chapter 12, Introduction to macOS and iOS Threats, looks at various threats that target the users of macOS and iOS and explores how to analyze them.

Chapter 13, Analyzing Android Malware Samples, dives into the internals of the most popular mobile operating system in the world, explores existing and potential attack vectors, and provides detailed guidelines on how to analyze malware targeting Android users.

To get the most out of this book

Many more tools are mentioned throughout the book, with examples; the ones listed here are some of the most important.

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

The syntax of the IDA scripting language may change slightly over time. If something stops working, refer to the official documentation.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Mastering-Malware-Analysis-Second-edition. If there’s an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/uFbey.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: Notably, IDT was used to pass data to kernel mode in Windows 2000 and earlier before sysenter became the preferred method of doing this.

A block of code is set as follows:

push Arg02
push Arg01
call Func01

Any command-line input or output is written as follows:

sc create <service_name> type= own binpath= <path_to_executable>

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: In VirtualBox, open the VM's settings and go to the Serial Ports category.

Tips or Important Notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Mastering Malware Analysis, Second Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
