Preface

The cyber world is changing rapidly nowadays, and many old threats are no longer relevant. There are multiple reasons for this, but mainly, it is due to the fact that the environment of systems that we use is constantly evolving, just like the new methods to achieve malicious goals. In this book, we will place a strong emphasis on modern malware threats, which are on the increase presently. Over the last few years, the malware landscape has evolved dramatically, from basic IRC botnets to Advanced Persistent Threats (APT) and state-sponsored malware that targets activists, steals blueprints, or even attacks nuclear reactors. And cybercrime has evolved to be a multi-million dollar business, from credit/debit card thefts to SWIFT banking hijacking, Point-of-Sale (POS) malware, and ransomware. With all of this, the world is seeing an increased demand for highly skilled malware researchers to cope with this level of threats and to be able to create the next generation of security protection technologies.

Virtually any programming language can be used to write a piece of code that will later be used for malicious purposes, so at first, the book covers universal basic knowledge, applicable to any situation. As Windows is still the most prevalent operating system in the world, it is no surprise that the vast majority of malicious code is written for it, so the next few chapters will cover this platform in detail. Then, since attackers tend to use programming languages that are both popular (so there is a higher probability they already know it) and supported by the target victim's system, the book will help you become familiar with the most common examples of them. Finally, as the targeted systems were expanded relatively recently with the emergence of Internet of Things (IoT) malware and new mobile platforms, we will also teach you how to analyze these emerging threats.

The main goal of this book is to give the reader a set of practical recipes that can quickly be applied for analyzing virtually any type of malware they may encounter within the modern world, whether the purpose is to confirm its main functionality or extract relevant Indicators of Compromise (IOCs) for further investigation. This knowledge can be used in multiple ways, such as estimating potential losses, properly applying remediation policies, strengthening the environment, or even for general research or educational purposes.

Who this book is for

If you are an IT security administrator, forensic analyst, or malware researcher looking at securing systems from malicious software, or investigating malicious code, then this book is for you. Prior programming experience and some understanding of malware attacks and investigation would do wonders.

What this book covers

Chapter 1, A Crash Course in CISC/RISC and Programming Basics, offers an insight into all widely used assembly languages, providing foundational knowledge to facilitate further reverse engineering efforts. While many security professionals spend most of their time reversing threats for the IA-32 (x86) platform on Windows as the prevalent source of threats nowadays, other platforms are increasingly gaining in popularity because of a changing landscape of the systems we use: from desktop to mobile, from IA-32 to x64. The main purpose of this part is to show the reader that there is pretty much the same logic behind any assembly language, and moving from one to another is not a problem, as long as you get the general idea of how they work.

Chapter 2, Basic Static and Dynamic Analysis for x86/x64, dives deeper into Windows executable files' inner structure, covering the PE header, PE loading, process and thread creation, and communication between the operating system and this newly created process. This chapter also covers the basic static and dynamic analysis of a malicious sample, and teaches you how to debug and alter its execution path and behavior.

Chapter 3, Unpacking, Decryption, and Deobfuscation, sharpens readers' skills to handle packed and encrypted malware for Windows, and all of the techniques that malware authors use to protect their samples against inexperienced reverse engineers. This chapter covers malware packed with various types of packers, as well as detection and unpacking using various simple and advanced techniques. It also covers encryption algorithms, from simple XOR algorithms to advanced ones, such as 3DES and AES encryption, used to protect important information such as strings and APIs (especially those related to C&C communications), as well as extra modules.

Chapter 4, Inspecting Process Injection and API Hooking, covers advanced techniques implemented in multiple APT, state-sponsored, and widespread cybercrime attacks, from basic process injection to process hollowing and API hooking. In addition, it explains the motivations behind using these techniques, how they work, and how to analyze and work around them.

Chapter 5, Bypassing Anti-Reverse Engineering Techniques, offers a guide to various anti-reverse engineering techniques that malware authors use to protect their samples and thus slow down the reverse engineering process. This chapter reveals many of these techniques, from detecting the debugger and other analysis tools to breakpoint detection, virtual machine (VM) detection, and even attacking the anti-malware tools and products. It also covers the VM and sandbox detection techniques that malware authors use to avoid the spam detection and automatic malware detection techniques implemented in various enterprises.

Chapter 6, Understanding Kernel-Mode Rootkits, digs deeper into the Windows kernel and its internal structures and mechanisms. We will be covering different techniques used by malware authors to hide their malware's presence from users and antivirus products. We will be looking at different advanced kernel-mode hooking techniques, process injection from kernel mode, and how to perform static and dynamic analysis in kernel mode.

Chapter 7, Handling Exploits and Shellcode, gives the reader an idea of how exploits work in general, discussing the logic behind position-independent code. In addition, we will provide practical tips and tricks on how to analyze the most common file types associated with exploits that are actively used in modern attacks today.

Chapter 8, Reversing Bytecode Languages: .NET, Java, and More, introduces the reader to cross-platform-compiled programs that don't need to be ported to different systems. Here, we will take a look at how malware authors try to leverage these advantages for malign purposes. In addition, the reader will be provided with an arsenal of tools and techniques whose aim is to make the analysis quick and efficient.

Chapter 9, Scripts and Macros: Reversing, Deobfuscation, and Debugging, discusses script- and macro-based threats. The web incorporated scripting languages a long time ago, and nowadays, other scripting languages are also becoming increasingly popular in various projects, from proofs of concept and prototypes to production-level systems. This chapter will provide an overview of various techniques that script malware authors incorporate in order to complicate the analysis and prolong the infection, and how these can be dealt with.

Chapter 10, Dissecting Linux and IoT Malware, is a hands-on guide to analyzing Linux threats, which have become increasingly popular with the growing popularity of IoT devices commonly powered by Linux. Once it became clear that these systems are often less resistant to infection due to multiple historical factors, and that it is possible to monetize these weaknesses, the current IoT malware trend emerged. This chapter is dedicated to reverse engineering various pieces of Linux malware, from the now-classic Mirai and its recent modifications to more sophisticated cases.

Chapter 11, Introduction to macOS and iOS Threats, is dedicated to reverse engineering techniques applicable to Apple platforms. Once considered virtually immune to any infection, nowadays we see more and more attempts to compromise the security of the users of these platforms. While still relatively immature, the significance of this trend shouldn't be underestimated, especially with the rise of APT attacks.

Chapter 12, Analyzing Android Malware Samples, teaches the reader how to deal with Android malware, walking through the most common patterns and providing detailed guidelines on how to analyze them. As our lives become more and more dynamic, the world is gradually shifting from desktop to mobile systems. As a result, more and more of our valuable data, from personal information to financial access codes, is stored on phones and tablets, which eventually attracts malicious actors and thereby creates a demand for reverse engineers experienced with this platform.

To get the most out of this book

As a bare minimum, this book requires strong IT knowledge. We have done our best to explain all important terms and notions so the reader won't have to switch back and forth between the book and the internet, but some topics covered may be quite advanced, with a high level of technical detail. Therefore, any reverse engineering experience, while not mandatory, will be an advantage.

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at www.packt.com.
  2. Select the SUPPORT tab.
  3. Click on Code Downloads & Errata.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Mastering-Malware-Analysis. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789610789_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "One of these techniques is by using NtGlobalFlag."

A block of code is set as follows:

mov qword ptr [rsp+8],rcx
mov qword ptr [rsp+10h],rdx
mov qword ptr [rsp+18h],r8
mov qword ptr [rsp+20h],r9
pushfq
sub rsp,30h
cli
mov rcx,qword ptr gs:[20h]
add rcx,120h
call nt!RtlCaptureContext

Any command-line input or output is written as follows:

.shell -ci "uf /c nt!IopLoadDriver" grep -B 1 -i "call.*ptr [.*h"

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "It can be restored by selecting the View | Graph Overview option."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.
