- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- Praise for Practical Malware Analysis
- Warning
- About the Authors
- Foreword
- Acknowledgments
- Introduction
- 0. Malware Analysis Primer
- I. Basic Analysis
- Conclusion
- Labs
- 2. Malware Analysis in Virtual Machines
- 3. Basic Dynamic Analysis
- Sandboxes: The Quick-and-Dirty Approach
- Running Malware
- Monitoring with Process Monitor
- Viewing Processes with Process Explorer
- Comparing Registry Snapshots with Regshot
- Faking a Network
- Packet Sniffing with Wireshark
- Using INetSim
- Basic Dynamic Tools in Practice
- Conclusion
- Labs
- Lab 3-1
- Lab 3-2
- Lab 3-3
- Lab 3-4
- Questions
- II. Advanced Static Analysis
- 4. A Crash Course in x86 Disassembly
- 5. IDA Pro
- Using Cross-References
- Analyzing Functions
- Using Graphing Options
- Enhancing Disassembly
- Extending IDA with Plug-ins
- Conclusion
- Labs
- 6. Recognizing C Code Constructs in Assembly
- 7. Analyzing Malicious Windows Programs
- The Windows API
- The Windows Registry
- Networking APIs
- Following Running Malware
- Kernel vs. User Mode
- The Native API
- Labs
- Lab 7-1
- Lab 7-2
- Lab 7-3
- Questions
- III. Advanced Dynamic Analysis
- 8. Debugging
- 9. OllyDbg
- 10. Kernel Debugging with WinDbg
- Rootkits
- Loading Drivers
- Kernel Issues for Windows Vista, Windows 7, and x64 Versions
- Conclusion
- Labs
- Lab 10-1
- Lab 10-2
- Lab 10-3
- Questions
- IV. Malware Functionality
- 11. Malware Behavior
- 12. Covert Malware Launching
- 13. Data Encoding
- 14. Malware-Focused Network Signatures
- Network Countermeasures
- Safely Investigate an Attacker Online
- Content-Based Network Countermeasures
- Combining Dynamic and Static Analysis Techniques
- The Danger of Overanalysis
- Hiding in Plain Sight
- Understanding Surrounding Code
- Finding the Networking Code
- Knowing the Sources of Network Content
- Hard-Coded Data vs. Ephemeral Data
- Identifying and Leveraging the Encoding Steps
- Creating a Signature
- Analyze the Parsing Routines
- Targeting Multiple Elements
- Understanding the Attacker’s Perspective
- Conclusion
- Labs
- Lab 14-1
- Lab 14-2
- Lab 14-3
- Questions
- V. Anti-Reverse-Engineering
- 15. Anti-Disassembly
- 16. Anti-Debugging
- 17. Anti-Virtual Machine Techniques
OllyDbg has an easy (if undocumented) way to analyze shellcode. Follow these steps to use this approach:
Copy shellcode from a hex editor to the clipboard.
Within the memory map, select a memory region whose type is
Priv.(This is private memory assigned to the process, as opposed to the read-only executable images that are shared among multiple processes.)Double-click rows in the memory map to bring up a hex dump so you can examine the contents. This region should contain a few hundred bytes of contiguous zero bytes.
Right-click the chosen region in the Memory Map window, and select Set Access ▶ Full Access to give the region read, write, and execute permissions.
Return to the memory dump window. Highlight a region of zero-filled bytes large enough for the entire shellcode to fit, right-click the selection, and select Binary ▶ Binary Paste. This will paste the shellcode to the selected region.
Set the EIP register to the location of the memory you modified. (You can easily set the EIP register by right-clicking an instruction in the disassembler window and selecting New Origin Here.)
Now you can run, debug, and single-step through the shellcode, just as you would a normal program.
-
No Comment