The Antivirus Hacker's Handbook
by Elias Bachaalany, Joxean Koret

Contents
Introduction
Overview of the Book and Technology
How This Book Is Organized
Who Should Read This Book
Tools You Will Need
What's on the Wiley Website
Summary (From Here, Up Next, and So On)
Part I: Antivirus Basics
Chapter 1: Introduction to Antivirus Software
What Is Antivirus Software?
Antivirus Software: Past and Present
Antivirus Scanners, Kernels, and Products
Typical Misconceptions about Antivirus Software
Antivirus Features
Summary
Chapter 2: Reverse-Engineering the Core
Reverse-Engineering Tools
Debugging Tricks
Porting the Core
A Practical Example: Writing Basic Python Bindings for Avast for Linux
A Practical Example: Writing Native C/C++ Tools for Comodo Antivirus for Linux
Other Components Loaded by the Kernel
Summary
Chapter 3: The Plug-ins System
Understanding How Plug-ins Are Loaded
Types of Plug-ins
Some Advanced Plug-ins
Summary
Chapter 4: Understanding Antivirus Signatures
Typical Signatures
Advanced Signatures
Summary
Chapter 5: The Update System
Understanding the Update Protocols
Dissecting an Update Protocol
When Protection Is Done Wrong
Summary
Part II: Antivirus Software Evasion
Chapter 6: Antivirus Software Evasion
Who Uses Antivirus Evasion Techniques?
Discovering Where and How Malware Is Detected
Summary
Chapter 7: Evading Signatures
File Formats: Corner Cases and Undocumented Cases
Evading a Real Signature
Evasion Tips and Tricks for Specific File Formats
Summary
Chapter 8: Evading Scanners
Generic Evasion Tips and Tricks
Automating Evasion of Scanners
Summary
Chapter 9: Evading Heuristic Engines
Heuristic Engine Types
Summary
Chapter 10: Identifying the Attack Surface
Understanding the Local Attack Surface
Incorrect Access Control Lists
Understanding the Remote Attack Surface
Summary
Chapter 11: Denial of Service
Local Denial-of-Service Attacks
Remote Denial-of-Service Attacks
Summary
Part III: Analysis and Exploitation
Chapter 12: Static Analysis
Performing a Manual Binary Audit
Summary
Chapter 13: Dynamic Analysis
Fuzzing
Summary
Chapter 14: Local Exploitation
Exploiting Backdoors and Hidden Features
Finding Invalid Privileges, Permissions, and ACLs
Searching Kernel-Land for Hidden Features
More Logical Kernel Vulnerabilities
Summary
Chapter 15: Remote Exploitation
Implementing Client-Side Exploitation
Server-Side Exploitation
Summary
Part IV: Current Trends and Recommendations
Chapter 16: Current Trends in Antivirus Protection
Matching the Attack Technique with the Target
Targeting Governments and Big Companies
Summary
Chapter 17: Recommendations and the Possible Future
Recommendations for Users of Antivirus Products
Recommendations for Antivirus Vendors
Summary
End User License Agreement

List of Illustrations
Chapter 1: Introduction to Antivirus Software
Figure 1.1 A false positive generated with Comodo Internet Security and the de facto reverse-engineering tool IDA
Chapter 2: Reverse-Engineering the Core
Figure 2.1 F-Secure for Windows library fm4av.dll as displayed in IDA
Figure 2.2 F-Secure for Linux library libfmx-linux32.so as seen in IDA
Figure 2.3 Importing symbols from Linux to Windows
Figure 2.4 Disassembly of Comodo for Linux library libPE32.so showing full symbols
Figure 2.5 How to disable the 360AntiHacker driver
Figure 2.6 The WinDbg debugger
Figure 2.7 Setting up kernel debugging on Windows 7 with bcdedit
Figure 2.8 Setting up debugging in VirtualBox
Figure 2.9 Ikarus t3 Scan running in Linux with Wine
Figure 2.10 A list of functions and disassembly of the scan_path function in the “scan” tool from Avast
Chapter 5: The Update System
Figure 5.1 The main GUI of Comodo Antivirus for Linux
Figure 5.2 Comodo offers an Update Virus Database option for the Linux GUI
Figure 5.3 Wireshark shows a trace of a signature's updating check
Figure 5.4 Request made to the Comodo web servers to download updates
Figure 5.5 The recorded trace checking for new Comodo product files
Figure 5.6 XML file to update Comodo software for Linux
Figure 5.7 Tracing the download of the libSCRIPT.so component
Chapter 7: Evading Signatures
Figure 7.1 The AVC tool unpacking the Kaspersky daily.avc signatures file
Figure 7.2 Files and directories created after unpacking
Figure 7.3 Generic detection for uncovering some CVE-2010-3333 exploits
Figure 7.4 Pseudo-code for the _decode routine
Figure 7.5 Obfuscated JavaScript code
Chapter 8: Evading Scanners
Figure 8.1 FlyStudio malware disassembled code
Figure 8.2 IDA showing more disassembling from the FlyStudio malware
Figure 8.3 A partial function from FlyStudio
Figure 8.4 The main function's flow graph in FlyStudio
Figure 8.5 MultiAV home page
Figure 8.6 Antivirus results
Chapter 9: Evading Heuristic Engines
Figure 9.1 The heuristic functions in IDA
Figure 9.2 The Comodo HIPS engine without ASLR injected into Firefox
Figure 9.3 List of IRQLs
Chapter 10: Identifying the Attack Surface
Figure 10.1 Bitdefender Security Service without ASLR enabled for most libraries, as well as the main executable program
Figure 10.2 A set of three libraries without ASLR enabled, injected in the Firefox browser's memory space
Figure 10.3 No ACL is set for the KIS event object, and WinObj warns that anybody can take control of the object.
Figure 10.4 This is an example of the Panda process SrvLoad running as SYSTEM with the highest integrity level and without any ACL set. This vulnerability was reported by the author and fixed in 2014.
Figure 10.5 This list of functions is exported by the library pavshdl.dll.
Figure 10.6 This secret UUID can be used to disable the shield.
Chapter 11: Denial of Service
Figure 11.1 Slide from the “Breaking AV Software” talk at SyScan 2014 showing an antivirus program affected by the compression bombs bug
Figure 11.2 VirusTotal results showing time outs in two antivirus programs
Figure 11.3 VirusTotal error message trying to analyze a 32GB dummy file compressed with XAR
Figure 11.4 Proofs-of-concepts exploiting DoS bugs
Chapter 12: Static Analysis
Figure 12.1 The library libfm.so opened in IDA Pro
Figure 12.2 Find the code references to FMAlloc(uint).
Chapter 13: Dynamic Analysis
Figure 13.1 Final configuration of the Nightmare fuzzing suite
Figure 13.2 Starting a new fuzzing project in Nightmare
Figure 13.3 Finding samples with the Nightmare fuzzing suite
Figure 13.4 View your fuzzing statistics.
Figure 13.5 View your fuzzing results.
Chapter 14: Local Exploitation
Figure 14.1 Panda's shield prevented termination of a Panda process using the Task Manager.
Figure 14.2 Call graph of ProcProt!Func_0056
Figure 14.3 Security properties of the WebProxy.exe process
Figure 14.4 User interface of the RemoteDLL injector tool
Figure 14.5 Panda blocks your attempt to inject a DLL.
Figure 14.6 Panda is successfully owned.
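The Chapter 11 figures (11.1 to 11.3) concern compression bombs: archives of a few kilobytes that inflate to gigabytes and make a scanner time out or exhaust disk. The script below is an added example, not code from the book or its authors. It shows the two-stage triage check an engine (or an analyst pre-screening samples) would want before inflating an archive: a cheap pass over the sizes declared in the ZIP central directory, then inflation under a hard output budget, because the declared sizes can be forged and must not be trusted on their own. The thresholds, function names and the two in-memory sample archives are all constructed for this example; nothing here is a vendor's actual logic.

```python
"""Pre-scan triage for compression bombs (constructed example, not the book's code).

An AV engine that inflates every archive member before scanning can be made to
burn CPU and disk on a few kilobytes of input. Two cheap defences: compare the
sizes declared in the central directory, then enforce a hard output budget while
actually inflating, since the declared sizes can be forged.
"""
import io
import zipfile

# Thresholds are assumptions for this example, not values from the book.
MAX_RATIO = 100.0                 # declared uncompressed:compressed ratio per member
MAX_TOTAL = 64 * 1024 * 1024      # total bytes we are willing to inflate
CHUNK = 64 * 1024                 # read granularity while inflating


def build_archive(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def inflate_with_budget(zf, info, budget):
    """Inflate one member, stopping as soon as output exceeds `budget` bytes.

    Returns (bytes_produced, completed). Deliberately ignores info.file_size,
    which an attacker controls.
    """
    produced = 0
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return produced, True
            produced += len(chunk)
            if produced > budget:
                return produced, False


def assess_archive(data, max_ratio=MAX_RATIO, max_total=MAX_TOTAL):
    """Return {"safe": bool, "reasons": [...], "inflated": int} for a ZIP blob."""
    reasons = []
    inflated = 0
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return {"safe": False, "reasons": [f"not a valid ZIP: {exc}"], "inflated": 0}
    with zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        # Pass 1: cheap checks on central-directory metadata (attacker-controlled).
        declared_total = sum(i.file_size for i in entries)
        if declared_total > max_total:
            reasons.append(f"declared total {declared_total} B exceeds budget {max_total} B")
        for info in entries:
            if info.compress_size:
                ratio = info.file_size / info.compress_size
            else:
                ratio = float("inf") if info.file_size else 0.0
            if ratio > max_ratio:
                reasons.append(f"{info.filename}: declared ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
            if info.filename.lower().endswith((".zip", ".gz", ".xz", ".bz2", ".7z", ".rar", ".xar")):
                reasons.append(f"{info.filename}: nested archive, recursion depth must be capped")
        # Pass 2: inflate under a hard budget so forged headers cannot bypass pass 1.
        for info in entries:
            produced, done = inflate_with_budget(zf, info, max_total - inflated)
            inflated += produced
            if not done:
                reasons.append(f"{info.filename}: aborted inflate after {inflated} B (budget {max_total} B)")
                break
    return {"safe": not reasons, "reasons": reasons, "inflated": inflated}


# Constructed samples: a benign archive and a small bomb-like one (16 MiB of zeros).
BENIGN = build_archive({"readme.txt": b"harmless text\n" * 20,
                        "data.bin": bytes(range(256)) * 4})
BOMB = build_archive({"zeros.bin": b"\x00" * (16 * 1024 * 1024),
                      "readme.txt": b"looks harmless\n"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("bomb", BOMB)):
        verdict = assess_archive(blob)
        print(f"{label}: {len(blob)} B on disk, safe={verdict['safe']}")
        for reason in verdict["reasons"]:
            print("  -", reason)
```

The second pass is the one that matters for a real engine: pass 1 only catches honest headers, while the budgeted inflate bounds the damage regardless of what the central directory claims. A production scanner would apply the same budget recursively to nested archives and to other container formats; this example flags nested archives rather than descending into them.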