Cover -- Title Page -- Copyright and Credits -- About Packt -- Contributors -- Table of Contents -- Preface -- Section 1: Fundamental Theory -- Chapter 1: A Crash Course in CISC/RISC and Programming Basics -- Basic concepts -- Registers -- Memory -- Virtual memory -- Stack -- Branches, loops, and conditions -- Exceptions, interrupts, and communicating with other devices -- Assembly languages -- CISC versus RISC -- Types of instructions -- Becoming familiar with x86 (IA-32 and x64) -- Registers -- Special registers -- The instruction structure -- opcode -- dest -- src -- The instruction set -- Data manipulation instructions -- Data transfer instructions -- Flow control instructions -- Arguments, local variables, and calling conventions (in x86 and x64) -- stdcall -- Arguments -- Local variables -- cdecl -- fastcall -- thiscall -- The x64 calling convention -- Exploring ARM assembly -- Basics -- Instruction sets -- Basics of MIPS -- Basics -- The instruction set -- Diving deep into PowerPC -- Basics -- The instruction set -- Covering the SuperH assembly -- Basics -- The instruction set -- Working with SPARC -- Basics -- The instruction set -- Moving from assembly to high-level programming languages -- Arithmetic statements -- If conditions -- While loop conditions -- Summary -- Section 2: Diving Deep into Windows Malware -- Chapter 2: Basic Static and Dynamic Analysis for x86/x64 -- Working with the PE header structure -- Why PE? -- Exploring PE structure -- MZ header -- PE header -- File header -- Optional header -- Data directory -- Section table -- PE+ (x64 PE) -- PE header analysis tools -- Static and dynamic linking -- Static linking -- Dynamic linking -- Dynamic link libraries -- Application programming interface -- Dynamic API loading -- Using PE header information for static analysis -- How to use PE header for incident handling.

How to use a PE header for threat intelligence -- PE loading and process creation -- Basic terminology -- What's process? -- Virtual memory to physical memory mapping -- Threads -- Important data structures: TIB, TEB, and PEB -- Process loading step by step -- PE file loading step by step -- WOW64 processes -- Dynamic analysis with OllyDbg/Immunity Debugger -- Debugging tools -- How to analyze a sample with OllyDbg -- Types of breakpoints -- Step into/step over breakpoint -- INT3 breakpoint -- Memory breakpoints -- Hardware breakpoints -- Modifying the program execution -- Patching-modifying the program's assembly instructions -- Change EFlags -- Modifying the instruction pointer value -- Changing the program data -- Debugging malicious services -- What is service? -- Attaching to the service -- Summary -- Chapter 3: Unpacking, Decryption, and Deobfuscation -- Exploring packers -- Exploring packing and encrypting tools -- Identifying a packed sample -- Technique 1 - checking PE tool static signatures -- Technique 2 - evaluating PE section names -- Technique 3 - using stub execution signs -- Technique 4 - detecting a small import table -- Automatically unpacking packed samples -- Technique 1 - the official unpacking process -- Technique 2 - using OllyScript with OllyDbg -- Technique 3 - using generic unpackers -- Technique 4 - emulation -- Technique 5 - memory dumps -- Manual unpacking using OllyDbg -- Technique 6 - memory breakpoint on execution -- Step 1 - setting the breakpoints -- Step 2 - turning on Data Execution Prevention -- Step 3 - preventing any further attempts to change memory permissions -- Step 4 - executing and getting the OEP -- Technique 7 - call stack backtracing -- Step 1 - setting the breakpoints -- Step 2 - following the call stack -- Step 3 - reaching the OEP -- Technique 8 - monitoring memory allocated spaces for unpacked code.

Technique 9 - in-place unpacking -- Technique 10 - stack restoration-based -- Dumping the unpacked sample and fixing the import table -- Dumping the process -- Fixing the import table -- Identifying different encryption algorithms and functions -- Types of encryption algorithms -- Basic encryption algorithms -- How to identify encryption functions -- String search detection techniques for simple algorithms -- The basics of X-RAYING -- Simple static encryption -- Other encryption algorithms -- X-RAYING tools for malware analysis and detection -- Identifying the RC4 encryption algorithm -- The RC4 encryption algorithm -- Key-scheduling algorithm -- Pseudo-random generation algorithm -- Identifying RC4 algorithms in a malware sample -- Standard symmetric and asymmetric encryption algorithms -- Extracting information from Windows cryptography APIs -- Step 1 - initializing and connecting to the cryptographic service provider (CSP) -- Step 2 - preparing the key -- Step 3 - encrypting or decrypting the data -- Step 4 - freeing the memory -- Cryptography API next generation (CNG) -- Applications of encryption in modern malware - Vawtrak banking Trojan -- String and API name encryption -- Network communication encryption -- Using IDA for decryption and unpacking -- IDA tips and tricks -- Static analysis -- Dynamic analysis -- Classic and new syntax of IDA scripts -- Dynamic string decryption -- Dynamic WinAPIs resolution -- Summary -- Chapter 4: Inspecting Process Injection and API Hooking -- Understanding process injection -- What's process injection? -- Why process injection? -- DLL injection -- Windows-supported DLL injection -- A simple DLL injection technique -- Working with process injection -- Getting the list of running processes -- Code injection -- Advanced code injection-reflective DLL injection -- Stuxnet secret technique-process hollowing.

Dynamic analysis of code injection -- Technique 1-debug it where it is -- Technique 2-attach to the targeted process -- Technique 3-dealing with process hollowing -- Memory forensics techniques for process injection -- Technique 1-detecting code injection and reflective DLL injection -- Technique 2-detecting process hollowing -- Technique 3-detecting process hollowing using the HollowFind plugin -- Understanding API hooking -- Why API hooking? -- Working with API hooking -- Inline API hooking -- Inline API hooking with trampoline -- Inline API hooking with a length disassembler -- Detecting API hooking using memory forensics -- Exploring IAT hooking -- Summary -- Chapter 5: Bypassing Anti-Reverse Engineering Techniques -- Exploring debugger detection -- Direct check for debugger presence -- Detecting a debugger through an environment change -- Detecting a debugger using parent processes -- Handling debugger breakpoints evasion -- Detecting software breakpoints (INT3) -- Detecting single-stepping breakpoints (trap flag) -- Detecting a trap flag using the SS register -- Detecting single-stepping using timing techniques -- Evading hardware breakpoints -- What is structured exception handling? -- Detecting and removing hardware breakpoints -- Memory breakpoints -- Escaping the debugger -- Process injection -- TLS callbacks -- Windows events callbacks -- Obfuscation and anti-disassemblers -- Encryption -- Junk code insertion -- Code transportation -- Dynamic API calling with checksum -- Proxy functions and proxy argument stacking -- Detecting and evading behavioral analysis tools -- Finding the tool process -- Searching for the tool window -- Detecting sandboxes and virtual machines -- Different output between virtual machines and real machines -- Detecting virtualization processes and services -- Detecting virtualization through registry keys.

Detecting virtual machines using PowerShell -- Detecting sandboxes by using default settings -- Other techniques -- Summary -- Chapter 6: Understanding Kernel-Mode Rootkits -- Kernel mode versus user mode -- Protection rings -- Windows internals -- The infrastructure of Windows -- The execution path from user mode to kernel mode -- Rootkits and device drivers -- What is a rootkit? -- Types of rootkits -- What is a device driver? -- Hooking mechanisms -- SSDT hooking -- Hooking the SYSENTER entry function -- Modifying SSDT in an x86 environment -- Modifying SSDT in an x64 environment -- Hooking SSDT functions -- IRP hooking -- Devices and major functions -- Attaching to a device -- Modifying the IRP response and setting a completion routine -- DKOM -- The kernel objects-EPROCESS and ETHREAD -- How do rootkits perform an object manipulation attack? -- Process injection in kernel mode -- Executing the inject code using APC queuing -- KPP in x64 systems (PatchGuard) -- Bypassing driver signature enforcement -- Bypassing PatchGuard-the Turla example -- Bypassing PatchGuard-GhostHook -- Disabling PatchGuard using the Command Prompt -- Static and dynamic analysis in kernel mode -- Static analysis -- Tools -- Tips and tricks -- Dynamic and behavioral analysis -- Tools -- Monitors -- Rootkit detectors -- Setting up a testing environment -- Setting up the debugger -- Stopping at the driver's entry point -- Loading the driver -- Restoring the debugging state -- Summary -- Section 3: Examining Cross-Platform Malware -- Chapter 7: Handling Exploits and Shellcode -- Getting familiar with vulnerabilities and exploits -- Types of vulnerabilities -- Stack overflow vulnerability -- Heap overflow vulnerabilities -- The use-after-free vulnerability -- Logical vulnerabilities -- Types of exploits -- Cracking the shellcode -- What's shellcode? -- Linux shellcode in x86-64.

Malware analysis is a powerful investigation technique widely used in various security areas including digital forensics and incident response processes. Working through practical examples, you'll be able to analyze any type of malware you may encounter within the modern world.