English [en], .pdf, 🚀/lgli/lgrs/nexusstc/zlib, 17.7MB, 📘 Book (non-fiction), nexusstc/Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware/64038862f90ed584201d1391de873cba.pdf
Learning Malware Analysis: Explore the Concepts, Tools, and Techniques to Analyze and Investigate Windows Malware
Packt Publishing, Limited, Packt Publishing, Birmingham, UK, 2018
K. A, Monnappa
description
Key Features
- Gets you up and running with the key concepts of malware analysis
- Learn the art of detecting, analyzing and investigating malware threats
- Practical use of malware analysis using different tools and techniques
- Learn the concepts using real-world examples

Book Description
Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics and incident response. With adversaries becoming sophisticated and carrying out advanced malware attacks on critical infrastructures, data centers, and private and public organizations, detecting, responding to and investigating such intrusions is critical to information security professionals. Malware analysis and memory forensics have become must-have skills for fighting advanced malware, targeted attacks and security breaches. This book teaches the concepts, techniques and tools to understand the behavior and characteristics of malware through malware analysis, and it also teaches the techniques to investigate and hunt malware using memory forensics. It introduces readers to the basics of malware analysis and Windows internals, and then gradually progresses into the more advanced concepts of code analysis and memory forensics.

This book uses real-world malware samples and infected memory images to help readers gain a better understanding of the subject, so that they will be equipped with the skills required to analyze, investigate and respond to malware-related incidents.

What you will learn
- Create a safe and isolated lab environment for malware analysis
- Tools, concepts and techniques to perform malware analysis using static, dynamic, code and memory analysis/forensics
- Extracting the metadata associated with malware
- Determining malware interaction with the system
- Reverse engineering and debugging using code analysis tools like IDA Pro and x64dbg
- Reverse engineering various malware functionalities
- Reverse engineering and decoding the common encoding/encryption algorithms
- Techniques to investigate and hunt malware using memory forensics
- Build a custom sandbox to automate malware analysis

Monnappa K A works with Cisco Systems as an information security investigator focusing on threat intelligence, investigation, and research of cyber espionage attacks. He is the author of the Limon sandbox used for analyzing Linux malware and winner of the Volatility memory forensics plugin contest 2016. He is the co-founder of the cyber security research community "Cysinfo". His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence. He has presented and conducted training at security conferences like Black Hat, FIRST, 4SICS-SCADA/ICS summit, DSCI/NASSCOM and Cysinfo events. He has also authored various articles in Hakin9, eForensics, and Hack[In]sight magazines.
Alternative filename
lgrsnf/Z:\Bibliotik_\16\2\%&Ovr1\2018 Monnappa K A-Learning Malware Analysis.pdf
Alternative filename
lgli/Z:\Bibliotik_\16\2\%&Ovr1\2018 Monnappa K A-Learning Malware Analysis.pdf
Alternative title
Malware Analysis: Exploring the Concepts, Tools, and Techniques for Analyzing and Investigating Windows Malware
Alternative author
Monappa K. A.; translated from English by D. A. Belikov
Alternative author
A, Monnappa K
Alternative author
Monnappa K. A
Alternative publisher
DMK Press
Alternative edition
United Kingdom and Ireland, United Kingdom
Alternative edition
Moscow, Russia, 2019
Alternative edition
Jun 29, 2018
metadata comments
lg2645766
metadata comments
{"isbns":["1788392507","9781788392501"],"last_page":510,"publisher":"Packt Publishing, Limited"}
metadata comments
Monappa, K. A. Learning Maiware Analysis Birmingham -Mumbai : Packt, cop. 2018 978-1-78839-250-1
metadata comments
RGB (Russian State Library)
metadata comments
Russian State Library [rgb] MARC:
=001 010414095
=005 20201009152138.0
=008 200713s2019\\\\ru\\\\\\\\\\\\000\0\rus\d
=017 \\ $a 6893-20 $b RuMoRGB
=020 \\ $a 978-5-97060-700-8 $c 200 экз.
=040 \\ $a RuMoRGB $b rus $e rcr
=041 1\ $a rus $h eng
=044 \\ $a ru
=084 \\ $a З973.2-018-5-05,07 $2 rubbk
=084 \\ $a З973.233-021.3,07 $2 rubbk
=100 1\ $a Монаппа, К. А.
=245 00 $a Анализ вредоносных программ : $b изучение концепции, инструментальные средства и методы анализа и исследования вредоносных программ для Windows $c Монаппа К. А. ; перевод с английского Д. А. Беликова
=260 \\ $a Москва $b ДМК Пресс $c 2019
=300 \\ $a 450 с. $b ил. $c 22 см
=336 \\ $a Текст (визуальный)
=337 \\ $a непосредственный
=534 \\ $a Monappa, K. A. $t Learning Maiware Analysis $c Birmingham -Mumbai : Packt, cop. 2018 $z 978-1-78839-250-1
=650 \7 $a Техника. Технические науки -- Энергетика. Радиоэлектроника -- Радиоэлектроника -- Вычислительная техника -- Электронные вычислительные машины (компьютеры) -- Теория. Исследования -- Программирование -- Пособие для специалистов $2 rubbk
=650 \7 $a Техника. Технические науки -- Энергетика. Радиоэлектроника -- Радиоэлектроника -- Вычислительная техника -- Электронные вычислительные машины (компьютеры) -- Цифровые электронные вычислительные машины. Программирование -- Специализированные компьютеры и системы. Отдельные информационные технологии -- Автоматическая обработка информации -- Безопасность информации -- Пособие для специалистов $2 rubbk
=852 \\ $a РГБ $b FB $j 2 20-46/171 $x 90
Alternative description
Cover --
Title Page --
Copyright and Credits --
Dedication --
Packt Upsell --
Contributors --
Table of Contents --
Preface --
Chapter 1: Introduction to Malware Analysis --
1. What Is Malware? --
2. What Is Malware Analysis? --
3. Why Malware Analysis? --
4. Types Of Malware Analysis --
5. Setting Up The Lab Environment --
5.1 Lab Requirements --
5.2 Overview Of Lab Architecture --
5.3 Setting Up And Configuring Linux VM --
5.4 Setting Up And Configuring Windows VM --
6. Malware Sources --
Summary --
Chapter 2: Static Analysis --
1. Determining the File Type --
1.1 Identifying File Type Using Manual Method --
1.2 Identifying File Type Using Tools --
1.3 Determining File Type Using Python --
2. Fingerprinting the Malware --
2.1 Generating Cryptographic Hash Using Tools --
2.2 Determining Cryptographic Hash in Python --
3. Multiple Anti-Virus Scanning --
3.1 Scanning the Suspect Binary with VirusTotal --
3.2 Querying Hash Values Using VirusTotal Public API --
4. Extracting Strings --
4.1 String Extraction Using Tools --
4.2 Decoding Obfuscated Strings Using FLOSS --
5. Determining File Obfuscation --
5.1 Packers and Cryptors --
5.2 Detecting File Obfuscation Using Exeinfo PE --
6. Inspecting PE Header Information --
6.1 Inspecting File Dependencies and Imports --
6.2 Inspecting Exports --
6.3 Examining PE Section Table And Sections --
6.4 Examining the Compilation Timestamp --
6.5 Examining PE Resources --
7. Comparing And Classifying The Malware --
7.1 Classifying Malware Using Fuzzy Hashing --
7.2 Classifying Malware Using Import Hash --
7.3 Classifying Malware Using Section Hash --
7.4 Classifying Malware Using YARA --
7.4.1 Installing YARA --
7.4.2 YARA Rule Basics --
7.4.3 Running YARA --
7.4.4 Applications of YARA --
Summary --
Chapter 3: Dynamic Analysis --
1. Lab Environment Overview --
2. System And Network Monitoring --
3. Dynamic Analysis (Monitoring) Tools --
3.1 Process Inspection with Process Hacker --
3.2 Determining System Interaction with Process Monitor --
3.3 Logging System Activities Using Noriben --
3.4 Capturing Network Traffic With Wireshark --
3.5 Simulating Services with INetSim --
4. Dynamic Analysis Steps --
5. Putting it All Together: Analyzing a Malware Executable --
5.1 Static Analysis of the Sample --
5.2 Dynamic Analysis of the Sample --
6. Dynamic-Link Library (DLL) Analysis --
6.1 Why Attackers Use DLLs --
6.2 Analyzing the DLL Using rundll32.exe --
6.2.1 Working of rundll32.exe --
6.2.2 Launching the DLL Using rundll32.exe --
Example 1 --
Analyzing a DLL With No Exports --
Example 2 --
Analyzing a DLL Containing Exports --
Example 3 --
Analyzing a DLL Accepting Export Arguments --
6.3 Analyzing a DLL with Process Checks --
Summary --
Chapter 4: Assembly Language and Disassembly Primer --
1. Computer Basics --
1.1 Memory --
1.1.1 How Data Resides In Memory --
1.2 CPU --
1.2.1 Machine Language --
1.3 Program Basics --
1.3.1 Program Compilation --
1.3.2 Program On Disk --
1.3.3 Program In Memory --
1.3.4 Program Disassembly (From Machine code To Assembly code) --
2. CPU Registers --
2.1 General-Purpose Registers --
2.2 Instruction Pointer (EIP) --
2.3 EFLAGS Register --
3. Data Transfer Instructions --
3.1 Moving a Constant Into Register --
3.2 Moving Values From Register To Register --
3.3 Moving Values From Memory To Registers --
3.4 Moving Values From Registers To Memory --
3.5 Disassembly Challenge --
3.6 Disassembly Solution --
4. Arithmetic Operations --
4.1 Disassembly Challenge --
4.2 Disassembly Solution --
5. Bitwise Operations --
6. Branching And Conditionals --
6.1 Unconditional Jumps --
6.2 Conditional Jumps --
6.3 If Statement --
6.4 If-Else Statement --
6.5 If-Elseif-Else Statement --
6.6 Disassembly Challenge --
6.7 Disassembly Solution --
7. Loops --
7.1 Disassembly Challenge --
7.2 Disassembly Solution --
8. Functions --
8.1 Stack --
8.2 Calling Function --
8.3 Returning From Function --
8.4 Function Parameters And Return Values --
9. Arrays And Strings --
9.1 Disassembly Challenge --
9.2 Disassembly Solution --
9.3 Strings --
9.3.1 String Instructions --
9.3.2 Moving From Memory To Memory (movsx) --
9.3.3 Repeat Instructions (rep) --
9.3.4 Storing Value From Register to Memory (stosx) --
9.3.5 Loading From Memory to Register (lodsx) --
9.3.6 Scanning Memory (scasx) --
9.3.7 Comparing Values in Memory (cmpsx) --
10. Structures --
11. x64 Architecture --
11.1 Analyzing 32-bit Executable On 64-bit Windows --
12. Additional Resources --
Summary --
Chapter 5: Disassembly Using IDA --
1. Code Analysis Tools --
2. Static Code Analysis (Disassembly) Using IDA --
2.1 Loading Binary in IDA --
2.2 Exploring IDA Displays --
2.2.1 Disassembly Window --
2.2.2 Functions Window --
2.2.3 Output Window --
2.2.4 Hex View Window --
2.2.5 Structures Window --
2.2.6 Imports Window --
2.2.7 Exports Window --
2.2.8 Strings Window --
2.2.9 Segments Window --
2.3 Improving Disassembly Using IDA --
2.3.1 Renaming Locations --
2.3.2 Commenting in IDA --
2.3.3 IDA Database --
2.3.4 Formatting Operands --
2.3.5 Navigating Locations --
2.3.6 Cross-References --
2.3.7 Listing All Cross-References --
2.3.8 Proximity View And Graphs --
3. Disassembling Windows API --
3.1 Understanding Windows API --
3.1.1 ANSI and Unicode API Functions --
3.1.2 Extended API Functions --
3.2 Windows API 32-Bit and 64-Bit Comparison --
4. Patching Binary Using IDA --
4.1 Patching Program Bytes --
4.2 Patching Instructions --
5. IDA Scripting and Plugins --
5.1 Executing IDA Scripts --
5.2 IDAPython --
5.2.1 Checking The Presence Of CreateFile API --
5.2.2 Code Cross-References to CreateFile Using IDAPython --
5.3 IDA Plugins --
Summary --
Chapter 6: Debugging Malicious Binaries --
1. General Debugging Concepts --
1.1 Launching And Attaching To Process --
1.2 Controlling Process Execution --
1.3 Interrupting a Program with Breakpoints --
1.4 Tracing Program Execution --
2. Debugging a Binary Using x64dbg --
2.1 Launching a New Process in x64dbg --
2.2 Attaching to an Existing Process Using x64dbg --
2.3 x64dbg Debugger Interface --
2.4 Controlling Process Execution Using x64dbg --
2.5 Setting a Breakpoint in x64dbg --
2.6 Debugging 32-bit Malware --
2.7 Debugging 64-bit Malware --
2.8 Debugging a Malicious DLL Using x64dbg --
2.8.1 Using rundll32.exe to Debug the DLL in x64dbg --
2.8.2 Debugging a DLL in a Specific Process --
2.9 Tracing Execution in x64dbg --
2.9.1 Instruction Tracing --
2.9.2 Function Tracing --
2.10 Patching in x64dbg --
3. Debugging a Binary Using IDA --
3.1 Launching a New Process in IDA --
3.2 Attaching to an Existing Process Using IDA --
3.3 IDA's Debugger Interface --
3.4 Controlling Process Execution Using IDA --
3.5 Setting a Breakpoint in IDA --
3.6 Debugging Malware Executables --
3.7 Debugging a Malicious DLL Using IDA --
3.7.1 Debugging a DLL in a Specific Process --
3.8 Tracing Execution Using IDA --
3.9 Debugger Scripting Using IDAPython --
3.9.1 Example --
Determining Files Accessed by Malware --
4. Debugging a .NET Application --
Summary --
Chapter 7: Malware Functionalities and Persistence --
1. Malware Functionalities --
1.1 Downloader --
1.2 Dropper --
1.2.1 Reversing a 64-bit Dropper --
1.3 Keylogger --
1.3.1 Keylogger Using GetAsyncKeyState() --
1.3.2 Keylogger Using SetWindowsHookEx() --
1.4 Malware Replication Via Removable Media --
1.5 Malware Command and Control (C2) --
1.5.1 HTTP Command and Control --
1.5.2 Custom Command and Control --
1.6 PowerShell-Based Execution --
1.6.1 PowerShell Command Basics --
1.6.2 PowerShell Scripts And Execution Policy --
1.6.2 Analyzing PowerShell Commands/Scripts --
1.6.3 How Attackers Use PowerShell --
2. Malware Persistence Methods --
2.1 Run Registry Key --
2.2 Scheduled Tasks --
2.3 Startup Folder --
2.4 Winlogon Registry Entries --
2.5 Image File Execution Options --
2.6 Accessibility Programs --
2.7 AppInit_DLLs --
2.8 DLL Search Order Hijacking --
2.9 COM hijacking --
2.10 Service --
Summary --
Chapter 8: Code Injection and Hooking --
1. Virtual Memory --
1.1 Process Memory Components (User Space) --
1.2 Kernel Memory Contents (Kernel Space) --
2. User Mode And Kernel Mode --
2.1 Windows API Call Flow --
3. Code Injection Techniques --
3.1 Remote DLL Injection --
3.2 DLL Injection Using APC (APC Injection) --
3.3 DLL Injection Using SetWindowsHookEx() --
3.4 DLL Injection Using The Application Compatibility Shim --
3.4.1 Creating A Shim --
3.4.2 Shim Artifacts --
3.4.3 How Attackers Use Shims --
3.4.4 Analyzing The Shim Database --
3.5 Remote Executable/Shellcode Injection --
3.6 Hollow Process Injection (Process Hollowing) --
4. Hooking Techniques --
4.1 IAT Hooking --
4.2 Inline Hooking (Inline Patching) --
4.3 In-memory Patching Using Shim --
5. Additional Resources --
Summary --
Chapter 9: Malware Obfuscation Techniques --
1. Simple Encoding --
1.1 Caesar Cipher --
1.1.1 Working Of Caesar Cipher --
1.1.2 Decrypting Caesar Cipher In Python --
1.2 Base64 Encoding --
1.2.1 Translating Data To Base64 --
1.2.2 Encoding And Decoding Base64 --
1.2.3 Decoding Custom Base64 --
1.2.4 Identifying Base64 --
1.3 XOR Encoding --
1.3.1 Single Byte XOR --
1.3.2 Finding XOR Key Through Brute-Force --
1.3.3 NULL Ignoring XOR Encoding --
1.3.4 Multi-byte XOR Encoding --
1.3.5 Identifying XOR Encoding --
2. Malware Encryption --
2.1 Identifying Crypto Signatures Using Signsrch --
2.2 Detecting Crypto Constants Using FindCrypt2.
Alternative description
Understand malware analysis and its practical implementation.

Key Features
- Explore the key concepts of malware analysis and memory forensics using real-world examples
- Learn the art of detecting, analyzing, and investigating malware threats
- Understand adversary tactics and techniques

Book Description
Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. With adversaries becoming sophisticated and carrying out advanced malware attacks on critical infrastructures, data centers, and private and public organizations, detecting, responding to, and investigating such intrusions is critical to information security professionals. Malware analysis and memory forensics have become must-have skills to fight advanced malware, targeted attacks, and security breaches. This book teaches you the concepts, techniques, and tools to understand the behavior and characteristics of malware through malware analysis. It also teaches you techniques to investigate and hunt malware using memory forensics. This book introduces you to the basics of malware analysis, and then gradually progresses into the more advanced concepts of code analysis and memory forensics. It uses real-world malware samples, infected memory images, and visual diagrams to help you gain a better understanding of the subject and to equip you with the skills required to analyze, investigate, and respond to malware-related incidents.

What You Will Learn
- Create a safe and isolated lab environment for malware analysis
- Extract the metadata associated with malware
- Determine malware's interaction with the system
- Perform code analysis using IDA Pro and x64dbg
- Reverse-engineer various malware functionalities
- Reverse engineer and decode common encoding/encryption algorithms
- Reverse-engineer malware code injection and hooking techniques
- Investigate and hunt malware using memory forensics

Who This Book Is For
This book is for incident responders, cyber-security investigators, system administrators, malware analysts, forensic practitioners, students, or curious security professionals interested in learning malware analysis and memory forensics. Knowledge of programming languages such as C and Python is helpful but is not mandatory. If you have written a few lines of code and have a basic understanding of programming concepts, you'll be able to get the most out of this book.
Alternative description
Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. This book teaches you the concepts, tools, and techniques to determine the behavior and characteristics of malware using malware analysis and memory forensics.
date open sourced
2020-07-26