Practical Malware Analysis

The Hands-On Guide to Dissecting Malicious Software

by Michael Sikorski and Andrew Honig

February 2012, 800 pp.

ISBN-13:

9781593272906

"The book every malware analyst should keep handy."
—Richard Bejtlich, CSO of Mandiant & Founder of TaoSecurity

Malware analysis is big business, and attacks can cost a company dearly. When malware breaches your defenses, you need to act quickly to cure current infections and prevent future ones from occurring.

For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you'll be able to safely analyze, debug, and disassemble any malicious software that comes your way.

You'll learn how to:

Set up a safe virtual environment to analyze malware
Quickly extract network signatures and host-based indicators
Use key analysis tools like IDA Pro, OllyDbg, and WinDbg
Overcome malware tricks like obfuscation, anti-disassembly, anti-debugging, and anti-virtual machine techniques
Use your newfound knowledge of Windows internals for malware analysis
Develop a methodology for unpacking malware and get practical experience with five of the most popular packers
Analyze special cases of malware with shellcode, C++, and 64-bit code

Hands-on labs throughout the book challenge you to practice and synthesize your skills as you dissect real malware samples, and pages of detailed dissections offer an over-the-shoulder look at how the pros do it. You'll learn how to crack open malware to see how it really works, determine what damage it has done, thoroughly clean your network, and ensure that the malware never comes back.

Malware analysis is a cat-and-mouse game with rules that are constantly changing, so make sure you have the fundamentals. Whether you're tasked with securing one network or a thousand networks, or you're making a living as a malware analyst, you'll find what you need to succeed in Practical Malware Analysis.

Author Bio

Michael Sikorski is a malware analyst, researcher, and security consultant at Mandiant. His previous employers include the National Security Agency and MIT Lincoln Laboratory. Mike frequently teaches malware analysis to a variety of audiences including the FBI and Black Hat.

Andrew Honig is an Information Assurance Expert for the Department of Defense. He teaches courses on software analysis, reverse engineering, and Windows system programming. Andy is publicly credited with several zero-day exploits in VMware's virtualization products.

Table of contents

Introduction
Chapter 0: Malware Analysis Primer

Part 1: Basic Analysis
Chapter 1: Basic Static Techniques
Chapter 2: Malware Analysis in Virtual Machines
Chapter 3: Basic Dynamic Analysis

Part 2: Advanced Static Analysis
Chapter 4: A Crash Course in x86 Disassembly
Chapter 5: IDA Pro
Chapter 6: Recognizing C Code Constructs in Assembly
Chapter 7: Analyzing Malicious Windows Programs

Part 3: Advanced Dynamic Analysis
Chapter 8: Debugging
Chapter 9: OllyDbg
Chapter 10: Kernel Debugging with WinDbg

Part 4: Malware Functionality
Chapter 11: Malware Behavior
Chapter 12: Covert Malware Launching
Chapter 13: Data Encoding
Chapter 14: Malware-Focused Network Signatures

Part 5: Anti-Reverse-Engineering
Chapter 15: Anti-Disassembly
Chapter 16: Anti-Debugging
Chapter 17: Anti-Virtual Machine Techniques
Chapter 18: Packers and Unpacking

Part 6: Special Topics
Chapter 19: Shellcode Analysis
Chapter 20: C++ Analysis
Chapter 21: 64-Bit Malware

Appendix A: Important Windows Functions
Appendix B: Tools for Malware Analysis
Appendix C: Solutions to Labs

View the detailed Table of Contents (PDF)
View the Index (PDF)

Reviews

"Digital Forensics Book of the Year" - 2013 Forensic 4cast Awards

"A hands-on introduction to malware analysis. I'd recommend it to anyone who wants to dissect Windows malware."
—Ilfak Guilfanov, Creator of IDA Pro

"The book every malware analyst should keep handy."
—Richard Bejtlich, CSO of Mandiant & Founder of TaoSecurity

"This book does exactly what it promises on the cover; it's crammed with detail and has an intensely practical approach, but it's well organised enough that you can keep it around as handy reference."
—Mary Branscombe, ZDNet (Read More)

"If you're starting out in malware analysis, or if you are are coming to analysis from another discipline, I'd recommend having a nose."
—Paul Baccas, Naked Security from Sophos (Read More)

"An excellent crash course in malware analysis."
—Dino Dai Zovi, Independent Security Consultant

"The most comprehensive guide to analysis of malware, offering detailed coverage of all the essential skills required to understand the specific challenges presented by modern malware."
—Chris Eagle, Senior Lecturer of Computer Science at the Naval Postgraduate School

"A great introduction to malware analysis. All chapters contain detailed technical explanations and hands-on lab exercises to get you immediate exposure to real malware."
—Sebastian Porst, Google Software Engineer

"Brings reverse engineering to readers of all skill levels. Technically rich and accessible, the labs will lead you to a deeper understanding of the art and science of reverse engineering. I strongly recommend this book for beginners and experts alike. I strongly believe this will become the defacto text for learning malware analysis in the future."
—Danny Quist, PhD, Founder of Offensive Computing

“An awesome book. . . written by knowledgeable authors who possess the rare gift of being able to communicate their knowledge through the written word.”
—Richard Austin, IEEE Cipher (Read More)

"If you only read one malware book or are looking to break into the world of malware analysis, this is the book to get."
—Patrick Engebretson, IA Professor at Dakota State University and Author of The Basics of Hacking and Pen Testing

"An excellent addition to the course materials for an advanced graduate level course on Software Security or Intrusion Detection Systems. The labs are especially useful to students in teaching the methods to reverse engineer, analyze and understand malicious software."
—Sal Stolfo, Professor, Columbia University

"The explanation of the tools is clear, the presentation of the process is lucid, and the actual detective work fascinating. All presented clearly and hitting just the right level so that developers with no previous experience in this particular area can participate fully. Highly recommended."
—Dr. Dobb's (Read More)

"This book is like having your very own personal malware analysis teacher without the expensive training costs."
—Dustin Schultz, TheXploit (Read More)

"I highly recommend this book to anyone looking to get their feet wet in malware analysis or just looking for a good desktop reference on the subject."
—Pete Arzamendi, 403 Labs (Read More)

“I do not see how anyone who has hands-on responsibility for security of Windows systems can rationalize not being familiar with these tools.”
—Stephen Northcutt, SANS Institute (Read More)

"Practical Malware Analysis is another book that should be within reaching distance in anyone’s DFIR shop. I went ahead and purchased PMA hoping the book would improve my knowledge and skills when faced with malware. What I ended up with was knowledge, a process and tools I can use to analyze any program I encounter. PMA gets a five star review (5 out of 5)."
—Journey Into Incident Response (Read More)

“Highly recommend it to those looking to enter the malware analysis field.”
—Linux Ninja (Read More)

"If you are a beginner to this hacking field, then this book will be an excellent choice for you."
—Hackerzzz

"I cannot recommend it enough."
—Tony Robinson, Security Boulevard

Selected by Cyber Defense Magazine as 1 of 100 Best CyberSecurity Books

Updates

Page 10
Under the Hashing section, both MD5 sums are missing their final digit. They read 373e7a863a1a345c60edb9e20ec3231, but should instead read 373e7a863a1a345c60edb9e20ec32311.

Page 54
Figure 3-10 should look like this:

Page 66
In Figure 4-1, "move" should be "mov".

Page 74
The text "...instruction such as lea ebx, [eax*5+5], where eax is a number, rather than a memory address. This instruction is the functional equivalent of ebx = (eax+1)*5, but the former is shorter or more efficient for the compiler to use instead of a total of four instructions (for example inc eax; mov ecx, 5; mul ecx; mov ebx, eax)."

should read as:
"instruction such as lea ebx, [eax*4+4], where eax is a number, rather than a memory address. This instruction is the functional equivalent of ebx = (eax+1)*4, but the former is shorter or more efficient for the compiler to use instead of a total of four instructions (for example inc eax; mov ecx, 4; mul ecx; mov ebx, eax)."

Page 76
xhcg eax, eax should be xchg eax, eax.

Page 79
In Figure 4-8, the stack layout reads

Local Variable N
...
Local Variable 1
Local Variable 2
Old EBP
Return Address
Argument 1
Argument 2
...
Argument N

It should read

Local Variable N
...
Local Variable 2
Local Variable 1
Old EBP
Return Address
Argument 1
Argument 2
...
Argument N

Page 82
In the last paragraph, "This works in the same way as cmpsb, but it compares the byte located at address ESI to AL, rather than to EDI" should read "This works in the same way as cmpsb, but it compares the byte located at address EDI to AL, rather than to ESI."

Page 110
In Listing 6-1, the word "Total" should be "total" with a lowercase 't'.

Page 111
In Listing 6-2, the word "Total" should be "total" with a lowercase 't'.

And in Listing 6-4, the first two lines read:
00401006 mov dword ptr [ebp-4], 0
0040100D mov dword ptr [ebp-8], 1

They should instead read:
00401006 mov dword ptr [ebp-4], 1
0040100D mov dword ptr [ebp-8], 2

Page 112
In Listing 6-5, the first two lines read:
00401006 mov dword ptr [ebp-4], 0
0040100D mov dword ptr [ebp-8], 1

They should instead read:
00401006 mov dword ptr [ebp-4], 1
0040100D mov dword ptr [ebp-8], 2

Page 148
Paragraph 3 reads, "The lpStartupInfo structure for the process stores the standard output (1), standard input (2), and standard error (3) that will be used for the new process." It should instead read, "The lpStartupInfo structure for the process stores the standard output (2), standard input (3), and standard error (1) that will be used for the new process."

Page 178
"and 0x411001 if the language is Chinese" should read "and 0x41100A if the language is Chinese".

Page 237
For technical accuracy, Listing 11-2 should include 5 additional "..." breaks. It currently reads:

1000123F push offset LibFileName ; "samsrv.dll" 10001244 call esi ; LoadLibraryA 10001248 push offset aAdvapi32_dll_0 ; "advapi32.dll" ... 10001251 call esi ; LoadLibraryA ... 1000125B push offset ProcName ; "SamIConnect" 10001260 push ebx ; hModule 10001265 call esi ; GetProcAddress ... 10001281 push offset aSamrqu ; "SamrQueryInformationUser" 10001286 push ebx ; hModule 1000128C call esi ; GetProcAddress ... 100012C2 push offset aSamigetpriv ; "SamIGetPrivateData" 100012C7 push ebx ; hModule 100012CD call esi ; GetProcAddress ... 100012CF push offset aSystemfuncti ; "SystemFunction025" 100012D4 push edi ; hModule 100012DA call esi ; GetProcAddress 100012DC push offset aSystemfuni_0 ; "SystemFunction027" 100012E1 push edi ; hModule 100012E7 call esi ; GetProcAddress

But it should look like the following:

1000123F push offset LibFileName ; "samsrv.dll" 10001244 call esi ; LoadLibraryA ... 10001248 push offset aAdvapi32_dll_0 ; "advapi32.dll" ... 10001251 call esi ; LoadLibraryA ... 1000125B push offset ProcName ; "SamIConnect" 10001260 push ebx ; hModule ... 10001265 call esi ; GetProcAddress ... 10001281 push offset aSamrqueryinfor ; "SamrQueryInformationUser" 10001286 push ebx ; hModule ... 1000128C call esi ; GetProcAddress ... 100012C2 push offset aSamigetprivate ; "SamIGetPrivateData" 100012C7 push ebx ; hModule ... 100012CD call esi ; GetProcAddress 100012CF push offset aSystemfunction ; "SystemFunction025" 100012D4 push edi ; hModule ... 100012DA call esi ; GetProcAddress 100012DC push offset aSystemfuncti_0 ; "SystemFunction027" 100012E1 push edi ; hModule ... 100012E7 call esi ; GetProcAddress

Page 258
In the first line of Listing 12-3, CREATE_SUSPEND should read CREATE_SUSPENDED.

Page 263
In the first paragraph, in the second to last sentence, "Sleep" should instead read "SleepEx".

Page 290
In Listing 13-10, it should be cbuf = cfile.read() instead of cbuf = f.read()

Page 338
The "JZ -7" in Figure 15-5 should be "JZ -6" and the opcodes underneath that text should be "74 FA" instead of "74 F9".

The 3rd line of the bottom listing should read 74 FA jz short near ptr sub_4011C0+2 instead of 74 F9 jz short near ptr sub_4011C0+1.

Page 339
The 7th line of the top listing should read FA db 0FAh instead of F9 db 0F9h.

Page 363
In the "Inserting INT 2D" section, Listing 16-10 is referenced. It should reference Listing 16-9.

Page 376
Tthe text "0x5668" should be "0x5658". This happens twice on the page once in the first paragraph and once in the third paragraph.

Page 440
In Question #3, the text reads “At 0x4036F0, there is a function call that takes the string…” but it should read “The function 0x4036F0 is called multiple times and each time it takes the string…”.

Page 447
Change the two instances of "\WOW64" to "\SysWOW64"

Page 448
Change the "C:\Windows\WOW64" to "C:\Windows\SysWOW64"

Page 471
The link to download PEview reads "http://www.magma.ca/~wjr/"; it has been updated and should now read "http://wjradburn.com/software/"

Page 499
In the first paragraph, "View -> Graphs -> Xrefs From" should read "View -> Graphs -> User Xrefs Chart".

Page 514
The last sentence of the page should read "If the call succeeds, the program exits" instead of "If the call fails, the program exits".

Page 523
The middle paragraph should read "function to sleep for about 394 seconds" instead of "function to sleep for 60 seconds."

Page 566
"If you perform a full analysis of 0x4025120" should be "If you perform a full analysis of 0x402510"

Page 649
At the beginning of the second paragraph, "The two functions (sub_4012F2 and sub_401369)" should instead read "The two functions (sub_40130F and sub_401386)".

Page 651
In Listing 15-12L (as well as in the disassembly of the corresponding lab) there was a bug in the original program. There should be an add edx, 8 between lines 00401202 and 00401208.

Page 675
The text "0x5668" should be "0x5658".

Page 680
End of paragraph 2 should read “…on page 678.” instead of “…on page 670.”