Table of Contents

  1. Chapter 0 Malware Analysis Primer

    1. The Goals of Malware Analysis
    2. Malware Analysis Techniques
    3. Types of Malware
    4. General Rules for Malware Analysis

  2. Basic Analysis

    1. Chapter 1 Basic Static Techniques

      1. Antivirus Scanning: A Useful First Step
      2. Hashing: A Fingerprint for Malware
      3. Finding Strings
      4. Packed and Obfuscated Malware
      5. Portable Executable File Format
      6. Linked Libraries and Functions
      7. Static Analysis in Practice
      8. The PE File Headers and Sections
      9. Conclusion
      10. Labs
    2. Chapter 2 Malware Analysis in Virtual Machines

      1. The Structure of a Virtual Machine
      2. Creating Your Malware Analysis Machine
      3. Using Your Malware Analysis Machine
      4. The Risks of Using VMware for Malware Analysis
      5. Record/Replay: Running Your Computer in Reverse
      6. Conclusion
    3. Chapter 3 Basic Dynamic Analysis

      1. Sandboxes: The Quick-and-Dirty Approach
      2. Running Malware
      3. Monitoring with Process Monitor
      4. Viewing Processes with Process Explorer
      5. Comparing Registry Snapshots with Regshot
      6. Faking a Network
      7. Packet Sniffing with Wireshark
      8. Using INetSim
      9. Basic Dynamic Tools in Practice
      10. Conclusion
      11. Labs
  3. Advanced Static Analysis

    1. Chapter 4 A Crash Course in x86 Disassembly

      1. Levels of Abstraction
      2. Reverse-Engineering
      3. The x86 Architecture
      4. Conclusion
    2. Chapter 5 IDA Pro

      1. Loading an Executable
      2. The IDA Pro Interface
      3. Using Cross-References
      4. Analyzing Functions
      5. Using Graphing Options
      6. Enhancing Disassembly
      7. Extending IDA with Plug-ins
      8. Conclusion
      9. Labs
    3. Chapter 6 Recognizing C Code Constructs in Assembly

      1. Global vs. Local Variables
      2. Disassembling Arithmetic Operations
      3. Recognizing if Statements
      4. Recognizing Loops
      5. Understanding Function Call Conventions
      6. Analyzing switch Statements
      7. Disassembling Arrays
      8. Identifying Structs
      9. Analyzing Linked List Traversal
      10. Conclusion
      11. Labs
    4. Chapter 7 Analyzing Malicious Windows Programs

      1. The Windows API
      2. The Windows Registry
      3. Networking APIs
      4. Following Running Malware
      5. Kernel vs. User Mode
      6. The Native API
      7. Conclusion
      8. Labs
  4. Advanced Dynamic Analysis

    1. Chapter 8 Debugging

      1. Source-Level vs. Assembly-Level Debuggers
      2. Kernel vs. User-Mode Debugging
      3. Using a Debugger
      4. Exceptions
      5. Modifying Execution with a Debugger
      6. Modifying Program Execution in Practice
      7. Conclusion
    2. Chapter 9 OllyDbg

      1. Loading Malware
      2. The OllyDbg Interface
      3. Memory Map
      4. Viewing Threads and Stacks
      5. Executing Code
      6. Breakpoints
      7. Loading DLLs
      8. Tracing
      9. Exception Handling
      10. Patching
      11. Analyzing Shellcode
      12. Assistance Features
      13. Plug-ins
      14. Scriptable Debugging
      15. Conclusion
      16. Labs
    3. Chapter 10 Kernel Debugging with WinDbg

      1. Drivers and Kernel Code
      2. Setting Up Kernel Debugging
      3. Using WinDbg
      4. Microsoft Symbols
      5. Kernel Debugging in Practice
      6. Rootkits
      7. Loading Drivers
      8. Kernel Issues for Windows Vista, Windows 7, and x64 Versions
      9. Conclusion
      10. Labs
  5. Malware Functionality

    1. Chapter 11 Malware Behavior

      1. Downloaders and Launchers
      2. Backdoors
      3. Credential Stealers
      4. Persistence Mechanisms
      5. Privilege Escalation
      6. Covering Its Tracks—User-Mode Rootkits
      7. Conclusion
      8. Labs
    2. Chapter 12 Covert Malware Launching

      1. Launchers
      2. Process Injection
      3. Process Replacement
      4. Hook Injection
      5. Detours
      6. APC Injection
      7. Conclusion
      8. Labs
    3. Chapter 13 Data Encoding

      1. The Goal of Analyzing Encoding Algorithms
      2. Simple Ciphers
      3. Common Cryptographic Algorithms
      4. Custom Encoding
      5. Decoding
      6. Conclusion
      7. Labs
    4. Chapter 14 Malware-Focused Network Signatures

      1. Network Countermeasures
      2. Safely Investigate an Attacker Online
      3. Content-Based Network Countermeasures
      4. Combining Dynamic and Static Analysis Techniques
      5. Understanding the Attacker’s Perspective
      6. Conclusion
      7. Labs
  6. Anti-Reverse-Engineering

    1. Chapter 15 Anti-Disassembly

      1. Understanding Anti-Disassembly
      2. Defeating Disassembly Algorithms
      3. Anti-Disassembly Techniques
      4. Obscuring Flow Control
      5. Thwarting Stack-Frame Analysis
      6. Conclusion
      7. Labs
    2. Chapter 16 Anti-Debugging

      1. Windows Debugger Detection
      2. Identifying Debugger Behavior
      3. Interfering with Debugger Functionality
      4. Debugger Vulnerabilities
      5. Conclusion
      6. Labs
    3. Chapter 17 Anti-Virtual Machine Techniques

      1. VMware Artifacts
      2. Vulnerable Instructions
      3. Tweaking Settings
      4. Escaping the Virtual Machine
      5. Conclusion
      6. Labs
    4. Chapter 18 Packers and Unpacking

      1. Packer Anatomy
      2. Identifying Packed Programs
      3. Unpacking Options
      4. Automated Unpacking
      5. Manual Unpacking
      6. Tips and Tricks for Common Packers
      7. Analyzing Without Fully Unpacking
      8. Packed DLLs
      9. Conclusion
      10. Labs
  7. Special Topics

    1. Chapter 19 Shellcode Analysis

      1. Loading Shellcode for Analysis
      2. Position-Independent Code
      3. Identifying Execution Location
      4. Manual Symbol Resolution
      5. A Full Hello World Example
      6. Shellcode Encodings
      7. NOP Sleds
      8. Finding Shellcode
      9. Conclusion
      10. Labs
    2. Chapter 20 C++ Analysis

      1. Object-Oriented Programming
      2. Virtual vs. Nonvirtual Functions
      3. Creating and Destroying Objects
      4. Conclusion
      5. Labs
    3. Chapter 21 64-Bit Malware

      1. Why 64-Bit Malware?
      2. Differences in x64 Architecture
      3. Windows 32-Bit on Windows 64-Bit
      4. 64-Bit Hints at Malware Functionality
      5. Conclusion
      6. Labs
  1. Appendix Important Windows Functions
  2. Appendix Tools for Malware Analysis
  3. Appendix Solutions to Labs

    1. Lab 1-1 Solutions
    2. Lab 1-2 Solutions
    3. Lab 1-3 Solutions
    4. Lab 1-4 Solutions
    5. Lab 3-1 Solutions
    6. Lab 3-2 Solutions
    7. Lab 3-3 Solutions
    8. Lab 3-4 Solutions
    9. Lab 5-1 Solutions
    10. Lab 6-1 Solutions
    11. Lab 6-2 Solutions
    12. Lab 6-3 Solutions
    13. Lab 6-4 Solutions
    14. Lab 7-1 Solutions
    15. Lab 7-2 Solutions
    16. Lab 7-3 Solutions
    17. Lab 9-1 Solutions
    18. Lab 9-2 Solutions
    19. Lab 9-3 Solutions
    20. Lab 10-1 Solutions
    21. Lab 10-2 Solutions
    22. Lab 10-3 Solutions
    23. Lab 11-1 Solutions
    24. Lab 11-2 Solutions
    25. Lab 11-3 Solutions
    26. Lab 12-1 Solutions
    27. Lab 12-2 Solutions
    28. Lab 12-3 Solutions
    29. Lab 12-4 Solutions
    30. Lab 13-1 Solutions
    31. Lab 13-2 Solutions
    32. Lab 13-3 Solutions
    33. Lab 14-1 Solutions
    34. Lab 14-2 Solutions
    35. Lab 14-3 Solutions
    36. Lab 15-1 Solutions
    37. Lab 15-2 Solutions
    38. Lab 15-3 Solutions
    39. Lab 16-1 Solutions
    40. Lab 16-2 Solutions
    41. Lab 16-3 Solutions
    42. Lab 17-1 Solutions
    43. Lab 17-2 Solutions
    44. Lab 17-3 Solutions
    45. Lab 18-1 Solutions
    46. Lab 18-2 Solutions
    47. Lab 18-3 Solutions
    48. Lab 18-4 Solutions
    49. Lab 18-5 Solutions
    50. Lab 19-1 Solutions
    51. Lab 19-2 Solutions
    52. Lab 19-3 Solutions
    53. Lab 20-1 Solutions
    54. Lab 20-2 Solutions
    55. Lab 20-3 Solutions
    56. Lab 21-1 Solutions
    57. Lab 21-2 Solutions
  4. Updates