Practical Malware Analysis begins with easy methods that can be used to get information from relatively unsophisticated malicious programs, and proceeds with increasingly complicated techniques that can be used to tackle even the most sophisticated malicious programs. Here’s what you’ll find in each chapter:
Chapter 0, “Malware Analysis Primer,” establishes the overall process and methodology of analyzing malware.
Chapter 1, “Basic Static Techniques,” teaches ways to get information from an executable without running it.
Chapter 2, “Malware Analysis in Virtual Machines,” walks you through setting up virtual machines to use as a safe environment for running malware.
Chapter 3, “Basic Dynamic Analysis,” teaches easy-to-use but effective techniques for analyzing a malicious program by running it.
Chapter 4, “A Crash Course in x86 Assembly,” is an introduction to the x86 assembly language, which provides a foundation for using IDA Pro and performing in-depth analysis of malware.
Chapter 5, “IDA Pro,” shows you how to use IDA Pro, one of the most important malware analysis tools. We’ll use IDA Pro throughout the remainder of the book.
Chapter 6, “Recognizing C Code Constructs in Assembly,” provides examples of C code in assembly and teaches you how to understand the high-level functionality of assembly code.
Chapter 7, “Analyzing Malicious Windows Programs,” covers a wide range of Windows-specific concepts that are necessary for understanding malicious Windows programs.
Chapter 8, “Debugging,” explains the basics of debugging and how malware analysts use a debugger.
Chapter 9, “OllyDbg,” shows you how to use OllyDbg, the most popular debugger for malware analysts.
Chapter 10, “Kernel Debugging with WinDbg,” covers how to use the WinDbg debugger to analyze kernel-mode malware and rootkits.
Chapter 11, “Malware Behavior,” describes common malware functionality and shows you how to recognize that functionality when analyzing malware.
Chapter 12, “Covert Malware Launching,” discusses how to analyze a particularly stealthy class of malicious programs that hide their execution within another process.
Chapter 13, “Data Encoding,” demonstrates how malware may encode data in order to make it harder to identify its activities in network traffic or on the victim host.
Chapter 14, “Malware-Focused Network Signatures,” teaches you how to use malware analysis to create network signatures that outperform signatures made from captured traffic alone.
Chapter 15, “Anti-Disassembly,” explains how some malware authors design their malware so that it is hard to disassemble, and how to recognize and defeat these techniques.
Chapter 16, “Anti-Debugging,” describes the tricks that malware authors use to make their code difficult to debug and how to overcome those roadblocks.
Chapter 17, “Anti-Virtual Machine Techniques,” demonstrates techniques used by malware to make it difficult to analyze in a virtual machine and how to bypass those techniques.
Chapter 18, “Packers and Unpacking,” teaches you how malware uses packing to hide its true purpose, and then provides a step-by-step approach for unpacking packed programs.
Chapter 19, “Shellcode Analysis,” explains what shellcode is and presents tips and tricks specific to analyzing malicious shellcode.
Chapter 20, “C++ Analysis,” instructs you on how C++ code looks different once it is compiled and how to perform analysis on malware created using C++.
Chapter 21, “64-Bit Malware,” discusses why malware authors may use 64-bit malware and what you need to know about the differences between x86 and x64.
Appendix A, “Important Windows Functions,” briefly describes Windows functions commonly used in malware.
Appendix B, “Tools for Malware Analysis,” lists useful tools for malware analysts.
Appendix C, “Solutions to Labs,” provides the solutions for the labs included in the chapters throughout the book.
Our goal throughout this book is to arm you with the skills to analyze and defeat malware of all types. As you’ll see, we cover a lot of material and use labs to reinforce the material. By the time you’ve finished this book, you will have learned the skills you need to analyze any malware, including simple techniques for quickly analyzing ordinary malware and complex, sophisticated ones for analyzing even the most enigmatic malware.
Let’s get started.