Learning Malware Analysis Explore the Concepts, Tools, and Techniques to Analyze and Investigate Windows Malware

Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. This book teaches you the concepts, tools, and techniques to determine the behavior and characteristics of malware using malware analysis and memory forensics.

Bibliographic Details
Main Author K A, Monnappa
Format eBook
Language English
Published Birmingham Packt Publishing, Limited 2018
Packt Publishing Limited
Edition 1
Subjects
ISBN 1788392507
9781788392501
DOI 10.0000/9781788397520

Cover

Abstract Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. This book teaches you the concepts, tools, and techniques to determine the behavior and characteristics of malware using malware analysis and memory forensics.
Author K A, Monnappa
ContentType eBook
DEWEY 005.88
DOI 10.0000/9781788397520
DatabaseTitleList
DeliveryMethod fulltext_linktorsrc
Discipline Computer Science
EISBN 1788397525
9781788397520
Edition 1
ExternalDocumentID 9781788397520
EBC5446050
ISBN 1788392507
9781788392501
IngestDate Sat Oct 25 01:18:27 EDT 2025
Wed Oct 29 00:15:49 EDT 2025
IsPeerReviewed false
IsScholarly false
LCCallNum_Ident QA76.76.C68 .M666 2018
Language English
LinkModel OpenURL
OCLC 1044947541
PQID EBC5446050
PageCount 500
ParticipantIDs walterdegruyter_marc_9781788397520
proquest_ebookcentral_EBC5446050
PublicationCentury 2000
PublicationDate 2018
[2018]
PublicationDateYYYYMMDD 2018-01-01
PublicationDecade 2010
PublicationPlace Birmingham
PublicationYear 2018
Publisher Packt Publishing, Limited
Packt Publishing Limited
RestrictionsOnAccess restricted access
SSID ssj0003000136
SourceID walterdegruyter
proquest
SourceType Publisher
SubjectTerms COM015000 COMPUTERS / Security / Viruses & Malware
COM019000 COMPUTERS / System Administration / Disaster & Recovery
Computer security
Computer software-Evaluation
COMPUTERS / Security / Networking
Malware (Computer software)
Microsoft Windows (Computer file)
Subtitle Explore the Concepts, Tools, and Techniques to Analyze and Investigate Windows Malware
TableOfContents
Cover -- Title Page -- Copyright and Credits -- Dedication -- Packt Upsell -- Contributors -- Table of Contents -- Preface
Chapter 1: Introduction to Malware Analysis -- 1. What Is Malware? -- 2. What Is Malware Analysis? -- 3. Why Malware Analysis? -- 4. Types Of Malware Analysis -- 5. Setting Up The Lab Environment -- 5.1 Lab Requirements -- 5.2 Overview Of Lab Architecture -- 5.3 Setting Up And Configuring Linux VM -- 5.4 Setting Up And Configuring Windows VM -- 6. Malware Sources -- Summary
Chapter 2: Static Analysis -- 1. Determining the File Type -- 1.1 Identifying File Type Using Manual Method -- 1.2 Identifying File Type Using Tools -- 1.3 Determining File Type Using Python -- 2. Fingerprinting the Malware -- 2.1 Generating Cryptographic Hash Using Tools -- 2.2 Determining Cryptographic Hash in Python -- 3. Multiple Anti-Virus Scanning -- 3.1 Scanning the Suspect Binary with VirusTotal -- 3.2 Querying Hash Values Using VirusTotal Public API -- 4. Extracting Strings -- 4.1 String Extraction Using Tools -- 4.2 Decoding Obfuscated Strings Using FLOSS -- 5. Determining File Obfuscation -- 5.1 Packers and Cryptors -- 5.2 Detecting File Obfuscation Using Exeinfo PE -- 6. Inspecting PE Header Information -- 6.1 Inspecting File Dependencies and Imports -- 6.2 Inspecting Exports -- 6.3 Examining PE Section Table And Sections -- 6.4 Examining the Compilation Timestamp -- 6.5 Examining PE Resources -- 7. Comparing And Classifying The Malware -- 7.1 Classifying Malware Using Fuzzy Hashing -- 7.2 Classifying Malware Using Import Hash -- 7.3 Classifying Malware Using Section Hash -- 7.4 Classifying Malware Using YARA -- 7.4.1 Installing YARA -- 7.4.2 YARA Rule Basics -- 7.4.3 Running YARA -- 7.4.4 Applications of YARA -- Summary
Chapter 3: Dynamic Analysis -- 1. Lab Environment Overview -- 2. System And Network Monitoring -- 3. Dynamic Analysis (Monitoring) Tools -- 3.1 Process Inspection with Process Hacker -- 3.2 Determining System Interaction with Process Monitor -- 3.3 Logging System Activities Using Noriben -- 3.4 Capturing Network Traffic With Wireshark -- 3.5 Simulating Services with INetSim -- 4. Dynamic Analysis Steps -- 5. Putting it All Together: Analyzing a Malware Executable -- 5.1 Static Analysis of the Sample -- 5.2 Dynamic Analysis of the Sample -- 6. Dynamic-Link Library (DLL) Analysis -- 6.1 Why Attackers Use DLLs -- 6.2 Analyzing the DLL Using rundll32.exe -- 6.2.1 Working of rundll32.exe -- 6.2.2 Launching the DLL Using rundll32.exe -- Example 1 - Analyzing a DLL With No Exports -- Example 2 - Analyzing a DLL Containing Exports -- Example 3 - Analyzing a DLL Accepting Export Arguments -- 6.3 Analyzing a DLL with Process Checks -- Summary
Chapter 4: Assembly Language and Disassembly Primer -- 1. Computer Basics -- 1.1 Memory -- 1.1.1 How Data Resides In Memory -- 1.2 CPU -- 1.2.1 Machine Language -- 1.3 Program Basics -- 1.3.1 Program Compilation -- 1.3.2 Program On Disk -- 1.3.3 Program In Memory -- 1.3.4 Program Disassembly (From Machine code To Assembly code) -- 2. CPU Registers -- 2.1 General-Purpose Registers -- 2.2 Instruction Pointer (EIP) -- 2.3 EFLAGS Register -- 3. Data Transfer Instructions -- 3.1 Moving a Constant Into Register -- 3.2 Moving Values From Register To Register -- 3.3 Moving Values From Memory To Registers -- 3.4 Moving Values From Registers To Memory -- 3.5 Disassembly Challenge -- 3.6 Disassembly Solution -- 4. Arithmetic Operations -- 4.1 Disassembly Challenge -- 4.2 Disassembly Solution -- 5. Bitwise Operations -- 6. Branching And Conditionals -- 6.1 Unconditional Jumps -- 6.2 Conditional Jumps -- 6.3 If Statement -- 6.4 If-Else Statement -- 6.5 If-Elseif-Else Statement -- 6.6 Disassembly Challenge -- 6.7 Disassembly Solution -- 7. Loops -- 7.1 Disassembly Challenge -- 7.2 Disassembly Solution -- 8. Functions -- 8.1 Stack -- 8.2 Calling Function -- 8.3 Returning From Function -- 8.4 Function Parameters And Return Values -- 9. Arrays And Strings -- 9.1 Disassembly Challenge -- 9.2 Disassembly Solution -- 9.3 Strings -- 9.3.1 String Instructions -- 9.3.2 Moving From Memory To Memory (movsx) -- 9.3.3 Repeat Instructions (rep) -- 9.3.4 Storing Value From Register to Memory (stosx) -- 9.3.5 Loading From Memory to Register (lodsx) -- 9.3.6 Scanning Memory (scasx) -- 9.3.7 Comparing Values in Memory (cmpsx) -- 10. Structures -- 11. x64 Architecture -- 11.1 Analyzing 32-bit Executable On 64-bit Windows -- 12. Additional Resources -- Summary
Chapter 5: Disassembly Using IDA -- 1. Code Analysis Tools -- 2. Static Code Analysis (Disassembly) Using IDA -- 2.1 Loading Binary in IDA -- 2.2 Exploring IDA Displays -- 2.2.1 Disassembly Window -- 2.2.2 Functions Window -- 2.2.3 Output Window -- 2.2.4 Hex View Window -- 2.2.5 Structures Window -- 2.2.6 Imports Window -- 2.2.7 Exports Window -- 2.2.8 Strings Window -- 2.2.9 Segments Window -- 2.3 Improving Disassembly Using IDA -- 2.3.1 Renaming Locations -- 2.3.2 Commenting in IDA -- 2.3.3 IDA Database -- 2.3.4 Formatting Operands -- 2.3.5 Navigating Locations -- 2.3.6 Cross-References -- 2.3.7 Listing All Cross-References -- 2.3.8 Proximity View And Graphs -- 3. Disassembling Windows API -- 3.1 Understanding Windows API -- 3.1.1 ANSI and Unicode API Functions -- 3.1.2 Extended API Functions -- 3.2 Windows API 32-Bit and 64-Bit Comparison -- 4. Patching Binary Using IDA -- 4.1 Patching Program Bytes -- 4.2 Patching Instructions -- 5. IDA Scripting and Plugins -- 5.1 Executing IDA Scripts -- 5.2 IDAPython -- 5.2.1 Checking The Presence Of CreateFile API -- 5.2.2 Code Cross-References to CreateFile Using IDAPython -- 5.3 IDA Plugins -- Summary
Chapter 6: Debugging Malicious Binaries -- 1. General Debugging Concepts -- 1.1 Launching And Attaching To Process -- 1.2 Controlling Process Execution -- 1.3 Interrupting a Program with Breakpoints -- 1.4 Tracing Program Execution -- 2. Debugging a Binary Using x64dbg -- 2.1 Launching a New Process in x64dbg -- 2.2 Attaching to an Existing Process Using x64dbg -- 2.3 x64dbg Debugger Interface -- 2.4 Controlling Process Execution Using x64dbg -- 2.5 Setting a Breakpoint in x64dbg -- 2.6 Debugging 32-bit Malware -- 2.7 Debugging 64-bit Malware -- 2.8 Debugging a Malicious DLL Using x64dbg -- 2.8.1 Using rundll32.exe to Debug the DLL in x64dbg -- 2.8.2 Debugging a DLL in a Specific Process -- 2.9 Tracing Execution in x64dbg -- 2.9.1 Instruction Tracing -- 2.9.2 Function Tracing -- 2.10 Patching in x64dbg -- 3. Debugging a Binary Using IDA -- 3.1 Launching a New Process in IDA -- 3.2 Attaching to an Existing Process Using IDA -- 3.3 IDA's Debugger Interface -- 3.4 Controlling Process Execution Using IDA -- 3.5 Setting a Breakpoint in IDA -- 3.6 Debugging Malware Executables -- 3.7 Debugging a Malicious DLL Using IDA -- 3.7.1 Debugging a DLL in a Specific Process -- 3.8 Tracing Execution Using IDA -- 3.9 Debugger Scripting Using IDAPython -- 3.9.1 Example - Determining Files Accessed by Malware -- 4. Debugging a .NET Application -- Summary
Chapter 7: Malware Functionalities and Persistence -- 1. Malware Functionalities -- 1.1 Downloader -- 1.2 Dropper -- 1.2.1 Reversing a 64-bit Dropper -- 1.3 Keylogger -- 1.3.1 Keylogger Using GetAsyncKeyState() -- 1.3.2 Keylogger Using SetWindowsHookEx() -- 1.4 Malware Replication Via Removable Media -- 1.5 Malware Command and Control (C2) -- 1.5.1 HTTP Command and Control -- 1.5.2 Custom Command and Control -- 1.6 PowerShell-Based Execution -- 1.6.1 PowerShell Command Basics -- 1.6.2 PowerShell Scripts And Execution Policy -- 1.6.2 Analyzing PowerShell Commands/Scripts -- 1.6.3 How Attackers Use PowerShell -- 2. Malware Persistence Methods -- 2.1 Run Registry Key -- 2.2 Scheduled Tasks -- 2.3 Startup Folder -- 2.4 Winlogon Registry Entries -- 2.5 Image File Execution Options -- 2.6 Accessibility Programs -- 2.7 AppInit_DLLs -- 2.8 DLL Search Order Hijacking -- 2.9 COM hijacking -- 2.10 Service -- Summary
Chapter 8: Code Injection and Hooking -- 1. Virtual Memory -- 1.1 Process Memory Components (User Space) -- 1.2 Kernel Memory Contents (Kernel Space) -- 2. User Mode And Kernel Mode -- 2.1 Windows API Call Flow -- 3. Code Injection Techniques -- 3.1 Remote DLL Injection -- 3.2 DLL Injection Using APC (APC Injection) -- 3.3 DLL Injection Using SetWindowsHookEx() -- 3.4 DLL Injection Using The Application Compatibility Shim -- 3.4.1 Creating A Shim -- 3.4.2 Shim Artifacts -- 3.4.3 How Attackers Use Shims -- 3.4.4 Analyzing The Shim Database -- 3.5 Remote Executable/Shellcode Injection -- 3.6 Hollow Process Injection (Process Hollowing) -- 4. Hooking Techniques -- 4.1 IAT Hooking -- 4.2 Inline Hooking (Inline Patching) -- 4.3 In-memory Patching Using Shim -- 5. Additional Resources -- Summary
Chapter 9: Malware Obfuscation Techniques -- 1. Simple Encoding -- 1.1 Caesar Cipher -- 1.1.1 Working Of Caesar Cipher -- 1.1.2 Decrypting Caesar Cipher In Python -- 1.2 Base64 Encoding -- 1.2.1 Translating Data To Base64 -- 1.2.2 Encoding And Decoding Base64 -- 1.2.3 Decoding Custom Base64 -- 1.2.4 Identifying Base64 -- 1.3 XOR Encoding -- 1.3.1 Single Byte XOR -- 1.3.2 Finding XOR Key Through Brute-Force -- 1.3.3 NULL Ignoring XOR Encoding -- 1.3.4 Multi-byte XOR Encoding -- 1.3.5 Identifying XOR Encoding -- 2. Malware Encryption -- 2.1 Identifying Crypto Signatures Using Signsrch -- 2.2 Detecting Crypto Constants Using FindCrypt2 -- 2.3 Detecting Crypto Signatures Using YARA
Title Learning Malware Analysis
URI https://ebookcentral.proquest.com/lib/[SITE_ID]/detail.action?docID=5446050
linkProvider ProQuest Ebooks