دسترسی نامحدود
برای کاربرانی که ثبت نام کرده اند
برای ارتباط با ما می توانید از طریق شماره موبایل زیر از طریق تماس و پیامک با ما در ارتباط باشید
در صورت عدم پاسخ گویی از طریق پیامک با پشتیبان در ارتباط باشید
برای کاربرانی که ثبت نام کرده اند
درصورت عدم همخوانی توضیحات با کتاب
از ساعت 7 صبح تا 10 شب
ویرایش:
نویسندگان: Alexey Kleymenov. Amr Thabet
سری:
ISBN (شابک) : 9781789610789
ناشر: Packt Publishing Ltd.
سال نشر: 2019
تعداد صفحات: 547
زبان: English
فرمت فایل : PDF (درصورت درخواست کاربر به PDF، EPUB یا AZW3 تبدیل می شود)
حجم فایل: 28 مگابایت
در صورت تبدیل فایل کتاب Mastering Malware Analysis به فرمت های PDF، EPUB، AZW3، MOBI و یا DJVU می توانید به پشتیبان اطلاع دهید تا فایل مورد نظر را تبدیل نمایند.
توجه داشته باشید کتاب تسلط بر تجزیه و تحلیل بدافزار نسخه زبان اصلی می باشد و کتاب ترجمه شده به فارسی نمی باشد. وبسایت اینترنشنال لایبرری ارائه دهنده کتاب های زبان اصلی می باشد و هیچ گونه کتاب ترجمه شده یا نوشته شده به فارسی را ارائه نمی دهد.
برای محافظت از سیستم های خود در برابر آلوده شدن، آنالیز بدافزار را مسلط کنید ویژگی های کلیدی راه حل ها را تنظیم و مدل کنید، بدافزارها را بررسی کنید و از تکرار آن جلوگیری کنید مفاهیم اصلی مربوط به تجزیه و تحلیل بدافزار پویا، پزشکی قانونی حافظه، رمزگشایی و موارد دیگر را بیاموزید راهحلهای نوآورانه برای حوادث متعدد بدافزار توسعه دهید توضیحات کتاب با گسترش فناوری و افزایش حملات باج افزار برجسته، تجزیه و تحلیل بدافزار به موضوعی پرطرفدار در سال های اخیر تبدیل شده است. با کمک این کتاب، میتوانید خطر مواجهه با کدهای مخرب و بدافزارها را کاهش دهید. تسلط بر تجزیه و تحلیل بدافزار الگوهای جهانی پشت انواع مختلف نرم افزارهای مخرب و نحوه تجزیه و تحلیل آنها با استفاده از روش های مختلف را توضیح می دهد. شما یاد خواهید گرفت که چگونه کد بدافزار را بررسی کنید، آسیبی که می تواند به سیستم شما وارد کند را تعیین کنید و از انتشار آن جلوگیری کنید. این کتاب حتی تمام جنبه های تجزیه و تحلیل بدافزار برای پلتفرم ویندوز را به طور مفصل پوشش می دهد. با پیشروی، با مبهم سازی مقابله می کنید و همچنین به تکنیک های ضد جداسازی، رفع اشکال و ضد ماشین مجازی می پردازید. در طول دوره این کتاب، نمونههای واقعی از تجزیه و تحلیل بدافزار استاتیک و پویا، باز کردن بستهبندی و رمزگشایی، و شناسایی روتکیت را بررسی خواهید کرد و نحوه برخورد با بدافزارهای چند پلتفرمی مدرن را یاد خواهید گرفت. در نهایت، نحوه تقویت سیستم دفاعی خود و جلوگیری از نفوذ بدافزار برای دستگاه های اینترنت اشیا و پلتفرم های تلفن همراه را مطالعه خواهید کرد. در پایان این کتاب، شما یاد خواهید گرفت که به طور موثر حوادث بدافزار را تجزیه و تحلیل و بررسی کنید و راه حل های خلاقانه ای برای مقابله با آنها بسازید. آنچه خواهید آموخت برای تقویت مهارت های مهندسی معکوس خود، زبان های اسمبلی پرکاربرد را کاوش کنید به فرمت های مختلف فایل های اجرایی، زبان های برنامه نویسی و API های مرتبط مورد استفاده مهاجمان تسلط داشته باشید انجام تجزیه و تحلیل استاتیک و پویا برای چندین پلتفرم و انواع فایل با رسیدگی به پرونده های بدافزار پیچیده مقابله کنید تمام مراحل حملات پیشرفته واقعی، از نفوذ گرفته تا هک سیستم را درک کنید کشف کنید که چگونه می توانید تکنیک های ضد مهندسی معکوس را دور بزنید این کتاب برای چه کسی است اگر مدیر امنیت فناوری اطلاعات، تحلیلگر پزشکی قانونی، یا محقق بدافزار هستید که به دنبال ایمن سازی در برابر نرم افزارهای مخرب یا بررسی کدهای مخرب هستید، این کتاب برای شما مناسب است. تجربه برنامه نویسی و درک درستی از حملات و تحقیقات بدافزار انتظار می رود. فهرست مطالب
Master malware analysis to protect your systems from getting infected Key Features Set up and model solutions, investigate malware, and prevent it from recurring Learn core concepts relating to dynamic malware analysis, memory forensics, decryption, and much more Develop innovative solutions to numerous malware incidents Book Description With the proliferation of technology and increase in prominent ransomware attacks, malware analysis has become a trending topic in recent years. With the help of this book, you'll be able to mitigate the risk of encountering malicious code and malware. Mastering Malware Analysis explains the universal patterns behind different malicious software types and how to analyze them using a variety of approaches. You'll learn how to examine malware code, determine the damage it can cause to your systems, and prevent it from propagating. This book even covers all aspects of malware analysis for the Windows platform in detail. As you advance, you'll get to grips with obfuscation as well as delve into anti-disassembly, anti-debugging, and anti-virtual machine techniques. Throughout the course of this book, you'll explore real-world examples of static and dynamic malware analysis, unpacking and decrypting, and rootkit detection, and learn to deal with modern cross-platform malware. Finally, you'll study how to strengthen your defenses and prevent malware breaches for IoT devices and mobile platforms. By the end of this book, you'll have learned to effectively analyze and investigate malware incidents and build innovative solutions to tackle them. What you will learn Explore widely used assembly languages to enhance your reverse-engineering skills Master different executable file formats, programming languages, and relevant APIs used by attackers Perform static and dynamic analysis for multiple platforms and file types Get to grips with handling sophisticated malware cases Understand all stages of real advanced attacks, from infiltration to hacking the system Discover how you can bypass anti-reverse engineering techniques Who this book is for If you are an IT security administrator, forensic analyst, or malware researcher looking to secure against malicious software or investigate malicious code, this book is for you. Some programming experience and a fair understanding of malware attacks and investigation is expected. Table of Contents
Cover Title Page Copyright and Credits About Packt Contributors Table of Contents Preface Section 1: Fundamental Theory Chapter 1: A Crash Course in CISC/RISC and Programming Basics Basic concepts Registers Memory Virtual memory Stack Branches, loops, and conditions Exceptions, interrupts, and communicating with other devices Assembly languages CISC versus RISC Types of instructions Becoming familiar with x86 (IA-32 and x64) Registers Special registers The instruction structure opcode dest src The instruction set Data manipulation instructions Data transfer instructions Flow control instructions Arguments, local variables, and calling conventions (in x86 and x64) stdcall Arguments Local variables cdecl fastcall thiscall The x64 calling convention Exploring ARM assembly Basics Instruction sets Basics of MIPS Basics The instruction set Diving deep into PowerPC Basics The instruction set Covering the SuperH assembly Basics The instruction set Working with SPARC Basics The instruction set Moving from assembly to high-level programming languages Arithmetic statements If conditions While loop conditions Summary Section 2: Diving Deep into Windows Malware Chapter 2: Basic Static and Dynamic Analysis for x86/x64 Working with the PE header structure Why PE? Exploring PE structure MZ header PE header File header Optional header Data directory Section table PE+ (x64 PE) PE analysis tools Static and dynamic linking Static linking Dynamic linking Dynamic link libraries Application programming interface Dynamic API loading Using PE header information for static analysis How to use PE header for incident handling How to use a PE header for threat intelligence PE loading and process creation Basic terminology What's process? Virtual memory to physical memory mapping Threads Important data structures: TIB, TEB, and PEB Process loading step by step PE file loading step by step WOW64 processes Dynamic analysis with OllyDbg/immunity debugger Debugging tools How to analyze a sample with OllyDbg Types of breakpoints Step into/step over breakpoint INT3 breakpoint Memory breakpoints Hardware breakpoints Modifying the program execution Patching—modifying the program's assembly instructions Change EFlags Modifying the instruction pointer value Changing the program data Debugging malicious services What is service? Attaching to the service Summary Chapter 3: Unpacking, Decryption, and Deobfuscation Exploring packers Exploring packing and encrypting tools Identifying a packed sample Technique 1 – checking PE tool static signatures Technique 2 – evaluating PE section names Technique 3 – using stub execution signs Technique 4 – detecting a small import table Automatically unpacking packed samples Technique 1 – the official unpacking process Technique 2 – using OllyScript with OllyDbg Technique 3 – using generic unpackers Technique 4 – emulation Technique 5 – memory dumps Manual unpacking using OllyDbg Technique 6 – memory breakpoint on execution Step 1 – setting the breakpoints Step 2 – turning on Data Execution Prevention Step 3 – preventing any further attempts to change memory permissions Step 4 – executing and getting the OEP Technique 7 – call stack backtracing Step 1 – setting the breakpoints Step 2 – following the call stack Step 3 – reaching the OEP Technique 8 – monitoring memory allocated spaces for unpacked code Technique 9 – in-place unpacking Technique 10 – stack restoration based Dumping the unpacked sample and fixing the import table Dumping the process Fixing the import table Identifying different encryption algorithms and functions Types of encryption algorithms Basic encryption algorithms How to identify encryption functions String search detection techniques for simple algorithms The basics of X-RAYING Simple static encryption Other encryption algorithms X-RAYING tools for malware analysis and detection Identifying the RC4 encryption algorithm The RC4 encryption algorithm Key-scheduling algorithm Pseudo-random generation algorithm Identifying RC4 algorithms in a malware sample Standard symmetric and asymmetric encryption algorithms Extracting information from Windows cryptography APIs Step 1 – initializing and connecting to the cryptographic service provider (CSP) Step 2 – preparing the key Step 3 – encrypting or decrypting the data Step 4 – freeing the memory Cryptography API next generation (CNG) Applications of encryption in modern malware – Vawtrak banking Trojan String and API name encryption Network communication encryption Using IDA for decryption and unpacking IDA tips and tricks Static analysis Dynamic analysis Classic and new syntax of IDA scripts Dynamic string decryption Dynamic WinAPIs resolution Summary Chapter 4: Inspecting Process Injection and API Hooking Understanding process injection What's process injection? Why process injection? DLL injection Windows-supported DLL injection A simple DLL injection technique Working with process injection Getting the list of running processes Code injection Advanced code injection-reflective DLL injection Stuxnet secret technique-process hollowing Dynamic analysis of code injection Technique 1—debug it where it is Technique 2—attach to the targeted process Technique 3—dealing with process hollowing Memory forensics techniques for process injection Technique 1—detecting code injection and reflective DLL injection Technique 2—detecting process hollowing Technique 3—detecting process hollowing using the HollowFind plugin Understanding API hooking Why API hooking? Working with API hooking Inline API hooking Inline API hooking with trampoline Inline API hooking with a length disassembler Detecting API hooking using memory forensics Exploring IAT hooking Summary Chapter 5: Bypassing Anti-Reverse Engineering Techniques Exploring debugger detection Direct check for debugger presence Detecting a debugger through an environment change Detecting a debugger using parent processes Handling debugger breakpoints evasion Detecting software breakpoints (INT3) Detecting single-stepping breakpoints (trap flag) Detecting a trap flag using the SS register Detecting single-stepping using timing techniques Evading hardware breakpoints What is structured exception handling? Detecting and removing hardware breakpoints Memory breakpoints Escaping the debugger Process injection TLS callbacks Windows events callbacks Obfuscation and anti-disassemblers Encryption Junk code insertion Code transportation Dynamic API calling with checksum Proxy functions and proxy argument stacking Detecting and evading behavioral analysis tools Finding the tool process Searching for the tool window Detecting sandboxes and virtual machines Different output between virtual machines and real machines Detecting virtualization processes and services Detecting virtualization through registry keys Detecting virtual machines using PowerShell Detecting sandboxes by using default settings Other techniques Summary Chapter 6: Understanding Kernel-Mode Rootkits Kernel mode versus user mode Protection rings Windows internals The infrastructure of Windows The execution path from user mode to kernel mode Rootkits and device drivers What is a rootkit? Types of rootkits What is a device driver? Hooking mechanisms SSDT hooking Hooking the SYSENTER entry function Modifying SSDT in an x86 environment Modifying SSDT in an x64 environment Hooking SSDT functions IRP hooking Devices and major functions Attaching to a device Modifying the IRP response and setting a completion routine DKOM The kernel objects—EPROCESS and ETHREAD How do rootkits perform an object manipulation attack? Process injection in kernel mode Executing the inject code using APC queuing KPP in x64 systems (PatchGuard) Bypassing driver signature enforcement Bypassing PatchGuard—the Turla example Bypassing PatchGuard—GhostHook Disabling PatchGuard using the Command Prompt Static and dynamic analysis in kernel mode Static analysis Tools Tips and tricks Dynamic and behavioral analysis Tools Monitors Rootkit detectors Setting up a testing environment Setting up the debugger Stopping at the driver's entrypoint Loading the driver Restoring the debugging state Summary Section 3: Examining Cross-Platform Malware Chapter 7: Handling Exploits and Shellcode Getting familiar with vulnerabilities and exploits Types of vulnerabilities Stack overflow vulnerability Heap overflow vulnerabilities The use-after-free vulnerability Logical vulnerabilities Types of exploits Cracking the shellcode What's shellcode? Linux shellcode in x86-64 Getting the absolute address Null-free shellcode Local shell shellcode Reverse shell shellcode Linux shellcode for ARM Null-free shellcode Windows shellcode Getting the Kernel32.dll ImageBase Getting the required APIs from Kernel32.dll The download and execute shellcode Static and dynamic analysis of exploits Analysis workflow Shellcode analysis Exploring bypasses for exploit mitigation technologies Data execution prevention (DEP/NX) Return-oriented programming Address space layout randomization DEP and partial ASLR DEP and full ASLR – partial ROP and chaining multiple vulnerabilities DEP and full ASLR – heap spray technique Other mitigation technologies Analyzing Microsoft Office exploits File structures Compound file binary format Rich text format Office open XML format Static and dynamic analysis of MS Office exploits Static analysis Dynamic analysis Studying malicious PDFs File structure Static and dynamic analysis of PDF files Static analysis Dynamic analysis Summary Chapter 8: Reversing Bytecode Languages: .NET, Java, and More Exploring the theory of bytecode languages Object-oriented programming Inheritance Polymorphism .NET explained .NET file structure .NET COR20 header Metadata streams How to identify a .NET application from PE characteristics The CIL language instruction set Pushing into stack instructions Pulling out a value from the stack Mathematical and logical operations Branching instructions CIL language to higher-level languages Local variable assignments Local variable assignment with a method return value Basic branching statements Loops statements .NET malware analysis .NET analysis tools Static and dynamic analysis (with Dnspy) .NET static analysis .NET dynamic analysis Patching a .NET sample Dealing with obfuscation Obfuscated names for classes, methods, and others Encrypted strings inside the binary The sample is obfuscated using an obfuscator The essentials of Visual Basic File structure P-code versus native code Common p-code instructions Dissecting Visual Basic samples Static analysis P-code Native code Dynamic analysis P-code Native code The internals of Java samples File structure JVM instructions Static analysis Dynamic analysis Dealing with anti-reverse engineering solutions Python—script language internals File structure Bytecode instructions Analyzing compiled Python Static analysis Dynamic analysis Summary Chapter 9: Scripts and Macros: Reversing, Deobfuscation, and Debugging Classic shell script languages Windows batch scripting Bash VBScript explained Basic syntax Static and dynamic analysis Deobfuscation Those evil macros inside documents Basic syntax Static and dynamic analysis Besides macros The power of PowerShell Basic syntax Static and dynamic analysis Handling JavaScript Basic syntax Static and dynamic analysis Anti-reverse engineering tricks Behind C&C—even malware has its own backend Things to focus on Static and dynamic analysis Other script languages Where to start from Questions to answer Summary Section 4: Looking into IoT and Other Platforms Chapter 10: Dissecting Linux and IoT Malware Explaining ELF files ELF structure System calls Filesystem Network Process management Other Syscalls in assembly Common anti-reverse engineering tricks Exploring common behavioral patterns Initial delivery and lateral movement Persistence Privilege escalation Interaction with the command and control server Attacking stage Static and dynamic analysis of x86 (32- and 64-bit) samples Static analysis File type detectors Data carving Disassemblers Actual tools Engines How to choose Dynamic analysis Tracers Network monitors Debuggers Binary emulators Radare2 cheat sheet Anti-reverse engineering techniques Learning Mirai, its clones, and more High-level functionality Propagation Weaponry Self-defense Later derivatives Other widespread families Static and dynamic analysis of RISC samples ARM MIPS PowerPC SuperH SPARC Handling other architectures What to start from Summary Chapter 11: Introduction to macOS and iOS Threats Understanding the role of the security model macOS Security policies Filesystem hierarchy and encryption Directory structure Encryption Apps protection Gatekeeper App sandbox Other technologies iOS System security Data encryption and password management Apps' security File formats and APIs Mach-O Thin Fat Application bundles (.app) Info.plist macOS iOS Installer packages (.pkg) Apple disk images (.dmg) iOS app store packages (.ipa) APIs Static and dynamic analyses of macOS and iOS samples Static analysis Retrieving samples Disassemblers and decompilers Auxiliary tools and libraries Dynamic and behavioral analysis macOS Debuggers Monitoring and dynamic instrumentation Network analysis iOS Installers and loaders Debuggers Dumping and decryption Monitors and in-memory patching Network analysis Attack stages Jailbreaks on demand Penetration Deployment and persistence macOS iOS Action phase macOS iOS Other attack techniques macOS iOS Advanced techniques Anti-reverse-engineering (RE) tricks Misusing dynamic data exchange (DDE) User hiding Use of AppleScript API hijacking Rootkits for Mac—do they exist? Analysis workflow Summary Chapter 12: Analyzing Android Malware Samples (Ab)using Android internals File hierarchy Android security model Process management Filesystem App permissions Security services Console To root or not to root? Understanding Dalvik and ART Dalvik VM (DVM) Android runtime (ART) APIs File formats DEX ODEX OAT VDEX ART ELF APK Bytecode set Malware behavior patterns Attack stages Penetration Deployment Action phase Advanced techniques—investment pays off Patching system libraries Keylogging Self-defense Rootkits—get it covered Static and dynamic analysis of threats Static analysis Disassembling and data extraction Decompiling Dynamic analysis Android debug bridge Emulators Behavioral analysis and tracing Debuggers Analysis workflow Summary Other Books You May Enjoy Leave a review - let other readers know what you think Index