PRAISE FOR PRACTICAL MALWARE ANALYSIS
“An excellent crash course in malware analysis.”
—Dino Dai Zovi, INDEPENDENT SECURITY CONSULTANT
“. . . the most comprehensive guide to analysis of malware, offering detailed
coverage of all the essential skills required to understand the specific
challenges presented by modern malware.”
—Chris Eagle, SENIOR LECTURER OF COMPUTER SCIENCE, NAVAL
POSTGRADUATE SCHOOL
“A hands-on introduction to malware analysis. I'd recommend it to anyone
who wants to dissect Windows malware.”
—Ilfak Guilfanov, CREATOR OF IDA PRO
“. . . a great introduction to malware analysis. All chapters contain detailed
technical explanations and hands-on lab exercises to get you immediate
exposure to real malware.”
—Sebastian Porst, GOOGLE SOFTWARE ENGINEER
“. . . brings reverse-engineering to readers of all skill levels. Technically
rich and accessible, the labs will lead you to a deeper understanding of the
art and science of reverse-engineering. I strongly recommend this book for
beginners and experts alike.”
—Danny Quist, PHD, FOUNDER OF OFFENSIVE COMPUTING
“If you only read one malware book or are looking to break into the world of
malware analysis, this is the book to get.”
—Patrick Engbretson, IA PROFESSOR, DAKOTA STATE UNIVERSITY AND
AUTHOR OF The Basics of Hacking and Pen Testing
“. . . an excellent addition to the course materials for an advanced graduate
level course on Software Security or Intrusion Detection Systems. The labs
are especially useful to students in teaching the methods to reverse-engineer,
analyze, and understand malicious software.”
—Sal Stolfo, PROFESSOR, COLUMBIA UNIVERSITY
WARNING
This is a book about malware. The links and software described
in this book are malicious. Exercise extreme caution when executing
unknown code and visiting untrusted URLs.
For hints about creating a safe virtualized environment for malware
analysis, visit Chapter 2. Don’t be stupid; secure your environment.
PRACTICAL
MALWARE ANALYSIS
The Hands-On Guide to
Dissecting Malicious
Software
by Michael Sikorski and Andrew Honig
San Francisco
PRACTICAL MALWARE ANALYSIS. Copyright © 2012 by Michael Sikorski and Andrew Honig.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior
written permission of the copyright owner and the publisher.
16 15 14 13 12
1 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-290-1
ISBN-13: 978-1-59327-290-6
Publisher: William Pollock
Production Editor: Alison Law
Cover Illustration: Hugh D’Andrade
Interior Design: Octopod Studios
Developmental Editors: William Pollock and Tyler Ortman
Technical Reviewer: Stephen Lawler
Copyeditor: Marilyn Smith
Compositor: Riley Hoffman
Proofreader: Irene Barnard
Indexer: Nancy Guenther
For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
38 Ringold Street, San Francisco, CA 94103
phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com
Library of Congress Cataloging-in-Publication Data
A catalog record of this book is available from the Library of Congress.
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and
company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark
symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the
benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been
taken in the preparation of this work, neither the authors nor No Starch Press, Inc. shall have any liability to any
person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the
information contained in it.
BRIEF CONTENTS
About the Authors .........................................................................................................xix
Foreword by Richard Bejtlich ..........................................................................................xxi
Acknowledgments ........................................................................................................xxv
Introduction ............................................................................................................... xxvii
Chapter 0: Malware Analysis Primer .................................................................................1
PART 1: BASIC ANALYSIS
Chapter 1: Basic Static Techniques....................................................................................9
Chapter 2: Malware Analysis in Virtual Machines.............................................................29
Chapter 3: Basic Dynamic Analysis.................................................................................39
PART 2: ADVANCED STATIC ANALYSIS
Chapter 4: A Crash Course in x86 Disassembly ...............................................................65
Chapter 5: IDA Pro .......................................................................................................87
Chapter 6: Recognizing C Code Constructs in Assembly..................................................109
Chapter 7: Analyzing Malicious Windows Programs.......................................................135
PART 3: ADVANCED DYNAMIC ANALYSIS
Chapter 8: Debugging.................................................................................................167
Chapter 9: OllyDbg ....................................................................................................179
Chapter 10: Kernel Debugging with WinDbg.................................................................205
PART 4: MALWARE FUNCTIONALITY
Chapter 11: Malware Behavior ....................................................................................231
Chapter 12: Covert Malware Launching ........................................................................253
Chapter 13: Data Encoding .........................................................................................269
Chapter 14: Malware-Focused Network Signatures.........................................................297
PART 5: ANTI-REVERSE-ENGINEERING
Chapter 15: Anti-Disassembly.......................................................................................327
Chapter 16: Anti-Debugging ........................................................................................351
Chapter 17: Anti-Virtual Machine Techniques .................................................................369
Chapter 18: Packers and Unpacking .............................................................................383
PART 6: SPECIAL TOPICS
Chapter 19: Shellcode Analysis ....................................................................................407
Chapter 20: C++ Analysis ...........................................................................................427
Chapter 21: 64-Bit Malware.........................................................................................441
Appendix A: Important Windows Functions....................................................................453
Appendix B: Tools for Malware Analysis........................................................................465
Appendix C: Solutions to Labs ......................................................................................477
Index .........................................................................................................................733
vi
Brief Contents
CONTENTS IN DETAIL
ABOUT THE AUTHORS ........................................................................................... xix
About the Technical Reviewer ................................................................................... xx
About the Contributing Authors ................................................................................. xx
FOREWORD by Richard Bejtlich ............................................................................... xxi
ACKNOWLEDGMENTS ........................................................................................... xxv
Individual Thanks ...................................................................................................xxv
INTRODUCTION ................................................................................................. xxvii
What Is Malware Analysis? .................................................................................. xxviii
Prerequisites ....................................................................................................... xxviii
Practical, Hands-On Learning .................................................................................xxix
What’s in the Book? ...............................................................................................xxx
0 MALWARE ANALYSIS PRIMER ................................................................................. 1
The Goals of Malware Analysis ................................................................................. 1
Malware Analysis Techniques .................................................................................... 2
Basic Static Analysis .................................................................................... 2
Basic Dynamic Analysis ............................................................................... 2
Advanced Static Analysis ............................................................................. 3
Advanced Dynamic Analysis ........................................................................ 3
Types of Malware .................................................................................................... 3
General Rules for Malware Analysis ........................................................................... 5
PART 1: BASIC ANALYSIS
1 BASIC STATIC TECHNIQUES ..................................................................................... 9
Antivirus Scanning: A Useful First Step ...................................................................... 10
Hashing: A Fingerprint for Malware ......................................................................... 10
Finding Strings ....................................................................................................... 11
Packed and Obfuscated Malware ............................................................................ 13
Packing Files ............................................................................................ 13
Detecting Packers with PEiD ........................................................................ 14
Portable Executable File Format ................................................................................ 14
Linked Libraries and Functions .................................................................................. 15
Static, Runtime, and Dynamic Linking ........................................................... 15