Accelerated Windows Malware Analysis with Memory Dumps (2nd edition), watermark-free PDF

Cover
Copyright
Contents
About the Author
Introduction
Prerequisites
Training Goals
Training Principles
Agenda
Malware and Victimware
Pattern-Oriented Approach
Pattern-Oriented Diagnostic Analysis
Practice Exercises
Links
Exercise 0
User Space Memory
Space Review (x86)
Space Review (x64)
EXE/DLL/SYS
Exercise M1A
Dynamic Linking Design
After Dynamic Linking
Exercise M1B
Packed Code and Data
Thread Raw Stack Data
Exercise M2
Malware Requirements
Malware Architecture
Hooksware (Patching)
Exercise M3
DLL Injection
Pathways
Pattern Links
Kernel Space Memory
Space Review (x86)
Space Review (x64)
Driver PE Format
Suspicious Behaviour
BSOD
The First Steps
IDT
Raw Stack
Processes and Threads
Attached Threads
CPU Spikes
Exercise M4
SSDT
IRP Dispatch
Device Driver Example
IRP Communication
False Positives
Exercise M5
Direct Dump Manipulation
Physical Space Memory
Space Review
Exercise M6
Memory Acquisition
Pattern Links
Resources
Selected Q&A
Appendix
Malware Analysis Patterns - Deviant Module
Deviant Token
Driver Device Collection
Execution Residue
Fake Module
Hidden Module
Hidden Process
Hooksware
Namespace
No Component Symbols
Out-of-Module Pointer
Packed Code
Patched Code
Pre-Obfuscation Residue
Raw Pointer
RIP Stack Trace
Self-Diagnosis (Kernel Mode)
Stack Trace Collection
Stack Trace Collection (I/O Requests)
String Hint
Unknown Module
Raw Stack Dump of All Threads (Kernel Space)
Complete Stack Traces from x64 System
Published by OpenTask, Republic of Ireland
Copyright © 2017 by OpenTask
Copyright © 2017 by Software Diagnostics Services
Copyright © 2017 by Dmitry Vostokov
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior written permission of the publisher. You must not circulate this book in any other binding or cover, and you must impose the same condition on any acquirer.
Product and company names mentioned in this book may be trademarks of their owners.
OpenTask books and magazines are available through booksellers and distributors worldwide. For further information or comments send requests to press@opentask.com.
A CIP catalog record for this book is available from the British Library.
ISBN-13: 978-1-908043-86-3 (Paperback)
Revision 2.01 (October 2017)
Contents
About the Author ..... 5
Introduction ..... 7
Practice Exercises ..... 17
Exercise 0: Download, setup and verify your WinDbg installation ..... 22
Exercise M1A ..... 35
Exercise M1B ..... 48
Exercise M2 ..... 60
Exercise M3 ..... 77
Exercise M4 ..... 130
Exercise M5 ..... 186
Exercise M6 ..... 210
Selected Q&A ..... 232
Appendix ..... 235
Malware Analysis Patterns ..... 237
Deviant Module ..... 237
Deviant Token ..... 244
Driver Device Collection ..... 245
Execution Residue ..... 246
Fake Module ..... 270
Hidden Module ..... 274
Hidden Process ..... 276
Hooksware ..... 278
Namespace ..... 279
No Component Symbols ..... 280
Out-of-Module Pointer ..... 283
Packed Code ..... 284
Patched Code ..... 287
Pre-Obfuscation Residue ..... 288
Raw Pointer ..... 289
RIP Stack Trace ..... 290
Self-Diagnosis (Kernel Mode) ..... 292
Stack Trace Collection ..... 293
Stack Trace Collection (I/O Requests) ..... 301
String Hint ..... 305
Unknown Module ..... 307
Raw Stack Dump of All Threads (Kernel Space) ..... 310
Complete Stack Traces from x64 System ..... 311
About the Author
Dmitry Vostokov is an internationally recognized expert, speaker, educator, scientist, and author. He is the founder of the pattern-oriented software diagnostics, forensics and prognostics discipline, and of Software Diagnostics Institute (DA+TA: DumpAnalysis.org + TraceAnalysis.org). Vostokov has also authored more than 30 books on software diagnostics, forensics and problem-solving, memory dump analysis, debugging, software log analysis, reverse engineering, and malware analysis. He has more than 20 years of experience in software architecture, design, development, and maintenance in a variety of industries, including leadership, technical and people management roles. Dmitry also founded DiaThings, Logtellect, OpenTask Iterative and Incremental Publishing (OpenTask.com), Software Diagnostics Services (formerly Memory Dump Analysis Services), PatternDiagnostics.com and Software Prognostics. In his spare time, he presents various topics on Debugging.TV and explores Software Narratology, an applied science of software stories that he pioneered, and its further development as Narratology of Things and Diagnostics of Things (DoT). His current area of interest is theoretical software diagnostics and its mathematical foundations.
Introduction