Accelerated Windows Malware Analysis with Memory Dumps(2nd) 无水印pdf.pdf-资料库

d41e581f-eb53-4434-b802-a75e049497de.pdf-第1页.png

第1页 / 共312页

d41e581f-eb53-4434-b802-a75e049497de.pdf-第2页.png

第2页 / 共312页

d41e581f-eb53-4434-b802-a75e049497de.pdf-第3页.png

第3页 / 共312页

d41e581f-eb53-4434-b802-a75e049497de.pdf-第4页.png

第4页 / 共312页

d41e581f-eb53-4434-b802-a75e049497de.pdf-第5页.png

第5页 / 共312页

d41e581f-eb53-4434-b802-a75e049497de.pdf-第6页.png

第6页 / 共312页

d41e581f-eb53-4434-b802-a75e049497de.pdf-第7页.png

第7页 / 共312页

d41e581f-eb53-4434-b802-a75e049497de.pdf-第8页.png

第8页 / 共312页

Published by OpenTask, Republic of Ireland Copyright © 2017 by OpenTask Copyright © 2017 by Software Diagnostics Services Copyright © 2017 by Dmitry Vostokov All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior written permission of the publisher. You must not circulate this book in any other binding or cover, and you must impose the same condition on any acquirer. Product and company names mentioned in this book may be trademarks of their owners. OpenTask books and magazines are available through booksellers and distributors worldwide. For further information or comments send requests to press@opentask.com. A CIP catalog record for this book is available from the British Library. ISBN-l3: 978-1-908043-86-3 (Paperback) Revision 2.01 (October 2017) 2

Contents About the Author .............................................................................................................................................................. 5 Introduction ...................................................................................................................................................................... 7 Practice Exercises ........................................................................................................................................................... 17 Exercise 0: Download, setup and verify your WinDbg installation ............................................................................ 22 Exercise M1A .............................................................................................................................................................. 35 Exercise M1B .............................................................................................................................................................. 48 Exercise M2 ................................................................................................................................................................. 60 Exercise M3 ................................................................................................................................................................. 77 Exercise M4 ............................................................................................................................................................... 130 Exercise M5 ............................................................................................................................................................... 186 Exercise M6 ............................................................................................................................................................... 210 Selected Q&A ................................................................................................................................................................ 232 Appendix ....................................................................................................................................................................... 235 Malware Analysis Patterns ....................................................................................................................................... 237 Deviant Module .................................................................................................................................................... 237 Deviant Token ....................................................................................................................................................... 244 Driver Device Collection ....................................................................................................................................... 245 Execution Residue ................................................................................................................................................ 246 Fake Module ......................................................................................................................................................... 270 Hidden Module ..................................................................................................................................................... 274 Hidden Process ..................................................................................................................................................... 276 Hooksware ............................................................................................................................................................ 278 Namespace ........................................................................................................................................................... 279 No Component Symbols ....................................................................................................................................... 280 Out-of-Module Pointer ......................................................................................................................................... 283 Packed Code ......................................................................................................................................................... 284 Patched Code ........................................................................................................................................................ 287 Pre-Obfuscation Residue ...................................................................................................................................... 288 Raw Pointer .......................................................................................................................................................... 289 RIP Stack Trace ..................................................................................................................................................... 290 Self-Diagnosis (Kernel Mode) ............................................................................................................................... 292 Stack Trace Collection .......................................................................................................................................... 293 Stack Trace Collection (I/O Requests) .................................................................................................................. 301 3

String Hint ............................................................................................................................................................. 305 Unknown Module ................................................................................................................................................. 307 Raw Stack Dump of All Threads (Kernel Space) ........................................................................................................ 310 Complete Stack Traces from x64 System ................................................................................................................. 311 4

About the Author 5

Dmitry Vostokov is an internationally recognized expert, speaker, educator, scientist, and author. He is the founder of pattern-oriented forensics and prognostics discipline, and software diagnostics, Software Diagnostics (DA+TA: DumpAnalysis.org + TraceAnalysis.org). Vostokov has also authored more than 30 books on software diagnostics, forensics and problem-solving, memory dump analysis, debugging, software log analysis, reverse engineering, and malware analysis. He has more than 20 years of experience in software architecture, design, development, and maintenance in a variety of industries including leadership, technical and people management roles. Dmitry also founded DiaThings, Logtellect, OpenTask Iterative and Incremental Publishing (OpenTask.com), Software Diagnostics Services (former Memory Dump Analysis Services) PatternDiagnostics.com and Software Prognostics. In his spare time, he presents various topics on Debugging.TV and explores Software Narratology, an applied science of software stories that he pioneered, and its further development as Narratology of Things and Diagnostics of Things (DoT). His current area of interest is theoretical software diagnostics and its mathematical foundations. trace and Institute 6

Introduction 7

资料库

Accelerated Windows Malware Analysis with Memory Dumps(2nd) 无水印pdf.pdf

相关推荐

开发技术

热门标签

最新资料