Practical Malware Analysis – Another Hit From No Starch Press
Malware analysis is an obsession for me. So when I heard that No Starch Press was coming out with a new book called Practical Malware Analysis (also available at Amazon), I had to pick it up. Having read several No Starch Press books, I was confident that the content of the book was going to be good. Once again, No Starch Press did not let me down.
The writers, Michael Sikorski and Andrew Honig, did an excellent job of starting off with the basics. They include a “Chapter 0,” called Malware Analysis Primer, before diving into the more in-depth concepts. From there, the book consists of six major parts, each comprising three to four chapters. The big bonus of this book, in my eyes, is the hands-on labs at the end of each chapter. These labs help solidify the concepts covered within the chapter.
For those who may be considering checking out the book, I thought I would include a brief description of each section here:
Part 1: Basic Analysis
The first part of the book covers basic malware analysis topics such as static versus dynamic analysis. This section also includes suggestions on how to set up a lab environment for malware analysis.
Part 2: Advanced Static Analysis
Part 2 begins with a crash course on x86 assembly, then jumps into a brief how-to for IDA Pro. The last two chapters of this section deal with recognizing C code constructs in assembly and offer the first look at analyzing a malicious Windows executable. By the way, if you want to get more intimate with IDA Pro, I highly recommend The IDA Pro Book, 2nd Edition from No Starch Press (also at Amazon).
Part 3: Advanced Dynamic Analysis
The three chapters in Part 3 cover what debugging is, the difference between kernel mode and user mode, and how to use both OllyDbg and WinDbg. I’m more of an Immunity Debugger kind of guy, but I found that most of the topics worked seamlessly with Immunity.
A quick aside on the subject of Immunity: there is a really wicked tool called FixPlugins that can convert OllyDbg plugins to Immunity-compatible plugins.
Part 4: Malware Functionality
In these four chapters, the writers go into detail on common malware behavior, how malware encodes data, and how to go about creating network-based signatures for detecting malware on the wire.
Part 5: Anti-Reverse-Engineering
This was one of my favorite sections. This section goes into great depth on how malware writers try to slow down the efforts of the malware analyst, and discusses how analysts can try to get around those efforts. Within Part 5, the authors address anti-disassembly, anti-debugging, VM detection, and executable packers. Linear and flow-oriented disassembly and their weaknesses are also covered within this section.
The book hits on all of the hip tricks, such as return pointer abuse, pairs of conditional jumps with the same target, checking for the presence of a debugger using structured exception handling, and checking the Process Environment Block for the BeingDebugged flag. The section ends by discussing how to deal with a packed executable, including how to identify the packer and how to unpack manually or automatically.
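To make the anti-disassembly point concrete, here is an added example (not code from the book or its authors) of the jz/jnz same-target trick from the paragraph above. It uses a constructed byte string and a toy decoder for a handful of x86 opcodes, not a real disassembler, so it runs offline: a linear sweep decodes the never-executed 0xE8 byte as a 5-byte call and swallows the real code; a flow-oriented sweep reaches the real code but reports two instructions overlapping the same bytes, which is the analyst's cue to NOP out the junk byte.

```python
"""Linear sweep vs. flow-oriented disassembly on a jz/jnz same-target trick.

Toy decoder for a handful of x86 opcodes (constructed here, not a real
disassembler) so the difference between the two strategies can be shown
offline on a byte string built inline.
"""
import struct

REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]


def decode(code, off):
    """Decode one instruction at `off`.

    Returns (length, text, kind, target); kind is one of
    'seq' (falls through), 'jcc', 'jmp', 'call', 'ret'.
    Unknown bytes decode as a 1-byte 'db'.
    """
    op = code[off]
    rest = len(code) - off
    if op == 0x90:
        return 1, "nop", "seq", None
    if op == 0xC3:
        return 1, "ret", "ret", None
    if op in (0x31, 0x33) and rest >= 2 and code[off + 1] == 0xC0:
        return 2, "xor eax, eax", "seq", None
    if op == 0x00 and rest >= 2 and code[off + 1] >> 6 == 3:  # add r/m8, r8 (register form only)
        modrm = code[off + 1]
        return 2, f"add {REG8[modrm & 7]}, {REG8[(modrm >> 3) & 7]}", "seq", None
    if op == 0xB8 and rest >= 5:
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return 5, f"mov eax, {imm:#x}", "seq", None
    if op in (0x74, 0x75, 0xEB) and rest >= 2:
        rel = struct.unpack_from("<b", code, off + 1)[0]
        target = off + 2 + rel
        mnem = {0x74: "jz", 0x75: "jnz", 0xEB: "jmp"}[op]
        return 2, f"{mnem} {target:#x}", ("jmp" if op == 0xEB else "jcc"), target
    if op == 0xE8 and rest >= 5:
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = off + 5 + rel
        return 5, f"call {target:#x}", "call", target
    return 1, f"db {op:#04x}", "seq", None


def linear_sweep(code):
    """Decode every byte in order, never following control flow."""
    listing, off = {}, 0
    while off < len(code):
        length, text, _, _ = decode(code, off)
        listing[off] = (length, text)
        off += length
    return listing


def flow_oriented(code, entry=0):
    """Recursive-descent decode: follow branch targets and fall-throughs."""
    listing, work = {}, [entry]
    while work:
        off = work.pop()
        if off in listing or not 0 <= off < len(code):
            continue
        length, text, kind, target = decode(code, off)
        listing[off] = (length, text)
        if kind in ("seq", "jcc", "call"):
            work.append(off + length)  # fall-through path
        if kind in ("jcc", "jmp", "call") and target is not None:
            work.append(target)        # branch target (skipped if outside the buffer)
    return dict(sorted(listing.items()))


def overlapping(listing):
    """Offsets of instructions whose bytes overlap another decoded instruction."""
    starts = sorted(listing)
    bad = set()
    for off in starts:
        length = listing[off][0]
        for other in starts:
            if off < other < off + length:
                bad.update((off, other))
    return bad


# Constructed sample, not from the book: xor sets ZF, so jz is always taken;
# the jnz has the same target, so the 0xE8 byte at offset 6 is never executed.
SAMPLE = bytes([
    0x33, 0xC0,                    # 0:  xor eax, eax
    0x74, 0x03,                    # 2:  jz  0x7
    0x75, 0x01,                    # 4:  jnz 0x7
    0xE8,                          # 6:  junk: opcode byte of a 5-byte call
    0xB8, 0x01, 0x00, 0x00, 0x00,  # 7:  mov eax, 1   (real code)
    0xC3,                          # 12: ret
])


def nop_out(code, off):
    """Analyst's fix: replace the junk opcode with a nop so both sweeps agree."""
    patched = bytearray(code)
    patched[off] = 0x90
    return bytes(patched)


if __name__ == "__main__":
    for name, listing in (("linear", linear_sweep(SAMPLE)),
                          ("flow", flow_oriented(SAMPLE)),
                          ("flow, patched", flow_oriented(nop_out(SAMPLE, 6)))):
        print(f"--- {name} ---")
        for off, (_, text) in listing.items():
            print(f"  {off:#04x}: {text}")
        print("  overlapping:", sorted(overlapping(listing)))
```

The linear listing never contains offset 7, so the `mov eax, 1` and `ret` simply vanish. The flow-oriented listing contains both the bogus `call` at offset 6 and the real `mov` at offset 7, and `overlapping` flags them; patching the junk byte to 0x90 makes both strategies produce the same clean listing, which is exactly the manual fix the chapter describes.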
Part 6: Special Topics
The last portion of the book includes chapters on shellcode analysis, C++ analysis and 64-bit malware. This section was one of the main reasons I picked up this book, as other malware books tend not to address these topics.
Personally, I was most interested in the C++ and 64-bit malware chapters. The C++ chapter goes into great detail about the differences between C++ and C and how they affect the assembly code. Topics include the “this” pointer, function overloading, inheritance, and, last but not least, virtual functions.
The last chapter, on 64-bit malware, examines the additional general-purpose registers, the renamed special-purpose registers, the calling convention, and how the stack is used. This chapter helps you get a start on understanding malware analysis on 64-bit systems.
Even the appendix of the book is great, as it is chock-full of useful resources, such as commonly used Windows functions, tools for malware analysis, and solutions for the labs at the end of each chapter.
With all of the great examples and labs, this book has earned its spot between my copies of the Malware Analyst’s Cookbook and The IDA Pro Book in my reference library. I highly recommend this book to anyone looking to get their feet wet in malware analysis or just looking for a good desktop reference on the subject.