You're reading from Malware Analysis Techniques Tricks for the triage of adversarial software

Product type Paperback

Published in Jun 2021

Publisher Packt

ISBN-13 9781839212277

Length 282 pages

Edition 1st Edition

Languages

Python

Tools

VMware Server

Concepts

Malware Analysis

Author (1):

Dylan Barker

View More author details

Table of Contents (17) Chapters

Preface

1. Section 1: Basic Techniques

2. Chapter 1: Creating and Maintaining your Detonation Environment FREE CHAPTER

3. Chapter 2: Static Analysis – Techniques and Tooling

4. Chapter 3: Dynamic Analysis – Techniques and Tooling

5. Chapter 4: A Word on Automated Sandboxing

6. Section 2: Debugging and Anti-Analysis – Going Deep

7. Chapter 5: Advanced Static Analysis – Out of the White Noise

8. Chapter 6: Advanced Dynamic Analysis – Looking at Explosions

9. Chapter 7: Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill

10. Chapter 8: De-Obfuscating Malicious Scripts: Putting the Toothpaste Back in the Tube

11. Section 3: Reporting and Weaponizing Your Findings

12. Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense

13. Chapter 10: Malicious Functionality: Mapping Your Sample to MITRE ATT&CK

14. Section 4: Challenge Solutions

15. Chapter 11: Challenge Solutions

16. Other Books You May Enjoy

Hiding in plain sight

Malicious processes are often obvious and stand out to experienced malware analysts or to anyone who has a familiarity with which process(es) should be running on a standard Windows installation.

As with anything in analysis and prevention, this is a bit of an arms race with the adversaries responsible for writing malicious code. A common set of techniques utilized by malware authors falls under the category of process injection.

Adversaries can employ a number of techniques in order to accomplish process injection, including spawning new processes in a suspended state, allocating memory within them, and then writing malicious code into this created memory space (process hollowing), or injecting a thread into an existing process.

Some of these techniques can be inferred by the presence of certain API calls within the binary, as outlined in Chapter 6, Advanced Dynamic Analysis – Looking at Explosions. The API calls are listed here: