Subscription

Explore Products

Best Sellers

New Releases

Books

Videos

Audiobooks

Learning Hub

Conferences

Free Learning

You're reading from Mastering Malware Analysis The complete malware analyst's guide to combating malicious software, APT, cybercrime, and IoT attacks

Product type Paperback

Published in Jun 2019

Publisher Packt

ISBN-13 9781789610789

Length 562 pages

Edition 1st Edition

Languages

Python

Concepts

Malware Analysis

Authors (2):

Alexey Kleymenov

Amr Thabet

View More author details

Table of Contents (18) Chapters

Preface

1. Section 1: Fundamental Theory FREE CHAPTER

2. A Crash Course in CISC/RISC and Programming Basics

3. Section 2: Diving Deep into Windows Malware

4. Basic Static and Dynamic Analysis for x86/x64

5. Unpacking, Decryption, and Deobfuscation

6. Inspecting Process Injection and API Hooking

7. Bypassing Anti-Reverse Engineering Techniques

8. Understanding Kernel-Mode Rootkits

9. Section 3: Examining Cross-Platform Malware

10. Handling Exploits and Shellcode

11. Reversing Bytecode Languages: .NET, Java, and More

12. Scripts and Macros: Reversing, Deobfuscation, and Debugging

13. Section 4: Looking into IoT and Other Platforms

14. Dissecting Linux and IoT Malware

15. Introduction to macOS and iOS Threats

16. Analyzing Android Malware Samples

17. Other Books You May Enjoy

Leave a review - let other readers know what you think

Executing the inject code using APC queuing

Asynchronous Procedure Call (APC) is a function that gets executed asynchronously in the context of another thread. When a thread enters an alertable state (that is, when it executes the SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, or WaitForSingleObjectEx APIs) and before it gets resumed, all the queued user-mode APC functions and kernel-mode APC functions are executed in the context of that thread, allowing the malware to execute user-mode code inside that process before returning control back to it.

For a malware sample to queue an APC function, it needs to perform the following steps:

Get the ETHREAD object of the thread it wants to queue an APC function by providing its Thread ID (TID). This can be done by using the PsLookupThreadByThreadId API.
Attach the user-mode function to this thread using the KeInitializeApc API.

Add this function to the queue of the APC functions to be executed in this...

The rest of the chapter is locked

A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Start free trial

Renews at €18.99/month. Cancel anytime

Authors (2)

Alexey Kleymenov

Alexey Kleymenov started working in the information security industry in his second year at university and now has more than 14 years of practical experience at several international cybersecurity companies. He is a malware analyst and software developer who is passionate about reverse engineering, automation, and research. Alexey has taken part in numerous investigations analyzing all types of malicious samples, has developed various systems to perform threat intelligence activities in the IT, OT, and IoT sectors, and has authored several patents. Alexey is a member of the (ISC)² organization and holds the CISSP certification. Finally, he is a founder of the RE and More project, teaching people all over the world how to perform malware analysis in the most efficient way.

See other products by Alexey Kleymenov

Amr Thabet

Amr Thabet is a malware researcher and an incident handler with over 10 years of experience. He has worked in several Fortune 500 companies, including Symantec and Tenable. Currently, he is the founder of MalTrak, providing real-world in-depth training in malware analysis, incident response, threat hunting, and red teaming to help the next generation of cybersecurity enthusiasts to build their careers in cybersecurity. Amr is also a speaker and trainer at some of the top security conferences all around the world, including Blackhat, DEFCON, Hack In Paris, and VB Conference. He was also featured in Christian Science Monitor for his work on Stuxnet.

See other products by Amr Thabet