You're reading from Windows APT Warfare Identify and prevent Windows APT attacks effectively

Product type Paperback

Published in Mar 2023

Publisher Packt

ISBN-13 9781804618110

Length 258 pages

Edition 1st Edition

Languages

C++

Tools

MiniGW

Concepts

Cybersecurity

Author (1):

Sheng-Hao Ma

View More author details

Table of Contents (17) Chapters

Preface

1. Part 1 – Modern Windows Compiler

2. Chapter 1: From Source to Binaries – The Journey of a C Program FREE CHAPTER

3. Chapter 2: Process Memory – File Mapping, PE Parser, tinyLinker, and Hollowing

4. Chapter 3: Dynamic API Calling – Thread, Process, and Environment Information

5. Part 2 – Windows Process Internals

6. Chapter 4: Shellcode Technique – Exported Function Parsing

7. Chapter 5: Application Loader Design

8. Chapter 6: PE Module Relocation

9. Part 3 – Abuse System Design and Red Team Tips

10. Chapter 7: PE to Shellcode – Transforming PE Files into Shellcode

11. Chapter 8: Software Packer Design

12. Chapter 9: Digital Signature – Authenticode Verification

13. Chapter 10: Reversing User Account Control and Bypassing Tricks

14. Index

Why subscribe?

15. Other Books You May Enjoy

Appendix – NTFS, Paths, and Symbols

Win32 and NT path specification

What is a software packer?

You can imagine a program packed by a software packer will be protected or compressed and wrapped in a shell so that its internal contents are not directly visible to analysts. As usual, we’ll use a memory distribution figure to give you a quick overview of how packing technology has been implemented. Figure 8.1 shows the distribution of msgbox.exe in the dynamic phase before (left side) and after (right side) the software was packed:

Figure 8.1 – Difference in memory before and after packing

The left-hand side of the figure shows the memory distribution of the msgbox.exe executable after file mapping, which we mentioned in Chapter 7. We can see that the current image base of the executable is mounted at 0x400000, and the entire PE module is allocated a total of 0x307A bytes in memory. The .text section, which holds the code, is currently placed at 0x401000 to 0x401FFF; the .data section, which holds the data, is...

The rest of the chapter is locked

You're reading from Windows APT Warfare Identify and prevent Windows APT attacks effectively

Table of Contents (17) Chapters

What is a software packer?

Authors (1)

Personalised recommendations for you

You're reading from Windows APT Warfare Identify and prevent Windows APT attacks effectively

Table of Contents (17) Chapters

What is a software packer?

Unlock this book and the full library FREE for 7 days

Authors (1)

Personalised recommendations for you