Practical Malware Analysis - A Book Review and Curmudgeonly Rant on the State of Reverse Engineering
Submitted by dannyquist on Mon, 2012-02-27 12:33. Malware
Recently I was asked to review a pre-publication copy of Mike Sikorski and Andrew Honig’s book “Practical Malware Analysis” from No Starch Press. I gave it an enthusiastic review, and I strongly believe this will become the de facto text for learning malware analysis in the future. This is a review of that book, and a short rant on reverse engineering.
Before getting into Practical Malware Analysis, I hope you will indulge me in a rant about other books on the reverse engineering topic: they are not pretty. If you’ve taken one of my classes, I recommend a few books for learning reversing, but climbing the steep mountain of prerequisite material before you can attempt to be somewhat proficient is daunting. Specifically, the books I recommended were based on each individual author’s own personal style of reverse engineering with the tools that were available at the time. The field has gotten much more accessible thanks to the awesome tools that are out there from companies like Hex-Rays and Zynamics.
Practical Malware Analysis does a good job of tying together the methods of modern malware analysis. While most of the previous texts have done a good job of presenting the state of the art at their time, PMA overviews many of the tools that are in use in the modern day. Part 1 starts off with the basic static techniques, how to set up a virtual environment, and dynamic analysis. These initial steps are the basis for any good reversing environment. What is nice is that these topics aren’t dwelled on for an entire book.
Part 2 goes over the relationships of the Intel architecture, IDA Pro, modern compilers, and the Windows operating system to reverse engineering. Having an understanding of this as it applies to the reversing process is extremely important. Outside implementing a compiler, learning the fundamentals of the architecture is the most important skill a reverser can have for understanding the field. The difference between an adequate reverser and a great reverser lies in the understanding of how the system interactions work.
The rest of the book is focused on the advanced topics of dynamic analysis. Part 5 deals with all the ways that malware authors can make your life miserable, from anti-disassembly to packers. Part 6, “Special Topics,” talks about shellcode analysis, C++ specifics, and the ever-looming threat of 64-bit malware. I suspect that there will be a second edition once 64-bit malware comes in vogue.
Overall, the book is excellent for those that are new to this field. Experts love to curmudgeonly talk about how nothing is new anymore and everything sucks, and to pine for the good old days of reverse engineering with some wire-wrap, a lead pencil, a 9-volt Duracell, and a single LED. If you consider yourself one of these people, reading this book is going to feel a lot like wearing someone else’s underwear. If, on the other hand, you read it and put aside your natural skepticism of all things new, you might learn something.
I really do like this book.
Edit 3/4/2012: I have no financial interest in the book. The only thing I received was a reviewer's copy. This was not sponsored or paid for in any way by the authors or publishers.
Edit 2/13/2013: There has been a translation of this review into Serbo-Croatian by Joanna Milutinovich.
Source code for Fragus Crimepack - a recent variant of the crimepack sold for $800 USD... The archive has everything you need to build it!
RAR Password: "infected" (without quotes)
I work for a research organization, and I'm looking into the ability to use machine learning techniques to learn safe vs. malicious PDF documents. In order to do this, I need massive quantities of both. I've been able to find 32 malicious PDFs on this website, and was able to crawl the web for 1600 likely safe PDF documents. Does anyone know of some good sources for such things? Thank you.
Last week I gave a talk at the CAST forum about hunting malware with Volatility 2.0. In 40 slides I introduce the main features of this powerful forensic framework. All memory dumps being discussed are snapshots from machines infected with modern malware and rootkits.
The Introduction to IDA Python document by Ero Carrera is one of the better documents on scripting the IDA Pro platform available. After talking with Ero directly, I have received permission to host the PDF directly on Offensive Computing to make it available long-term. Enjoy.
Trying to get a new set of rogue samples. I have numerous malware samples on my websites in the zip files orden2 and orden:
I request some good samples that are not damaged, but I also have good samples myself. There are no samples required. I tried to upload my multi-trojan pack application. In one exe file there were 6 trojans, but it was too big to send up.
Can someone lend me a site to get a good rogue sample? Leave the site in the comments section on the page above.
Just in case you missed my forensic analysis contributions for the CSI:Internet series on h-online.com...
CSI:Internet - A trip into RAM
CSI:Internet - Open heart surgery
Here is a Windows driver I developed that I presented at Blackhat this year. Enjoy.
Hades is a tool for dynamic application analysis on Microsoft Windows-based systems. It has function hooking capabilities similar to those of Microsoft Detours and WinAPIOverride (WAO), and it can also function as a debugger. It was developed to allow analysis of malware binaries that were able to detect Detours and WAO.
Today we added our three millionth sample to the Offensive Computing malware corpus. While three million pales in comparison to the total malware out there, we still have the largest openly available collection on the open Internet.
The story of this site has had its ups and downs, and on multiple occasions it was on the brink of shutting down. Every time I heard from someone at a conference, or saw mention of the site in presentations or papers, it helped to keep us up and running. The resources needed to keep things moving have been interesting to deal with. Our commercial services have supported the ongoing maintenance of running a free malware archive.
Some changes are coming to the site Real Soon Now (TM) and I think now is a good time to share them with you. First, the storage and catalog software we have been running on has been sluggish for a long time. I'm about 80% through a rewrite of the underlying malware processing system that should get us to the next order of magnitude without problems. We have made some key partnerships with other open malware resources and we are beginning to put those into service soon. Second, our Reverse Engineering training is getting a massive rewrite. Currently we only do on-site offerings, but we are investigating the possibility of hosting at a more public general venue. Finally, the blog that you see here will be undergoing some changes.
Thank you to all of our customers, users, and supporters. Without you Offensive Computing would not be up and running today. Watch for more news coming soon.
Founder, Offensive Computing, LLC.
Vejovis is a project that was started to develop a user-mode memory scanning tool, "MeMMoN - A Process Memory Scanning Tool". It scans the memory of all the processes in the system. It can be downloaded from the link below.