
Practical Malware Analysis - A Book Review and Curmudgeonly Rant on the State of Reverse Engineering

Recently I was asked to review a pre-publication copy of Mike Sikorski and Andrew Honig’s book “Practical Malware Analysis” from No Starch Press. I gave it an enthusiastic review, and I strongly believe it will become the de facto text for learning malware analysis. This is a review of that book, and a short rant on reverse engineering.

Before getting into Practical Malware Analysis, I hope you will indulge me in a rant about other books on the reverse engineering topic: they are not pretty. If you’ve taken one of my classes, I recommend a few books for learning reversing, but climbing the steep mountain of prerequisite material before you can attempt to be somewhat proficient is daunting. Specifically, the books I recommended were based on each individual author’s own personal style of reverse engineering with the tools that were available at the time. The field has gotten much more accessible thanks to the awesome tools that are out there from companies like Hex-Rays and Zynamics.

Practical Malware Analysis does a good job of tying together the methods of modern malware analysis. While most of the previous texts have done a good job of presenting the state of the art at their time, PMA overviews many of the tools that are in use in the modern day. Part 1 starts off with the basic static techniques, how to set up a virtual environment, and dynamic analysis. These initial steps are the basis for any good reversing environment. What is nice is that these topics aren’t dwelled on for an entire book.

Part 2 goes over how the Intel architecture, IDA Pro, modern compilers, and the Windows operating system relate to reverse engineering. Understanding this as it applies to the reversing process is extremely important. Outside of implementing a compiler, learning the fundamentals of the architecture is the most important skill a reverser can have for understanding the field. The difference between an adequate reverser and a great reverser lies in understanding how the system interactions work.

The rest of the book is focused on the advanced topics of dynamic analysis. Part 5 deals with all the ways that malware authors can make your life miserable, from anti-disassembly to packers. Part 6, “Special Topics,” talks about shellcode analysis, C++ specifics, and the ever-looming threat of 64-bit malware. I suspect that there will be a second edition once 64-bit malware comes into vogue.

Overall, the book is excellent for those who are new to this field. Experts love to grumble curmudgeonly about how nothing is new anymore and everything sucks, and to pine for the good old days of reverse engineering with some wire-wrap, a lead pencil, a 9-volt Duracell, and a single LED. If you consider yourself one of these people, reading this book is going to feel a lot like wearing someone else’s underwear. If, on the other hand, you read it and put aside your natural skepticism of all things new, you might learn something.

I really do like this book.

Edit 3/4/2012: I have no financial interest in the book. The only thing I received was a reviewer's copy. This was not sponsored or paid for in any way by the authors or publishers.
Edit 2/13/2013: There is a Serbo-Croatian translation of this review by Joanna Milutinovich.

Nice review Danny, Thanks.
It's notable that this book is available for download as an ebook, but to support and acknowledge the authors, it's recommended to buy this book.

+1

I got asked to review too and I agree it is a good book. I will paste my review below. I also do not benefit financially from the book and do not know the authors personally.
-------------

I think it is hands down the best book for anyone who is interested in learning malicious file analysis and reverse engineering of malicious code. If you are a beginner, the book starts with baby steps, explaining what you can do, how you should do it, and what exactly you should be looking at, in plain, easy-to-understand language. The book is the next best thing to private tutoring by the gurus, guiding you every step of the way while sharing their experience, secrets, and collection of shortcuts that you cannot find anywhere else.

Every theoretical part is concise and contains only the information you need to do the analysis. All other techniques are tailored towards practical analysis: finding as much meaningful information as possible about malicious files and being able to interpret and understand it.

By the end of Part 1, you will go from zero to being able to do basic analysis and knowing what to do to become better. This is a big advantage of this book over many others: it paves the way to becoming a malware analyst, from beginner to advanced. By the end of the book, you will reach a very respectable level, especially if you follow it with a highlighter and do all the exercises instead of skipping them. The book's website offers samples for analysis, along with a detailed answers section for review after you finish.

There are six parts, each more advanced than the previous one. If you are a seasoned reverse engineer, you can dive into the sections that suit your skills. However, I suggest at least looking through the basic sections, because I found very interesting tidbits of information even in those sections I thought I knew well.

You will find these topics covered (including but not limited to):

Part 1
Ch.1 - Basic Analysis: Strings, Unpacking, DLLs and how to analyze them, Dependencies, Functions/Function calls (which are interesting for you), PE file structure
Ch.2 - Preparing VMs for analysis
Ch.3 - Faking a network, Wireshark and INetSim, Sysinternals tools

Part 2
Ch.4 - Crash course in x86 disassembly
Ch.5 - IDA Pro (how to use)
Ch.6 - C-code constructs in assembly
Ch.7 - Windows API, Registry, Threads, Services, Processes, COM objects, etc.

Part 3
Ch.8 - Debuggers: how to use, techniques, shellcode analysis
Ch.9 - OllyDbg
Ch.10 - WinDbg, Rootkit analysis

Part 4
Ch.11 - Different malware functionality: botnets, RATs, Trojans, backdoors, Reverse shell, keyloggers, Persistence mechanisms, DLL load-order hijacking, Privilege escalation, User-mode rootkits
Ch.12 - Covert malware launching: process injection, process replacement, hook injection, Detours, APC injection, etc.
Ch.13 - Encoding: Simple Ciphers, XOR and other schemes, Common cryptographic algorithms, Custom encoding, Decoding
Ch.14 - Malware-focused network signatures: Malware network signatures, Network countermeasures, crash mini-course on Snort signatures, tracking attackers, Understanding the attacker's perspective and more

Part 5
Ch.15 - Anti-Disassembly: Anti-Disassembly Algorithms, Techniques, Thwarting Stack-Frame Analysis
Ch.16 - Anti-Debugging
Ch.17 - Anti-Virtual Machine Techniques
Ch.18 - Packers and Unpacking: various packers and techniques

Part 6
Ch.19 - Shellcode analysis
Ch.20 - C++ Analysis
Ch.21 - 64-bit malware

Appendix
Important Windows Functions
Tools for Malware analysis

As you see, all the attention is given to file analysis. Compare this to another excellent book, Malware Analyst's Cookbook (M. Ligh, S. Adair, B. Hartstein, M. Richard), which covers topics like honeypots, ClamAV, Yara, AV scanners, Automation, Malware Labs, Volatility and Memory analysis of various malware, Forensics, and also malicious file analysis. You really need both books, as they cover different areas of combating malware. There is not a lot of overlap, and the topics are covered from different angles, using different approaches. Practical Malware Analysis will teach you how to rip malicious files apart and takes you through the process step by step. I recommend it.

Mila
http://contagiodump.blogspot.com