book

Evasive Malware

Name: Evasive Malware
Author: Kyle Cucci
ISBN: 9781718503267

by Kyle Cucci

September 2024

Intermediate to advanced

488 pages

13h 29m

English

No Starch Press

Read now

Unlock full access

Title Page
Copyright
About the Author and Technical Reviewer
Acknowledgments
Introduction
What Is Malware?What Is Malware Analysis?Why Does Malware Use Evasion?Why I Wrote This BookWho Should Read This BookHow This Book Is OrganizedMalware Samples for This Book
Part I: The Fundamentals
1. Windows Foundational Concepts
Windows Architecture OverviewUser and Kernel ModesProcesses and ThreadsObjects and HandlesThe Windows APIProcess InternalsEPROCESS StructuresProcess Environment BlocksThread Environment BlocksStacks and HeapsVirtual MemoryThe PE File FormatHeaders and SectionsImports and ExportsThe Windows PE Loading ProcessThe RegistrySummary
2. Malware Triage and Behavioral Analysis
The Analysis EnvironmentThe Malware Analysis ProcessInitial Malware TriageIdentifying the File TypeObtaining the File’s HashTriaging with VirusTotalQuerying Search Engines and Other ResourcesIdentifying and Classifying Unknown Malware with YaraAnalyzing Static PropertiesAutomated Malware Triage with SandboxesInteractive Behavioral AnalysisMonitoring Malware BehaviorsInspecting Malware Network TrafficSummary
3. Static and Dynamic Code Analysis
Introduction to Assembly CodeCPU Registersx64 and x86 InstructionsStatic Code AnalysisChoosing a DisassemblerAnalyzing with IDAAnalyzing with CAPADynamic Code AnalysisChoosing a DebuggerStarting a Debugging Session in x64dbgAnalyzing with x64dbgPatching and Modifying CodeTracing API Calls with API MonitorSummary
Part II: Context Awareness and Sandbox Evasion

4. Enumerating Operating System Artifacts
ProcessesDirectories and FilesShared FoldersThe RegistryServicesInstalled SoftwareMutexesPipesDevices and DriversUsernames and HostnamesLocale and Language SettingsOperating System Version InformationSummary
5. User Environment and Interaction Detection
Browser Cookies, Cache, and Browsing HistoryRecent Office FilesUser Files and DirectoriesDesktop WallpaperDesktop WindowsMouse and Keyboard InteractionSystem UptimeSummary
6. Enumerating Hardware and Network Configurations
Hardware and Device ConfigurationsCPURAMHard DisksMonitor ConfigurationsUSB ControllersFirmware TablesOther Hardware DevicesNetworking-Related ArtifactsIP Address ConfigurationsDomain ConfigurationsMAC Address ConfigurationsExternal IP Address and Internet ConnectivityTCP Connection StatesSummary
7. Runtime Environment and Virtual Processor Anomalies
Detecting Analysis and Runtime AnomaliesRun Paths, Filenames, and ArgumentsLoaded ModulesAnomalous Strings in MemoryHooked Functions and Acceleration ChecksUsing Performance and Timing IndicatorsThe rdtsc InstructionFunction Execution TimingPerformance CountersAbusing the Virtual ProcessorThe Red Pill and No Pill TechniquesIO PortsThe cpuid InstructionUnsupported Instruction SetsThe Trap Flag and Other TechniquesThe Risks of Using Detection TechniquesSummary
8. Evading Sandboxes and Disrupting Analysis
Self-TerminationDelayed ExecutionSleep Function CallsTimeoutsTime and Logic BombsDummy Code and Infinite LoopsForcing Reboots and LogoutsDecoys and NoiseAPI HammeringUnnecessary Process SpawningDecoy Network CommunicationAnti-hookingHook DetectionHook Removal (Unhooking)Hook CircumventionAnti-hooking ToolsetsCircumventing Sandbox AnalysisDisrupting Manual InvestigationHypervisor Exploits and VM EscapingEvasion CountermeasuresSummary
Part III: Anti-Reversing
9. Anti-Disassembly
Breaking DisassemblersControl Flow ObfuscationUnnecessary JumpsUnnecessary CodeControl Flow FlatteningOpaque PredicatesReturn Pointer AbuseSEH Handler AbuseFunction Pointer AbuseControl Flow Obfuscation CountermeasuresAPI Call and String ObfuscationDynamic API Function ResolutionJump Tables and Indirect API CallsStack StringsData HashingSummary
10. Anti-Debugging
Using Windows API Functions to Access the PEBIsDebuggerPresent and CheckRemoteDebuggerPresentNtQueryInformationProcessNtQuerySystemInformationOutputDebugStringCloseHandle and NtCloseNtQueryObjectHeap FlagsDirectly Accessing the PEBTiming ChecksSystem ArtifactsHunting for Debugger WindowsEnumerating Loaded ModulesSearching for Debugger ProcessesChecking Parent ProcessesBreakpoint Detection and TrapsDetecting Debuggers with BreakpointsDetecting and Circumventing Software BreakpointsDetecting and Circumventing Hardware and Memory BreakpointsUsing Memory Page Guards for Breakpoint DetectionUsing Breakpoint TrapsUnhandled ExceptionsChecksums, Section Hashing, and Self-HealingExploiting, Crashing, and Interfering with the DebuggerDebug Blocking and Anti-attach TechniquesOther Anti-debugging TechniquesCountering Anti-debugging TechniquesSummary
11. Covert Code Execution and Misdirection
Callback FunctionsTLS CallbacksStructured Exception HandlingVEH and 64-Bit SEHHidden ThreadsSummary
Part IV: Defense Evasion
12. Process Injection, Manipulation, and Hooking
Process InjectionRandom vs. Specific Target ProcessesShellcode InjectionDLL InjectionReflective DLL InjectionProcess HollowingThread HijackingAPC InjectionAtom BombingProcess Injection Wrap-upProcess Image ManipulationProcess HerpaderpingProcess DoppelgangingProcess Reimaging and GhostingDLL and Shim HijackingDLL HijackingShim HijackingHookingSetWindowsHookEx Hooking and InjectionInline HookingMitigations for Process and Hook InjectionSummary
13. Evading Endpoint and Network Defenses
An Endpoint Defense PrimerA Brief History of Endpoint Defense TechnologyAnti-malwareEndpoint Detection and ResponseIdentifying Endpoint DefensesActively Circumventing Endpoint DefensesDisabling Host DefensesAdding Anti-malware ExclusionsDisabling Other Security ControlsBlinding Defenses by UnhookingExploiting Vulnerabilities in Host Defense ToolingPassively Circumventing Endpoint DefensesCircumventing MonitoringCircumventing Signature-Based DetectionUsing Uncommon Programming LanguagesAbusing Certificate Trust and SigningAbusing Engine LimitationsMasquerading as a Safe FilePrivilege Elevation for Defense EvasionBypassing User Account ControlImpersonating and Manipulating Access TokensExtracting and Reusing CredentialsExploiting Vulnerabilities for Privilege ElevationCircumventing Network DefensesIntroducing Modern Network DefensesObfuscating and Obscuring Network TrafficConcealing Infrastructure Using GeofencingGenerating New Infrastructure Using DGAsExecuting the Fast-Flux TechniqueMultistage and Complex AttacksSummary
14. Introduction to Rootkits
Rootkit FundamentalsKernel Modules and DriversRootkit ComponentsRootkit InstallationBYOVD AttacksDirect Kernel Object Manipulation“Legacy” Kernel HookingSSDT HooksInline Kernel HooksIRP HooksIRP Interception by FilteringAbusing Kernel CallbacksBootkitsDefenses Against RootkitsSummary
15. Fileless, Living Off The Land, and Anti-Forensics Techniques
How Fileless Attacks WorkPersistence and Registry-Resident MalwareLiving Off The Land BinariesVBA Macro-Based MalwareSystem Binary Proxy ExecutionWindows Command Line and Other UtilitiesPowerShellDynamically Compiled CodeAnti-forensicsHiding Artifacts and CodeTampering with Logs and EvidenceDestroying the SystemSummary
16. Encoding and Encryption
Basic EncodingData HashingEncryption and DecryptionSymmetric and Asymmetric EncryptionWindows CryptoAPIWindows Cryptographic API: Next GenerationPractical Tips for Overcoming Encryption in MalwareLocating and Identifying Cryptographic RoutinesDecrypting Encrypted Malware DataSummary
17. Packers and Unpacking Malware
Types of PackersPacker Architecture and FunctionalityUnpacking the Malware PayloadResolving ImportsTransferring Execution to the OEPHow to Identify Packed MalwareViewing ImportsInspecting StringsCalculating the Entropy ValueChecking PE SectionsUsing Automated Packer DetectionAutomated UnpackingFully Automated UnpackingSandbox-Assisted UnpackingManual Dynamic UnpackingThe Quick-and-Dirty Option: Letting the Malware Do the WorkMemory Operation MonitoringProcess Injection MonitoringProcess Injection Tracing with API MonitorLibrary Loading and Address ResolutionOEP LocationUnpacked Malware ExtractionUnpacked Executable RepairGeneral Tips for Dynamic UnpackingHelpful Tools for Dynamic UnpackingManual Static UnpackingAnalyzing Without UnpackingAnti-unpacking TechniquesSummaryClosing Thoughts
A. Building an Anti-Evasion Analysis Lab
Lab ArchitectureThe Host MachineThe HypervisorVictim Windows VMsServices Windows VMsLinux VMsBuilding Your LabChoosing a HypervisorVerifying Hypervisor Network SettingsObtaining a Windows ImageCreating the Windows Victim VMTuning VM Settings for Concealment and IsolationInstalling Windows Malware Analysis ToolsInstalling VM ToolsInstalling and Configuring a Linux VMManually Installing Linux VM ToolsConfiguring and Verifying Network SettingsTaking and Restoring VM SnapshotsWindows Configurations for ConcealmentRegistry DataHostname and Domain NameAdditional Tips and TricksAdvanced VM and Hypervisor HardeningHardening VMwareHardening VirtualBoxStress-Testing Your VMTips for Operational Security and EffectivenessSimulating Network ServicesConcealing Your IPShared Folders and File TransferringUpdating SoftwareBare-Metal AnalysisBinary Instrumentation and EmulationSummary
B. Windows Functions Used for Evasion
C. Further Reading and Resources
Index

Overview

We’re all aware of Stuxnet, ShadowHammer, Sunburst, and similar attacks that use evasion to remain hidden while defending themselves from detection and analysis. Because advanced threats like these can adapt and, in some cases, self-destruct to evade detection, even the most seasoned investigators can use a little help with analysis now and then. Evasive Malware will introduce you to the evasion techniques used by today’s malicious software and show you how to defeat them.

Following a crash course on using static and dynamic code analysis to uncover malware’s true intentions, you’ll learn how malware weaponizes context awareness to detect and skirt virtual machines and sandboxes, plus the various tricks it uses to thwart analysis tools. You’ll explore the world of anti-reversing, from anti-disassembly methods and debugging interference to covert code execution and misdirection tactics. You’ll also delve into defense evasion, from process injection and rootkits to fileless malware. Finally, you’ll dissect encoding, encryption, and the complexities of malware obfuscators and packers to uncover the evil within.

You’ll learn how malware:

Abuses legitimate components of Windows, like the Windows API and LOLBins, to run undetected
Uses environmental quirks and context awareness, like CPU timing and hypervisor enumeration, to detect attempts at analysis
Bypasses network and endpoint defenses using passive circumvention techniques, like obfuscation and mutation, and active techniques, like unhooking and tampering
Detects debuggers and circumvents dynamic and static code analysis

You’ll also find tips for building a malware analysis lab and tuning it to better counter anti-analysis techniques in malware. Whether you’re a frontline defender, a forensic analyst, a detection engineer, or a researcher, Evasive Malware will arm you with the knowledge and skills you need to outmaneuver the stealthiest of today’s cyber adversaries.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098182236Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills