Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
  • Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
  • Written by Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard
  • Published by John Wiley & Sons, November 1, 2010
  • A computer forensics "how-to" for fighting malicious code and analyzing incidents. With our ever-increasing reliance on computers comes an ever-growing risk of malware. Security professionals will find plenty of solutions in this book to the problems
Introduction.

On The Book's DVD.

1 Anonymizing Your Activities.

Recipe 1-1: Anonymous Web Browsing with Tor.

Recipe 1-2: Wrapping Wget and Network Clients with Torsocks.

Recipe 1-3: Multi-platform Tor-enabled Downloader in Python.

Recipe 1-4: Forwarding Traffic through Open Proxies.

Recipe 1-5: Using SSH Tunnels to Proxy Connections.

Recipe 1-6: Privacy-enhanced Web browsing with Privoxy.

Recipe 1-7: Anonymous Surfing with Anonymouse.org.

Recipe 1-8: Internet Access through Cellular Networks.

Recipe 1-9: Using VPNs with Anonymizer Universal.

2 Honeypots.

Recipe 2-1: Collecting Malware Samples with Nepenthes.

Recipe 2-2: Real-Time Attack Monitoring with IRC Logging.

Recipe 2-3: Accepting Nepenthes Submissions over HTTP with Python.

Recipe 2-4: Collecting Malware Samples with Dionaea.

Recipe 2-5: Accepting Dionaea Submissions over HTTP with Python.

Recipe 2-6: Real-time Event Notification and Binary Sharing with XMPP.

Recipe 2-7: Analyzing and Replaying Attacks Logged by Dionaea.

Recipe 2-8: Passive Identification of Remote Systems with p0f.

Recipe 2-9: Graphing Dionaea Attack Patterns with SQLite and Gnuplot.

3 Malware Classification.

Recipe 3-1: Examining Existing ClamAV Signatures.

Recipe 3-2: Creating a Custom ClamAV Database.

Recipe 3-3: Converting ClamAV Signatures to YARA.

Recipe 3-4: Identifying Packers with YARA and PEiD.

Recipe 3-5: Detecting Malware Capabilities with YARA.

Recipe 3-6: File Type Identification and Hashing in Python.

Recipe 3-7: Writing a Multiple-AV Scanner in Python.

Recipe 3-8: Detecting Malicious PE Files in Python.

Recipe 3-9: Finding Similar Malware with ssdeep.

Recipe 3-10: Detecting Self-modifying Code with ssdeep.

Recipe 3-11: Comparing Binaries with IDA and BinDiff.

4 Sandboxes and Multi-AV Scanners.

Recipe 4-1: Scanning Files with VirusTotal.

Recipe 4-2: Scanning Files with Jotti.

Recipe 4-3: Scanning Files with NoVirusThanks.

Recipe 4-4: Database-Enabled Multi-AV Uploader in Python.

Recipe 4-5: Analyzing Malware with ThreatExpert.

Recipe 4-6: Analyzing Malware with CWSandbox.

Recipe 4-7: Analyzing Malware with Anubis.

Recipe 4-8: Writing AutoIT Scripts for Joebox.

Recipe 4-9: Defeating Path-dependent Malware with Joebox.

Recipe 4-10: Defeating Process-dependent DLLs with Joebox.

Recipe 4-11: Setting an Active HTTP Proxy with Joebox.

Recipe 4-12: Scanning for Artifacts with Sandbox Results.

5 Researching Domains and IP Addresses.

Recipe 5-1: Researching Domains with WHOIS.

Recipe 5-2: Resolving DNS Hostnames.

Recipe 5-3: Obtaining IP WHOIS Records.

Recipe 5-4: Querying Passive DNS with BFK.

Recipe 5-5: Checking DNS Records with Robtex.

Recipe 5-6: Performing a Reverse IP Search with DomainTools.

Recipe 5-7: Initiating Zone Transfers with dig.

Recipe 5-8: Brute-forcing Subdomains with dnsmap.

Recipe 5-9: Mapping IP Addresses to ASNs via Shadowserver.

Recipe 5-10: Checking IP Reputation with RBLs.

Recipe 5-11: Detecting Fast Flux with Passive DNS and TTLs.

Recipe 5-12: Tracking Fast Flux Domains.

Recipe 5-13: Static Maps with Maxmind, matplotlib, and pygeoip.

Recipe 5-14: Interactive Maps with Google Charts API.

6 Documents, Shellcode, and URLs.

Recipe 6-1: Analyzing JavaScript with Spidermonkey.

Recipe 6-2: Automatically Decoding JavaScript with Jsunpack.

Recipe 6-3: Optimizing Jsunpack-n Decodings for Speed and Completeness.

Recipe 6-4: Triggering Exploits by Emulating Browser DOM Elements.

Recipe 6-5: Extracting JavaScript from PDF Files with pdf.py.

Recipe 6-6: Triggering Exploits by Faking PDF Software Versions.

Recipe 6-7: Leveraging Didier Stevens's PDF Tools.

Recipe 6-8: Determining which Vulnerabilities a PDF File Exploits.

Recipe 6-9: Disassembling Shellcode with DiStorm.

Recipe 6-10: Emulating Shellcode with Libemu.

Recipe 6-11: Analyzing Microsoft Office Files with OfficeMalScanner.

Recipe 6-12: Debugging Office Shellcode with DisView and MalHost-setup.

Recipe 6-13: Extracting HTTP Files from Packet Captures with Jsunpack.

Recipe 6-14: Graphing URL Relationships with Jsunpack.

7 Malware Labs.

Recipe 7-1: Routing TCP/IP Connections in Your Lab.

Recipe 7-2: Capturing and Analyzing Network Traffic.

Recipe 7-3: Simulating the Internet with INetSim.

Recipe 7-4: Manipulating HTTP/HTTPS with Burp Suite.

Recipe 7-5: Using Joe Stewart's Truman.

Recipe 7-6: Preserving Physical Systems with Deep Freeze.

Recipe 7-7: Cloning and Imaging Disks with FOG.

Recipe 7-8: Automating FOG Tasks with the MySQL Database.

8 Automation.

Recipe 8-1: Automated Malware Analysis with VirtualBox.

Recipe 8-2: Working with VirtualBox Disk and Memory Images.

Recipe 8-3: Automated Malware Analysis with VMware.

Recipe 8-4: Capturing Packets with TShark via Python.

Recipe 8-5: Collecting Network Logs with INetSim via Python.

Recipe 8-6: Analyzing Memory Dumps with Volatility.

Recipe 8-7: Putting all the Sandbox Pieces Together.

Recipe 8-8: Automated Analysis with ZeroWine and QEMU.

Recipe 8-9: Automated Analysis with Sandboxie and Buster.

9 Dynamic Analysis.

Recipe 9-1: Logging API calls with Process Monitor.

Recipe 9-2: Change Detection with Regshot.

Recipe 9-3: Receiving File System Change Notifications.

Recipe 9-4: Receiving Registry Change Notifications.

Recipe 9-5: Handle Table Diffing.

Recipe 9-6: Exploring Code Injection with HandleDiff.

Recipe 9-7: Watching Bankpatch.C Disable Windows File Protection.

Recipe 9-8: Building an API Monitor with Microsoft Detours.

Recipe 9-9: Following Child Processes with Your API Monitor.

Recipe 9-10: Capturing Process, Thread, and Image Load Events.

Recipe 9-11: Preventing Processes from Terminating.

Recipe 9-12: Preventing Malware from Deleting Files.

Recipe 9-13: Preventing Drivers from Loading.

Recipe 9-14: Using the Data Preservation Module.

Recipe 9-15: Creating a Custom Command Shell with ReactOS.

10 Malware Forensics.

Recipe 10-1: Discovering Alternate Data Streams with TSK.

Recipe 10-2: Detecting Hidden Files and Directories with TSK.

Recipe 10-3: Finding Hidden Registry Data with Microsoft's Offline API.

Recipe 10-4: Bypassing Poison Ivy's Locked Files.

Recipe 10-5: Bypassing Conficker's File System ACL Restrictions.

Recipe 10-6: Scanning for Rootkits with GMER.

Recipe 10-7: Detecting HTML Injection by Inspecting IE's DOM.

Recipe 10-8: Registry Forensics with RegRipper Plug-ins.

Recipe 10-9: Detecting Rogue-Installed PKI Certificates.

Recipe 10-10: Examining Malware that Leaks Data into the Registry.

11 Debugging Malware.

Recipe 11-1: Opening and Attaching to Processes.

Recipe 11-2: Configuring a JIT Debugger for Shellcode Analysis.

Recipe 11-3: Getting Familiar with the Debugger GUI.

Recipe 11-4: Exploring Process Memory and Resources.

Recipe 11-5: Controlling Program Execution.

Recipe 11-6: Setting and Catching Breakpoints.

Recipe 11-7: Using Conditional Log Breakpoints.

Recipe 11-8: Debugging with Python Scripts and PyCommands.

Recipe 11-9: Detecting Shellcode in Binary Files.

Recipe 11-10: Investigating Silentbanker's API Hooks.

Recipe 11-11: Manipulating Process Memory with WinAppDbg Tools.

Recipe 11-12: Designing a Python API Monitor with WinAppDbg.

12 De-Obfuscation.

Recipe 12-1: Reversing XOR Algorithms in Python.

Recipe 12-2: Detecting XOR Encoded Data with yaratize.

Recipe 12-3: Decoding Base64 with Special Alphabets.

Recipe 12-4: Isolating Encrypted Data in Packet Captures.

Recipe 12-5: Finding Crypto with SnD Reverser Tool, FindCrypt, and Kanal.

Recipe 12-6: Porting OpenSSL Symbols with Zynamics BinDiff.

Recipe 12-7: Decrypting Data in Python with PyCrypto.

Recipe 12-8: Finding OEP in Packed Malware.

Recipe 12-9: Dumping Process Memory with LordPE.

Recipe 12-10: Rebuilding Import Tables with ImpREC.

Recipe 12-11: Cracking Domain Generation Algorithms.

Recipe 12-12: Decoding Strings with x86emu and Python.

13 Working with DLLs.

Recipe 13-1: Enumerating DLL Exports.

Recipe 13-2: Executing DLLs with rundll32.exe.

Recipe 13-3: Bypassing Host Process Restrictions.

Recipe 13-4: Calling DLL Exports Remotely with rundll32ex.

Recipe 13-5: Debugging DLLs with LOADDLL.EXE.

Recipe 13-6: Catching Breakpoints on DLL Entry Points.

Recipe 13-7: Executing DLLs as a Windows Service.

Recipe 13-8: Converting DLLs to Standalone Executables.

14 Kernel Debugging.

Recipe 14-1: Local Debugging with LiveKd.

Recipe 14-2: Enabling the Kernel’s Debug Boot Switch.

Recipe 14-3: Debug a VMware Workstation Guest (on Windows).

Recipe 14-4: Debug a Parallels Guest (on Mac OS X).

Recipe 14-5: Introduction to WinDbg Commands and Controls.

Recipe 14-6: Exploring Processes and Process Contexts.

Recipe 14-7: Exploring Kernel Memory.

Recipe 14-8: Catching Breakpoints on Driver Load.

Recipe 14-9: Unpacking Drivers to OEP.

Recipe 14-10: Dumping and Rebuilding Drivers.

Recipe 14-11: Detecting Rootkits with WinDbg Scripts.

Recipe 14-12: Kernel Debugging with IDA Pro.

15 Memory Forensics with Volatility.

Recipe 15-1: Dumping Memory with MoonSols Windows Memory Toolkit.

Recipe 15-2: Remote, Read-only Memory Acquisition with F-Response.

Recipe 15-3: Accessing Virtual Machine Memory Files.

Recipe 15-4: Volatility in a Nutshell.

Recipe 15-5: Investigating Processes in Memory Dumps.

Recipe 15-6: Detecting DKOM Attacks with psscan.

Recipe 15-7: Exploring csrss.exe’s Alternate Process Listings.

Recipe 15-8: Recognizing Process Context Tricks.

16 Memory Forensics: Code Injection and Extraction.

Recipe 16-1: Hunting Suspicious Loaded DLLs.

Recipe 16-2: Detecting Unlinked DLLs with ldr_modules.

Recipe 16-3: Exploring Virtual Address Descriptors (VAD).

Recipe 16-4: Translating Page Protections.

Recipe 16-5: Finding Artifacts in Process Memory.

Recipe 16-6: Identifying Injected Code with Malfind and YARA.

Recipe 16-7: Rebuilding Executable Images from Memory.

Recipe 16-8: Scanning for Imported Functions with impscan.

Recipe 16-9: Dumping Suspicious Kernel Modules.

17 Memory Forensics: Rootkits.

Recipe 17-1: Detecting IAT Hooks.

Recipe 17-2: Detecting EAT Hooks.

Recipe 17-3: Detecting Inline API Hooks.

Recipe 17-4: Detecting Interrupt Descriptor Table (IDT) Hooks.

Recipe 17-5: Detecting Driver IRP Hooks.

Recipe 17-6: Detecting SSDT Hooks.

Recipe 17-7: Automating Damn Near Everything with ssdt_ex.

Recipe 17-8: Finding Rootkits with Detached Kernel Threads.

Recipe 17-9: Identifying System-Wide Notification Routines.

Recipe 17-10: Locating Rogue Service Processes with svcscan.

Recipe 17-11: Scanning for Mutex Objects with mutantscan.

18 Memory Forensics: Network and Registry.

Recipe 18-1: Exploring Socket and Connection Objects.

Recipe 18-2: Analyzing Network Artifacts Left by Zeus.

Recipe 18-3: Detecting Attempts to Hide TCP/IP Activity.

Recipe 18-4: Detecting Raw Sockets and Promiscuous NICs.

Recipe 18-5: Analyzing Registry Artifacts with Memory Registry Tools.

Recipe 18-6: Sorting Keys by Last Written Timestamp.

Recipe 18-7: Using Volatility with RegRipper.

Index.
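As an added illustration of the Python techniques named in Recipe 3-6 (file type identification and hashing) and Recipe 12-1 (reversing XOR algorithms), the following is editor-supplied example code, not the book's own recipes or the tools on its DVD. The sample buffer is constructed (a fake MZ/PE header carrying the DOS-stub string, XOR-ed with a single-byte key), and every function name below is this example's own. It shows two complementary ways to recover a single-byte XOR key from a dropper payload: a byte-frequency heuristic that exploits the null padding in PE headers, and a known-plaintext brute force that encodes the needle with each candidate key instead of decoding the whole haystack 256 times.

```python
# Editor-supplied example (not from the book): magic-byte file typing,
# hashing, and single-byte XOR key recovery. Sample bytes are constructed.
import hashlib
from collections import Counter

# Constructed sample: a PE-shaped header followed by the DOS stub string.
# Real PE files contain long runs of 0x00, which the frequency heuristic relies on.
PLAINTEXT = (
    b"MZ\x90\x00" + b"\x00" * 56      # DOS header; e_lfanew lives at offset 0x3c
    + b"\x80\x00\x00\x00"             # e_lfanew = 0x80 (arbitrary for this sample)
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8
    + b"PE\x00\x00"                   # NT header signature
)
KEY = 0x37
ENCODED = bytes(b ^ KEY for b in PLAINTEXT)   # what a dropper might carry

# Magic bytes for a few formats malware commonly arrives in; longest match wins.
MAGIC = {
    b"MZ": "PE executable (MZ)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0": "OLE2 compound document (legacy Office)",
    b"PK\x03\x04": "ZIP container (OOXML, JAR, APK, ...)",
    b"\x1f\x8b": "gzip stream",
}


def identify(data: bytes) -> str:
    """Return a file-type label from leading magic bytes, longest magic first."""
    for magic in sorted(MAGIC, key=len, reverse=True):
        if data.startswith(magic):
            return MAGIC[magic]
    return "unknown"


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a buffer: the identifiers used to look up samples."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def guess_key_by_frequency(data: bytes) -> int:
    """Most frequent byte. In a XOR-encoded PE the 0x00 padding becomes the key
    byte, so this is usually right; it fails on sparse or compressed input."""
    return Counter(data).most_common(1)[0][0]


def find_xor_keys(data: bytes, known: bytes = b"This program cannot be run in DOS mode") -> list:
    """Brute-force all 256 single-byte keys. Instead of decoding the whole buffer
    per key, encode the known plaintext with the candidate key and search for
    that needle in the raw data. Returns [(key, offset), ...]; a hit with key 0
    means the plaintext is present unencoded."""
    hits = []
    for key in range(256):
        offset = data.find(xor(known, key))
        if offset != -1:
            hits.append((key, offset))
    return hits


def analyze(data: bytes) -> dict:
    """Type and hash the raw sample, then try to recover an embedded XOR-ed PE."""
    report = {"type": identify(data), "hashes": hashes(data), "xor": []}
    for key, offset in find_xor_keys(data):
        decoded = xor(data, key)
        # The DOS stub sits inside the header; walk back to the nearest MZ before it.
        mz = decoded.rfind(b"MZ", 0, offset)
        report["xor"].append({
            "key": key,
            "offset": offset,
            "decoded_type": identify(decoded[mz:]) if mz != -1 else "unknown",
        })
    return report


if __name__ == "__main__":
    r = analyze(ENCODED)
    print(r["type"], r["hashes"]["sha256"])
    print("frequency guess: 0x%02x" % guess_key_by_frequency(ENCODED))
    for hit in r["xor"]:
        print("key=0x%02x offset=%d -> %s" % (hit["key"], hit["offset"], hit["decoded_type"]))
```

Two practical caveats: both heuristics assume a single repeating key byte, so a multi-byte or rolling key (common in later droppers) defeats them and calls for the longer known-plaintext and key-length analysis the book's later de-obfuscation recipes cover; and the known-plaintext search is only as reliable as the needle, so use a long, distinctive string rather than just "MZ" to keep false positives out of the 256-key sweep.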