-
Notifications
You must be signed in to change notification settings - Fork 169
/
render.article.toc
80 lines (80 loc) · 5.03 KB
/
render.article.toc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
\contentsline {section}{\numberline {1}Outline}{1}
\contentsline {subsection}{\numberline {1.1}Background}{1}
\contentsline {subsection}{\numberline {1.2}Basic Analysis}{3}
\contentsline {subsection}{\numberline {1.3}Advanced Analysis}{3}
\contentsline {subsection}{\numberline {1.4}Custom Development}{3}
\contentsline {part}{I\hspace {1em}Background Information}{3}
\contentsline {section}{\numberline {2}Introduction}{3}
\contentsline {subsection}{\numberline {2.1}Introduction}{3}
\contentsline {subsection}{\numberline {2.2}Malware Analysis}{5}
\contentsline {subsection}{\numberline {2.3}Questions to Consider}{6}
\contentsline {section}{\numberline {3}VM's and Live Analysis}{8}
\contentsline {subsection}{\numberline {3.1}Virtual Machines}{8}
\contentsline {subsection}{\numberline {3.2}Live Analysis}{9}
\contentsline {section}{\numberline {4}Architecture and OS}{13}
\contentsline {subsection}{\numberline {4.1}x86 Architecture}{13}
\contentsline {subsection}{\numberline {4.2}Microsoft Windows OS}{15}
\contentsline {section}{\numberline {5}PE File Format}{17}
\contentsline {subsection}{\numberline {5.1}Overview and Headers}{17}
\contentsline {subsection}{\numberline {5.2}Interactive Walkthrough}{20}
\contentsline {subsection}{\numberline {5.3}Import/Export Address Tables}{26}
\contentsline {subsection}{\numberline {5.4}Updated PE32+ and Usage Examples}{30}
\contentsline {part}{II\hspace {1em}Basic Analysis}{31}
\contentsline {section}{\numberline {6}Overview of Analysis Tools}{31}
\contentsline {subsection}{\numberline {6.1}Debuggers}{31}
\contentsline {subsection}{\numberline {6.2}Disassemblers / Decompilers}{32}
\contentsline {subsection}{\numberline {6.3}Other}{34}
\contentsline {subsection}{\numberline {6.4}Python}{35}
\contentsline {section}{\numberline {7}(Dis)Assembly}{37}
\contentsline {subsection}{\numberline {7.1}Crash Course}{37}
\contentsline {subsection}{\numberline {7.2}Assembly Patterns}{39}
\contentsline {section}{\numberline {8}IDA Pro}{45}
\contentsline {subsection}{\numberline {8.1}Overview}{45}
\contentsline {subsection}{\numberline {8.2}Overview of Views}{47}
\contentsline {subsection}{\numberline {8.3}Driving IDA}{51}
\contentsline {subsection}{\numberline {8.4}Customizations}{52}
\contentsline {section}{\numberline {9}OllyDbg}{53}
\contentsline {subsection}{\numberline {9.1}Overview}{53}
\contentsline {subsection}{\numberline {9.2}Overview of Views}{54}
\contentsline {subsection}{\numberline {9.3}Driving OllyDbg}{60}
\contentsline {part}{III\hspace {1em}Advanced Analysis}{62}
\contentsline {section}{\numberline {10}Executable (Un)Packing}{62}
\contentsline {subsection}{\numberline {10.1}Executable Packing}{62}
\contentsline {subsection}{\numberline {10.2}Executable Unpacking}{66}
\contentsline {subsection}{\numberline {10.3}Packer Usage Statistics}{69}
\contentsline {subsection}{\numberline {10.4}Unpacking Traces}{71}
\contentsline {section}{\numberline {11}Anti Reverse Engineering}{75}
\contentsline {subsection}{\numberline {11.1}Anti-Debugging}{75}
\contentsline {subsection}{\numberline {11.2}Anti-Disassembling}{78}
\contentsline {subsection}{\numberline {11.3}Anti-PE Analysis}{83}
\contentsline {subsection}{\numberline {11.4}Anti-VM}{87}
\contentsline {section}{\numberline {12}Binary Diffing and Matching}{90}
\contentsline {subsection}{\numberline {12.1}Binary Diffing}{90}
\contentsline {subsection}{\numberline {12.2}Example in Malware Analysis}{91}
\contentsline {subsection}{\numberline {12.3}Binary Matching}{93}
\contentsline {subsection}{\numberline {12.4}Exercises}{94}
\contentsline {section}{\numberline {13}Advanced Malware Techniques}{94}
\contentsline {subsection}{\numberline {13.1}Advanced Malware Techniques}{94}
\contentsline {subsection}{\numberline {13.2}Anti-Detection/Obfuscation Measures}{94}
\contentsline {subsection}{\numberline {13.3}Runtime Hiding Techniques}{97}
\contentsline {subsection}{\numberline {13.4}Counter-Measures}{98}
\contentsline {part}{IV\hspace {1em}Analysis and Custom Development}{98}
\contentsline {section}{\numberline {14}Analysis}{98}
\contentsline {subsection}{\numberline {14.1}Analysis I}{98}
\contentsline {subsection}{\numberline {14.2}Analysis II}{104}
\contentsline {section}{\numberline {15}IDA Python}{112}
\contentsline {subsection}{\numberline {15.1}Overview}{112}
\contentsline {subsection}{\numberline {15.2}Examples}{113}
\contentsline {subsection}{\numberline {15.3}Exercises}{114}
\contentsline {section}{\numberline {16}PEFile and PyDasm}{115}
\contentsline {subsection}{\numberline {16.1}Overview}{115}
\contentsline {subsection}{\numberline {16.2}pefile}{115}
\contentsline {subsection}{\numberline {16.3}pydasm}{118}
\contentsline {subsection}{\numberline {16.4}Exercises}{119}
\contentsline {section}{\numberline {17}PaiMei}{120}
\contentsline {subsection}{\numberline {17.1}Overview}{120}
\contentsline {subsection}{\numberline {17.2}Command Line Tools}{127}
\contentsline {subsection}{\numberline {17.3}GUI and Tools}{131}
\contentsline {subsection}{\numberline {17.4}Exercises}{134}
\contentsline {section}{\numberline {A}Appendix}{134}
\contentsline {subsection}{\numberline {A.1}References}{135}