I spent the last 3 weeks reading this book “PMA” and solving its labs.
I’d recommend this book to anyone willing to dive into Malware analysis.
Its labs are extensive and cover a lot of ground. And the book itself is suitable for beginners, intermediates and advanced readers.
I read the whole book, and finished all the labs. And here are my notes:
[-] I used a VM running the a 64-bit edition of the latest windows 10 (build 17763.253), and most of the labs worked fine. Some labs didn’t work because they depend on components found only in windows XP, so you’ll need another VM running windows XP in order to do a full dynamic analysis on that malware. Specifically:
- Labs that hijack the “Content Index service” (cisvc.exe). Because this service was replaced by “windows search” after windows XP.
(Read more about it here and here)
- Labs that make use of sfc_os.dll to bypass windows file protection.
(This technique is mentioned here briefly)
Of course you can do static analysis fine, and you can even tweak the exercise files in the debugger on-the-fly and make it work (sort of), but it’s better to study malware in its natural habitat (it was designed to work on windows XP).
[-] A notable advice I’d give to anyone willing to practice with this book, is that multiple new tools have been released after the book. So it would be sad not to use the newer tools because they’re not mentioned in the book.
So here’s my list:
- The free IDA 7.0. It has 64-bit support, but unfortunately it lacks the python scripting functionality, only IDC scripts work with it. So I ported the idaPython scripts used in the book to IDC files, and the code could be found on my github. Free tools will do the job most of the time 😎.
- mr.Exodia’s x96dbg (it includes both x32dbg and x64dbg). It is arguably the best debugger available right now; it supports 64-bit PE-files, plugins, command-line, patching, a free built-in decompiler, multiple dump tabs, and many more extremely useful features.
- Exeinfo PE in addition to PEiD.
- NTCore’s CFF explorer (in the explorer suite) as a replacement to PE view. It has 64-bit support, resource viewer/editor, import adder, and many more features.
- Any simple python fakeDNS. (like this one here, or here, or here)
[-] Advanced topics included anti-debugging, anti-VM, shellcode analysis, 64-bit malware, analyzing CPP object-oriented code. It also touched upon malicious PDFs. But I think it lacked topics about Malicious and obfuscated scripts (JS, VBScript, powershell, autoit), .NET malware, memory forensics and of course rootkits and kernel-mode malware
[-] One of the techniques I learnt from this book for example;
is that the after creating a suspended process using CreateProcessA, the “EBX” register will hold a pointer to the PEB of the newly created process. What the hell?!! This piece of information isn’t documented by Microsoft, but apparently it was found to be reliable enough to be used by malware authors. Now malware can access the PEB of the newly created process and leverage the information in it for attacks like process hollowing. More detailed info in this blog post.
[-] And many undocumented microsoft structures and functions are being explained in the book and demonstrated in the labs by working examples that use them. This gives you hands-on experience with the techniques that malware authors use. Some of them are still being used in the wild by new and old malware.
[-] Again, I’d 100% recommend this book to anyone interested in malware analysis 👌