Defending Cyber Systems through Reverse Engineering of Criminal Malware

Posted by: literator on 2-09-2022, 14:37, Comments: 0

Category: BOOKS » PROGRAMMING

Title: Defending Cyber Systems through Reverse Engineering of Criminal Malware
Author: Marwan Omar
Publisher: Springer
Year: 2022
Language: English
Format: pdf (true), epub
Size: 17.2 MB

This book discusses underlying principles of malware reverse engineering and introduces the major techniques and tools needed to effectively analyze malware that targets business organizations. It also covers the examination of real-world malware samples, which illustrates the knowledge and skills necessary to take control of cyberattacks.

Most cyber-attacks involve deploying some type of malware. Malware that viciously targets every industry, every sector, every enterprise, and even individuals has shown its capability to take entire business organizations offline and cause significant financial damage, amounting to billions of dollars annually. Malware authors are constantly evolving their attack strategies and sophistication, developing malware that is difficult to detect and can lie dormant in the background for quite some time in order to evade security controls.

The portable executable file format is the standard format for dynamic link libraries (DLLs), executables (.exe), and common object files (COC). Files with extensions such as .exe, .dll, and .sys are called portable executables. "A PE file is a series of structures and sub-components that contain the information required by the operating system to load it into memory." The PE header is a wealth of information for malware reverse engineers because it contains details such as where the executable needs to be loaded into memory, the address at which execution starts, the list of libraries and functions on which the application relies, and the resources used by the binary.

PeStudio relies on the PE header contents for some of the information we found helpful. Two other utilities, Detect It Easy (DIE) and Exeinfo PE, are especially useful for determining which tools were used to generate the executable file you are examining. Packing typically involves obfuscating, encrypting, or otherwise encoding the original executable to create a new file that embeds the original program as data. When the packed program runs, it unpacks itself into the memory of the infected host. It is therefore useful to determine whether a file is packed and, if it is, which packer was used to safeguard the original file. Detect It Easy and Exeinfo PE can help with both tasks. These tools show that brbbot.exe is not packed and was probably created in C or C++ using Visual Studio.
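As an added illustration of what the two paragraphs above describe (not code from the book or from PeStudio/DIE/Exeinfo PE), the following parser reads the PE header fields the text names (image base, entry point, section table) and applies a few simple header-only packing hints; the sample header bytes are constructed here so it runs offline, and the heuristics in `packing_indicators` are this example's own, not those of any named tool.

```python
import struct

# Constants from the PE/COFF specification (Microsoft "PE Format" docs).
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # default section names left by UPX

def parse_pe_header(data: bytes) -> dict:
    """Extract the load-time facts the text lists: image base, entry point, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                          # 20-byte COFF file header
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # optional header follows
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint (RVA)
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):                                        # 40-byte section headers
        name, vsize, vaddr, rawsize, _ = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize})
    return {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC,
            "image_base": image_base, "entry_point": entry, "sections": sections}

def packing_indicators(info: dict) -> list:
    """Header-only hints that a file is packed (hypothetical heuristics, not DIE's rules)."""
    hints = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hints.append(f"packer section name {s['name']}")
        if s["rawsize"] == 0 and s["vsize"] > 0:                 # space filled only at run time
            hints.append(f"{s['name']} has no data on disk but {s['vsize']:#x} bytes in memory")
    entry = info["entry_point"]
    if not any(s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]) for s in info["sections"]):
        hints.append(f"entry point {entry:#x} lies outside every section")
    return hints

def build_sample(sections, entry=0x1400) -> bytes:
    """Constructed PE32+ header (headers only, no code) so the parser can run offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> offset 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0x400, 0, 0, 0, 0, 0x60000020)
                    for n, vs, va, rs in sections)               # (name, VirtualSize, VirtualAddress, SizeOfRawData)
    return bytes(dos + coff + opt + hdrs)
```

Running `packing_indicators` over a header with ordinary `.text`/`.rdata` sections returns no hints, while UPX-style section names and a zero-size-on-disk section are flagged; a real triage still needs the entropy and signature checks that DIE and Exeinfo PE perform.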

Download Defending Cyber Systems through Reverse Engineering of Criminal Malware
