Practical Malware Analysis

Practical Malware Analysis : The Hands-On Guide to Dissecting Malicious Software

4.47 (522 ratings by Goodreads)
By (author) 

Free delivery worldwide

Available. Expected delivery to the United States in 6-9 business days.

Not ordering to the United States? Click here.


Malware analysis is big business, and attacks can cost a company dearly. When malware breaches your defenses, you need to act quickly to cure current infections and prevent future ones from occurring. For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you'll be able to safely analyze, debug, and disassemble any malicious software that comes your way. You'll learn how to: Set up a safe virtual environment to analyze malware Quickly extract network signatures and host-based indicators Use key analysis tools like IDA Pro, OllyDbg, and WinDbg Overcome malware tricks like obfuscation, anti-disassembly, anti-debugging, and anti-virtual machine techniques Use your newfound knowledge of Windows internals for malware analysis Develop a methodology for unpacking malware and get practical experience with five of the most popular packers Analyze special cases
show more

Product details

  • Paperback | 800 pages
  • 178 x 234 x 40.64mm | 1,292.74g
  • San Francisco, United States
  • English
  • 7th printing
  • Illustrations
  • 1593272901
  • 9781593272906
  • 34,022

Table of contents

Praise for Practical Malware Analysis; Warning; About the Authors; About the Technical Reviewer; About the Contributing Authors; Foreword; Acknowledgments; Individual Thanks; Introduction; What Is Malware Analysis?; Prerequisites; Practical, Hands-On Learning; What's in the Book?; Chapter 0: Malware Analysis Primer; 1.1 The Goals of Malware Analysis; 1.2 Malware Analysis Techniques; 1.3 Types of Malware; 1.4 General Rules for Malware Analysis; Basic Analysis; Chapter 1: Basic Static Techniques; 2.1 Antivirus Scanning: A Useful First Step; 2.2 Hashing: A Fingerprint for Malware; 2.3 Finding Strings; 2.4 Packed and Obfuscated Malware; 2.5 Portable Executable File Format; 2.6 Linked Libraries and Functions; 2.7 Static Analysis in Practice; 2.8 The PE File Headers and Sections; 2.9 Conclusion; 2.10 Labs; Chapter 2: Malware Analysis in Virtual Machines; 3.1 The Structure of a Virtual Machine; 3.2 Creating Your Malware Analysis Machine; 3.3 Using Your Malware Analysis Machine; 3.4 The Risks of Using VMware for Malware Analysis; 3.5 Record/Replay: Running Your Computer in Reverse; 3.6 Conclusion; Chapter 3: Basic Dynamic Analysis; 4.1 Sandboxes: The Quick-and-Dirty Approach; 4.2 Running Malware; 4.3 Monitoring with Process Monitor; 4.4 Viewing Processes with Process Explorer; 4.5 Comparing Registry Snapshots with Regshot; 4.6 Faking a Network; 4.7 Packet Sniffing with Wireshark; 4.8 Using INetSim; 4.9 Basic Dynamic Tools in Practice; 4.10 Conclusion; 4.11 Labs; Advanced Static Analysis; Chapter 4: A Crash Course in x86 Disassembly; 5.1 Levels of Abstraction; 5.2 Reverse-Engineering; 5.3 The x86 Architecture; 5.4 Conclusion; Chapter 5: IDA Pro; 6.1 Loading an Executable; 6.2 The IDA Pro Interface; 6.3 Using Cross-References; 6.4 Analyzing Functions; 6.5 Using Graphing Options; 6.6 Enhancing Disassembly; 6.7 Extending IDA with Plug-ins; 6.8 Conclusion; 6.9 Labs; Chapter 6: Recognizing C Code Constructs in Assembly; 7.1 Global vs. Local Variables; 7.2 Disassembling Arithmetic Operations; 7.3 Recognizing if Statements; 7.4 Recognizing Loops; 7.5 Understanding Function Call Conventions; 7.6 Analyzing switch Statements; 7.7 Disassembling Arrays; 7.8 Identifying Structs; 7.9 Analyzing Linked List Traversal; 7.10 Conclusion; 7.11 Labs; Chapter 7: Analyzing Malicious Windows Programs; 8.1 The Windows API; 8.2 The Windows Registry; 8.3 Networking APIs; 8.4 Following Running Malware; 8.5 Kernel vs. User Mode; 8.6 The Native API; 8.7 Conclusion; 8.8 Labs; Advanced Dynamic Analysis; Chapter 8: Debugging; 9.1 Source-Level vs. Assembly-Level Debuggers; 9.2 Kernel vs. User-Mode Debugging; 9.3 Using a Debugger; 9.4 Exceptions; 9.5 Modifying Execution with a Debugger; 9.6 Modifying Program Execution in Practice; 9.7 Conclusion; Chapter 9: OllyDbg; 10.1 Loading Malware; 10.2 The OllyDbg Interface; 10.3 Memory Map; 10.4 Viewing Threads and Stacks; 10.5 Executing Code; 10.6 Breakpoints; 10.7 Loading DLLs; 10.8 Tracing; 10.9 Exception Handling; 10.10 Patching; 10.11 Analyzing Shellcode; 10.12 Assistance Features; 10.13 Plug-ins; 10.14 Scriptable Debugging; 10.15 Conclusion; 10.16 Labs; Chapter 10: Kernel Debugging with WinDbg; 11.1 Drivers and Kernel Code; 11.2 Setting Up Kernel Debugging; 11.3 Using WinDbg; 11.4 Microsoft Symbols; 11.5 Kernel Debugging in Practice; 11.6 Rootkits; 11.7 Loading Drivers; 11.8 Kernel Issues for Windows Vista, Windows 7, and x64 Versions; 11.9 Conclusion; 11.10 Labs; Malware Functionality; Chapter 11: Malware Behavior; 12.1 Downloaders and Launchers; 12.2 Backdoors; 12.3 Credential Stealers; 12.4 Persistence Mechanisms; 12.5 Privilege Escalation; 12.6 Covering Its Tracks--User-Mode Rootkits; 12.7 Conclusion; 12.8 Labs; Chapter 12: Covert Malware Launching; 13.1 Launchers; 13.2 Process Injection; 13.3 Process Replacement; 13.4 Hook Injection; 13.5 Detours; 13.6 APC Injection; 13.7 Conclusion; 13.8 Labs; Chapter 13: Data Encoding; 14.1 The Goal of Analyzing Encoding Algorithms; 14.2 Simple Ciphers; 14.3 Common Cryptographic Algorithms; 14.4 Custom Encoding; 14.5 Decoding; 14.6 Conclusion; 14.7 Labs; Chapter 14: Malware-Focused Network Signatures; 15.1 Network Countermeasures; 15.2 Safely Investigate an Attacker Online; 15.3 Content-Based Network Countermeasures; 15.4 Combining Dynamic and Static Analysis Techniques; 15.5 Understanding the Attacker's Perspective; 15.6 Conclusion; 15.7 Labs; Anti-Reverse-Engineering; Chapter 15: Anti-Disassembly; 16.1 Understanding Anti-Disasseeeeeembly; 16.2 Defeating Disassembly Algorithms; 16.3 Anti-Disassembly Techniques; 16.4 Obscuring Flow Control; 16.5 Thwarting Stack-Frame Analysis; 16.6 Conclusion; 16.7 Labs; Chapter 16: Anti-Debugging; 17.1 Windows Debugger Detection; 17.2 Identifying Debugger Behavior; 17.3 Interfering with Debugger Functionality; 17.4 Debugger Vulnerabilities; 17.5 Conclusion; 17.6 Labs; Chapter 17: Anti-Virtual Machine Techniques; 18.1 VMware Artifacts; 18.2 Vulnerable Instructions; 18.3 Tweaking Settings; 18.4 Escaping the Virtual Machine; 18.5 Conclusion; 18.6 Labs; Chapter 18: Packers and Unpacking; 19.1 Packer Anatomy; 19.2 Identifying Packed Programs; 19.3 Unpacking Options; 19.4 Automated Unpacking; 19.5 Manual Unpacking; 19.6 Tips and Tricks for Common Packers; 19.7 Analyzing Without Fully Unpacking; 19.8 Packed DLLs; 19.9 Conclusion; 19.10 Labs; Special Topics; Chapter 19: Shellcode Analysis; 20.1 Loading Shellcode for Analysis; 20.2 Position-Independent Code; 20.3 Identifying Execution Location; 20.4 Manual Symbol Resolution; 20.5 A Full Hello World Example; 20.6 Shellcode Encodings; 20.7 NOP Sleds; 20.8 Finding Shellcode; 20.9 Conclusion; 20.10 Labs; Chapter 20: C++ Analysis; 21.1 Object-Oriented Programming; 21.2 Virtual vs. Nonvirtual Functions; 21.3 Creating and Destroying Objects; 21.4 Conclusion; 21.5 Labs; Chapter 21: 64-Bit Malware; 22.1 Why 64-Bit Malware?; 22.2 Differences in x64 Architecture; 22.3 Windows 32-Bit on Windows 64-Bit; 22.4 64-Bit Hints at Malware Functionality; 22.5 Conclusion; 22.6 Labs; Important Windows Functions; Tools for Malware Analysis; Solutions to Labs; Lab 1-1 Solutions; Lab 1-2 Solutions; Lab 1-3 Solutions; Lab 1-4 Solutions; Lab 3-1 Solutions; Lab 3-2 Solutions; Lab 3-3 Solutions; Lab 3-4 Solutions; Lab 5-1 Solutions; Lab 6-1 Solutions; Lab 6-2 Solutions; Lab 6-3 Solutions; Lab 6-4 Solutions; Lab 7-1 Solutions; Lab 7-2 Solutions; Lab 7-3 Solutions; Lab 9-1 Solutions; Lab 9-2 Solutions; Lab 9-3 Solutions; Lab 10-1 Solutions; Lab 10-2 Solutions; Lab 10-3 Solutions; Lab 11-1 Solutions; Lab 11-2 Solutions; Lab 11-3 Solutions; Lab 12-1 Solutions; Lab 12-2 Solutions; Lab 12-3 Solutions; Lab 12-4 Solutions; Lab 13-1 Solutions; Lab 13-2 Solutions; Lab 13-3 Solutions; Lab 14-1 Solutions; Lab 14-2 Solutions; Lab 14-3 Solutions; Lab 15-1 Solutions; Lab 15-2 Solutions; Lab 15-3 Solutions; Lab 16-1 Solutions; Lab 16-2 Solutions; Lab 16-3 Solutions; Lab 17-1 Solutions; Lab 17-2 Solutions; Lab 17-3 Solutions; Lab 18-1 Solutions; Lab 18-2 Solutions; Lab 18-3 Solutions; Lab 18-4 Solutions; Lab 18-5 Solutions; Lab 19-1 Solutions; Lab 19-2 Solutions; Lab 19-3 Solutions; Lab 20-1 Solutions; Lab 20-2 Solutions; Lab 20-3 Solutions; Lab 21-1 Solutions; Lab 21-2 Solutions;
show more

Review Text

"This book does exactly what it promises on the cover; it's crammed with detail and has an intensely practical approach, but it's well organised enough that you can keep it around as handy reference."
show more

Review quote

"A hands-on introduction to malware analysis. I'd recommend it to anyone who wants to dissect Windows malware."
-Ilfak Guilfanov, Creator of IDA Pro

"The book every malware analyst should keep handy."
-Richard Bejtlich, CSO of Mandiant & Founder of TaoSecurity

"This book does exactly what it promises on the cover; it's crammed with detail and has an intensely practical approach, but it's well organised enough that you can keep it around as handy reference."
-Mary Branscombe, ZDNet

"If you're starting out in malware analysis, or if you are are coming to analysis from another discipline, I'd recommend having a nose."
-Paul Baccas, Naked Security from Sophos

"An excellent crash course in malware analysis."
-Dino Dai Zovi, Independent Security Consultant

"The most comprehensive guide to analysis of malware, offering detailed coverage of all the essential skills required to understand the specific challenges presented by modern malware."
-Chris Eagle, Senior Lecturer of Computer Science at the Naval Postgraduate School

"A great introduction to malware analysis. All chapters contain detailed technical explanations and hands-on lab exercises to get you immediate exposure to real malware."
-Sebastian Porst, Google Software Engineer

"Brings reverse engineering to readers of all skill levels. Technically rich and accessible, the labs will lead you to a deeper understanding of the art and science of reverse engineering. I strongly recommend this book for beginners and experts alike. I strongly believe this will become the defacto text for learning malware analysis in the future."
-Danny Quist, PhD, Founder of Offensive Computing

"An awesome book. . . written by knowledgeable authors who possess the rare gift of being able to communicate their knowledge through the written word."
-Richard Austin, IEEE Cipher

"If you only read one malware book or are looking to break into the world of malware analysis, this is the book to get."
-Patrick Engebretson, IA Professor at Dakota State University and Author of The Basics of Hacking and Pen Testing

"An excellent addition to the course materials for an advanced graduate level course on Software Security or Intrusion Detection Systems. The labs are especially useful to students in teaching the methods to reverse engineer, analyze and understand malicious software."
-Sal Stolfo, Professor, Columbia University

"The explanation of the tools is clear, the presentation of the process is lucid, and the actual detective work fascinating. All presented clearly and hitting just the right level so that developers with no previous experience in this particular area can participate fully. Highly recommended."
-Dr. Dobb's

"This book is like having your very own personal malware analysis teacher without the expensive training costs."
-Dustin Schultz, TheXploit

"I highly recommend this book to anyone looking to get their feet wet in malware analysis or just looking for a good desktop reference on the subject."
-Pete Arzamendi, 403 Labs

"I do not see how anyone who has hands-on responsibility for security of Windows systems can rationalize not being familiar with these tools."
-Stephen Northcutt, SANS Institute

"Practical Malware Analysis is another book that should be within reaching distance in anyone's DFIR shop. I went ahead and purchased PMA hoping the book would improve my knowledge and skills when faced with malware. What I ended up with was knowledge, a process and tools I can use to analyze any program I encounter. PMA gets a five star review (5 out of 5)."
-Journey Into Incident Response

"Highly recommend it to those looking to enter the malware analysis field."
-Linux Ninja

"If you are a beginner to this hacking field, then this book will be an excellent choice for you."

"I cannot recommend it enough."
-Tony Robinson, Security Boulevard
show more

About Michael Sikorski

Michael Sikorski is a malware analyst, researcher, and security consultant at Mandiant. His previous employers include the National Security Agency and MIT Lincoln Laboratory. Mike frequently teaches malware analysis to a variety of audiences including the FBI and Black Hat.
Andrew Honig is an Information Assurance Expert for the Department of Defense. He teaches courses on software analysis, reverse engineering, and Windows system programming. Andy is publicly credited with several zero-day exploits in VMware's virtualization products.
show more

Rating details

522 ratings
4.47 out of 5 stars
5 61% (320)
4 28% (144)
3 9% (46)
2 2% (8)
1 1% (4)
Book ratings by Goodreads
Goodreads is the world's largest site for readers with over 50 million reviews. We're featuring millions of their reader ratings on our book pages to help you find your new favourite book. Close X