 Название: Reversing Data Structures and Algorithms in Malware
Автор: Jason Reaves
Издательство: Leanpub
Год: 2020-05-13
Язык: английский
Формат: pdf (true), epub
Размер: 10.2 MB
Book walks through a number of real world examples for reverse engineering data structures and algorithms found in malware.
Walk through a number of real world examples for reverse engineering data structures and algorithms found in malware in order to gradually introduce the reader to more advanced examples culminating in reverse engineering a C2 (Command and Control) protocol.
There are many obstacles you encounter when doing malware analysis, from unpacking your first sample, mapping out your first routine or breaking into that malwares data encoding routine. One obstacle in particular I’ve seen give people problems more than others is being able to follow malware as it parses data, data that is sometimes seemingly random hex but instead used for configuration purposes that can depict how malware acts. One experience that seems to help people when reverse engineering these structures and the algorithms that process them is a past in low level development such as assembly or C programming, however this isn’t a luxury that everyone can come to malware analysis with such a background. As such I give you this book which is my humble attempt to walk the reader through my process of making sense of it all. From my experience there is a focus when it comes to reversing a packer/crypter that will involve algorithmic reverse engineering, as a construct when it comes to pulling out config data from a bot it will involve a data structure reverse engineering focus and finally C2 will commonly involve doing both.
Most malware comes with some sort of onboard configuration which could be as simple as a command and control server address. Not thinking of the data as strings but more in terms of pure binary data you can start to understand the data in whatever form the developer has chosen to store is ultimately just used by the bot to fulfill the tasks it needs to. Normally the easiest way to find this data is to first understand what it is you are dealing with, ex: if it’s ransomware and we want to find some of the data the bot will have on board then a list of file extensions or language flags is a good place to start the bot will have to use certain methods to get this information from the infected host and we can use these bottlenecks to find the locations in the bot where the data has already been decoded and is now being parsed. Once you find the data it’s usually a matter of backtracking, I usually use IDA and a debugger to accomplish this task and it can take quite a bit of time and experience to get good at it.
Other common methods I’ve used is setting breakpoints on suspicious functions such as those performing loops and bitwise instructions or breaking on suspicious data sections in the sample that could be storing information. When people write a bot they usually end up writing a template or stub with a builder in the same manner you would write a crypter or packer and so the configuration data in the bot must either static or be placed in a way that allows the bot to find it such as with a special marker or header this way the builder can update the stub properly and the bot can then make use of the data when it is executed.
Скачать Reversing Data Structures and Algorithms in Malware
|
Навигация
Вход на сайт
Реклама
Reversing Data Structures and Algorithms in Malware 
