This is a review for Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig.
Practical Malware Analysis is an excellent introduction to the study of reverse engineering. Despite being written in 2012 and being nearly 10 years old, the lessons learned within this text still apply to samples I encounter daily as an analyst.
I have had this book for a while and skimmed through it a few years ago. At the time, I mostly worked on Linux systems, and this book focuses on Windows malware. I skipped the exercises because I felt it was not a good use of my time at the time.
Now, I deal mostly with Windows systems, so this book has more relevance to my work. I have been wanting to become better at reversing and analyzing the malware I encounter at work, so I’ve decided to hit the books hard on this topic in 2022.
This book is often recommended as one of the books to read on the subject, so naturally, I wanted to see what all the fuss is about.
I’d recommend this book to anyone just starting out with malware analysis. I would probably suggest that people skip this book if they have experience with malware analysis already as I felt this book caters to absolute beginners. If you read the outline below and are familiar with most of the bullet points, reading this book might be a waste of time.
I skipped many of the exercises because they recommend doing these labs with a Windows XP virtual machine and I do similar malware analysis tasks at work daily. Despite skipping the exercises, I read the solutions. For each lab, I thought about how I would approach the problem and then compared my methods to the solution. This was interesting when our methodologies didn’t align, as it led me to learn some new tricks.
Several others have publicly offered their writeups for the labs in this book:
Malware analysis is a deep subject and there is plenty that this book does not cover, but I feel that it does a great job as an introductory text.
This book is starting to show its age but is still relevant. If this book came out with a second edition, I would buy it. Many of the tools in the book have been updated, discontinued, or have better alternatives available now. This book was written a decade ago and technology, in general, has evolved a bit since it was first published. I am not sure if there is a modern version of this book that compares in quality.
21 chapters, many of which have exercises to complete on your own at the end. These chapters are arranged into six parts:
- Part 1: Basic Analysis
- Part 2: Advanced Static Analysis
- Part 3: Advanced Dynamic Analysis
- Part 4: Malware Functionality
- Part 5: Anti-Reverse-Engineering
- Part 6: Special Topics
There are 451 pages of text, plus three appendixes bringing the book to 732 total pages:
- Appendix A and B contain a list of important Windows functions and a list of malware analysis tools, respectively.
- Appendix C contains a detailed walkthrough of the labs. This section is thorough and constitutes roughly half of the thickness of this book.
Part 1 – Basic Analysis
Chapter 1 – Basic Static Techniques
This chapter introduces fundamental concepts I encounter daily:
- Use AV tools to determine if a file is malicious
- PE files: headers, functions, resources, imports and exports, …
Some tools were mentioned and briefly introduced:
- Dependency walker
- Resource Hacker
- PEBrowse Professional
- PE Explorer
This chapter covers the basics well. There are plenty of additional tools to be aware of or may work better than another tool in different circumstances.
I use FLARE VM for most malware analysis tasks because it is easy to set up.
Chapter 2 – Malware Analysis in Virtual Machines
This chapter outlines how to set up a malware analysis environment with virtual machines. They specifically used VMWare in this book.
If you know how to install and configure virtual machines in VMWare and manage snapshots, you can probably skip reading this chapter.
Chapter 3 – Basic Dynamic Analysis
Introduces dynamic analysis concepts:
- Monitoring processes and changes to the system
- Faking network services
- Process Monitor
I use REMnux + SIFT for faking network services because it has relevant tools and scripting languages installed.
Part 2 – Advanced Static Analysis
Chapter 4 – A crash Course in x86 Disassembly
As advertised; a basic rundown on x86 assembly:
- Function Calls
Chapter 5 – IDA Pro
This chapter gives a brief overview of IDA Pro’s layout, features, and general workflow.
The end of the chapter gives example programs to extend IDA with IDC Scripts and IDAPython.
Chapter 6 – Recognizing C Code Constructs in Assembly
This chapter shows examples of C code represented in assembler. This covers a lot of the basics, but only scratches the surface.
- Linked Lists
This shows examples of a few different calling conventions:
Chapter 7 – Analyzing Malicious Windows Programs
Various Windows concepts:
- Windows API
- Types: DWORD, Handles, Long Pointer, Callback, …
- Filesystem Functions
- Special files
- Shared files
- Alternate Data Streams
- Berkeley sockets API
- WinINet API
- Structured Exception Handling
- Kernel and User modes
- Native API
Each of these subjects was touched on briefly. Many of these subjects command an entire book or series of books to explain in depth.
Part 3 – Advanced Dynamic Analysis
Chapter 8 – Debugging
This chapter provides a brief introduction to using debuggers.
- Source Level Debugging
- Assembly-Level Debugging
- Kernel Debugging
- Basic debugger concepts:
- Modifying Execution
OllyDbg has been discontinued at the time of this writing. Most people seem to be using x64dbg instead.
Chapter 9 – OllyDbg
This chapter talks about OllyDbg, which has since been discontinued. Most people seem to use x64dbg and x32dbg nowadays. This chapter shows the basic usage of OllyDbg.
Towards the end of the chapter, a neat trick is shown using OllyDbg to debug shellcode.
The Plugins section of this chapter was interesting, too. It mentions some plugins to hide debuggers from malware you are analyzing, a plugin to dump the debugged process into a file. Similar plugins exist for x64dbg.
OllyDbg is also extensible with Python + immlib. An example script was provided towards the end of the chapter.
Chapter 10 – Kernel Debugging With WinDbg
This chapter shows how to set up and use WinDbg. WinDbg is useful for dealing with rootkits.
Part 4 – Malware Functionality
Chapter 11 – Malware Behavior
Knowing what malware does helps a lot with malware analysis and incident response. This chapter outlines common types of malware:
- Downloaders and launchers
- Bind and Reverse Shells
- Credential Stealers
- Dumping hashes
- Registry Run keys
- Winlogon Notify
- SvcHost DLLs
- Trojanized binaries
- DLL hijacking
- Privilege Escalation
- IAT Hooking
- Inline Hooking
I see all of this at work frequently, plus a lot more persistence techniques, ransomware, cryptocurrency miners, and a bunch of other nonsense.
Chapter 12 – Covert Malware Launching
Malware uses a myriad of techniques to conceal itself when running on systems. This chapter covers a few of these techniques but is far from complete.
- Process Injection
- Process Replacement
- Hook Injection
- APC Injection
Chapter 13 – Data Encoding
Simple ciphers and encoding used by malware to conceal strings, configuration, etc. It also highlights methods to decode and decrypt data found within malware.
- Simple ciphers: Caesar, Replacement, rotation, …
- Encryption algorithms
- Searching for constants
- FindCrypt2 IDA plugin
- Custom encoders
This book pre-dates CyberChef.
Chapter 14 – Malware-Focused Network Signatures
Find malware on the wire! This chapter outlines how to observe malware over the network safely. There are several considerations with these techniques that may compromise your OPSEC or damage your network if performed without care.
Some of the topics covered in this chapter:
- IP Addresses
- Malware operating in plain sight
- Mimicking existing network protocols
- WinINet API
Part 5 – Anti-Reverse-Engineering
Chapter 15 – Anti-Disassembly
Malware authors often include code meant to make analysis harder into their tools. This is done with the intent to make the analysis of their tools cost more time and money if they are discovered.
This chapter specifically covers techniques impacting disassemblers and offers some methods to identify and deal with these malicious techniques if they are encountered within a sample.
Chapter 16 – Anti-Debugging
This is much like the previous chapter about anti-disassembly but is specific to attacks against debuggers.
Chapter 17 – Anti-Virtual Machine Techniques
This chapter is like the previous two but focuses on malware that detects virtualization. The rationale is that if the malware detects itself running in virtual machines or certain types of virtual machines, it will detect this and refuse to run properly.
Chapter 18 – Packers and Unpacking
Another trick malware authors employ is using packers and crypters. Packers are used legitimately by software to reduce the size required to store it on disk or to protect a company’s intellectual property. Malware authors are also able to use these packers to protect their creations.
This chapter outlines some common packer software and ways to identify and unpack it. It also touches upon the fact that malware authors can and do develop their own custom packers, and provides some ways to unpack custom software.
Part 6 – Special Topics
Chapter 19 – Shellcode Analysis
Chapter 20 – C++ Analysis
This chapter covers some of the topics specific to analyzing C++ samples:
- this pointer
- Function Overriding
- Virtual and Non-virtual Functions
This chapter recommends reading Thinking in C++ if you are not already familiar with C++.
Chapter 21 – 64-bit Malware
This is another chapter where the book is starting to show its age. At the time this book was written, 64-bit malware was nowhere near as common as it is now. This chapter briefly touches on identifying 64-bit samples and how to deal with them effectively.