Torrent details for "Reaves J. Reversing Data Structures and Algorithms in Malware 2020 [andryold1]"

Torrent details
Language: English
Total Size: 3.18 MB
Info Hash: 75b2d1115033f55e921e1b61cbc5976d238901c6
Added: 26-02-2023 09:27
Views: 165
Health: Seeds 4, Leechers 0, Completed 225

Description
Textbook in PDF format

The book walks through a number of real-world examples of reverse engineering data structures and algorithms found in malware.
It walks through these examples in order to gradually introduce the reader to more advanced ones, culminating in reverse engineering a C2 (Command and Control) protocol.
There are many obstacles you encounter when doing malware analysis, from unpacking your first sample, mapping out your first routine, or breaking into that malware's data encoding routine. One obstacle in particular I've seen give people problems more than others is being able to follow malware as it parses data, data that is sometimes seemingly random hex but is instead used for configuration purposes that can depict how the malware acts. One experience that seems to help people when reverse engineering these structures and the algorithms that process them is a past in low-level development such as assembly or C programming; however, this isn't a luxury everyone has, and not everyone comes to malware analysis with such a background. As such I give you this book, which is my humble attempt to walk the reader through my process of making sense of it all. From my experience, reversing a packer/crypter will involve algorithmic reverse engineering; pulling out config data from a bot will involve a data structure reverse engineering focus; and finally, C2 will commonly involve doing both.
Most malware comes with some sort of onboard configuration, which could be as simple as a command and control server address. By not thinking of the data as strings but more in terms of pure binary data, you can start to understand that the data, in whatever form the developer has chosen to store it, is ultimately just used by the bot to fulfill the tasks it needs to. Normally the easiest way to find this data is to first understand what it is you are dealing with. For example, if it's ransomware and we want to find some of the data the bot will have on board, then a list of file extensions or language flags is a good place to start: the bot will have to use certain methods to get this information from the infected host, and we can use these bottlenecks to find the locations in the bot where the data has already been decoded and is now being parsed. Once you find the data it's usually a matter of backtracking. I usually use IDA and a debugger to accomplish this task, and it can take quite a bit of time and experience to get good at it.
Other common methods I've used are setting breakpoints on suspicious functions, such as those performing loops and bitwise instructions, or breaking on suspicious data sections in the sample that could be storing information. When people write a bot they usually end up writing a template or stub with a builder, in the same manner you would write a crypter or packer, and so the configuration data in the bot must either be static or be placed in a way that allows the bot to find it, such as with a special marker or header. This way the builder can update the stub properly and the bot can then make use of the data when it is executed.
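The marker-or-header layout described above is the reason analysts write config extractors: once the marker and the field encoding are understood, the parser can be run over any sample of the same family without debugging it again. The following is an added illustration of that idea and is not code from the book or from any real malware family; the marker bytes `CFG!`, the `(tag, length, value)` field layout, the tag numbers and the sample stub are all constructed for this example. The extractor validates what it finds, because marker bytes can occur by chance inside code and a builder bug or truncated dump can leave a half-written block.

```python
import struct

# Constructed marker and field encoding (assumptions for this example, not a
# real family): MARKER, u16 field count, then (u8 tag, u16 length, bytes) entries.
MARKER = b"CFG!"
TAG_NAMES = {1: "c2", 2: "interval", 3: "key"}


def build_stub(fields):
    """Serialize fields the way a builder would patch them into a template stub,
    surrounded by filler bytes standing in for code (constructed sample)."""
    body = MARKER + struct.pack("<H", len(fields))
    for tag, value in fields:
        body += struct.pack("<BH", tag, len(value)) + value
    return b"\x55\x8b\xec" * 16 + body + b"\x90" * 32


# Constructed sample stub: a C2 address, a beacon interval and a 16-byte key.
SAMPLE_STUB = build_stub([
    (1, b"c2.example.invalid:8443"),
    (2, b"\x05"),
    (3, bytes(range(1, 17))),
])


def parse_config(blob, off):
    """Parse one block starting right after the marker; return None on anything
    that does not fit, so a chance marker hit or a truncated block is rejected
    rather than partially trusted."""
    if off + 2 > len(blob):
        return None
    (count,) = struct.unpack_from("<H", blob, off)
    off += 2
    if count == 0:
        return None  # an empty block is treated as a decoy, not a config
    fields = {}
    for _ in range(count):
        if off + 3 > len(blob):
            return None
        tag, length = struct.unpack_from("<BH", blob, off)
        off += 3
        if off + length > len(blob):
            return None
        fields[TAG_NAMES.get(tag, f"tag_{tag}")] = blob[off:off + length]
        off += length
    return fields


def find_config(blob, marker=MARKER):
    """Scan every marker occurrence and return the first block that parses
    cleanly, or None if the blob holds no valid config."""
    start = 0
    while True:
        pos = blob.find(marker, start)
        if pos == -1:
            return None
        cfg = parse_config(blob, pos + len(marker))
        if cfg is not None:
            return cfg
        start = pos + 1


def decode_fields(fields):
    """Turn raw field bytes into analyst-friendly values per known tag."""
    out = {}
    for name, value in fields.items():
        if name == "c2":
            out[name] = value.decode("ascii", errors="replace")
        elif name == "interval":
            out[name] = int.from_bytes(value, "little")
        else:
            out[name] = value.hex()
    return out


if __name__ == "__main__":
    print(decode_fields(find_config(SAMPLE_STUB)))
```

In practice the marker and layout come from the backtracking the text describes (breaking where the decoded data is consumed and walking back to the routine that located it); the extractor then only encodes what was learned, and the reject-on-mismatch checks keep a coincidental marker hit from producing a bogus config.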
