Practical Malware Analysis – The Setup

Over Christmas last year I bought the book bundle Humble Bundle happened to be offering at the time – “Hacking for the Holidays”. It came with 16 books published by No Starch Press on a variety of cyber security topics, but mostly focused on penetration testing. Over the first few months of the year I worked my way through “Penetration Testing: A Hands-on Introduction to Hacking” by Georgia Weidman, which is excellent and I wish I had written about it as I did so, but that’s not why we’re here today.

One of the other books in the bundle was “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software” by Michael Sikorski and Andrew Honig. Considering I’ll be doing at least a little of this in the new job I’ll be starting soon, this seemed like a good next step and most of the reviews I found on the internet say it’s still incredibly useful in 2019 (it was published in 2011). I’m only on chapter 3 at the moment, so I don’t think you’ve missed out on much with the first 2 chapters, but I’ll give a brief summary of what it covered and what I’ve learned so far.

For anyone interested, here’s a link to the book. I personally bought a physical copy of it in addition to what came with the Humble Bundle as I’m not a huge fan of eBooks.
https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/

Chapter 0/1

Disclaimer: Seeing as how I’m mostly explaining things here to help with my own retention, my terminology or explanations definitely won’t be 100% correct all the time and I’m OK with that because I’m still learning.

The book starts out with a basic explanation of what malware analysis entails and moves right into basic static analysis techniques in chapter 1. Static analysis focuses on any information that can be gathered from the source code of the program, the functions it calls in the OS, or anything else that can be found without actually running the file. It covers the VirusTotal website, which I only found out about a few months ago but now use all the time, and then moves into specific tools. Below are the useful tools it covers and a brief synopsis of what they’re used for.

  • Strings
    • This program scans the source code of the program for anything that seems to be a sequence of characters. These could be used for anything from printing a message to the user to connecting to a specific IP address or URL.
  • PEiD
    • Since it is common for malware writers to pack or compress their code to make it more difficult to analyze, this tool scans the file and easily shows whether a file is packed and, if so, what tool was most likely used to do so.
  • Dependency Walker
    • This tool lists any DLLs that are called by the given program and shows what functions those DLLs import, which can give an idea of what the program might do when run.
  • PEView
    • This is my favorite tool so far. In a way it shows some of the same information as Dependency Walker, but it also displays plenty of other useful info. Some of the information I’ve found it useful for so far: the timestamp of when the program was compiled, clues on whether the program was packed based on the space it takes in memory, a cleaner view of the imported DLLs and functions, and the actual text used throughout the program (where Strings gets its results from).
  • Resource Hacker
    • This tool seems useful for poking through what icons, menu items, and other resources a program uses. I haven’t actually used this much and the author says it will be used more heavily later in the book.
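To make the tool descriptions above concrete, here is an added example (my own code, not from the book, the post, or any of the tools named) that pulls the same basic facts out of a PE file with nothing but Python's standard library: the compile timestamp and section sizes PEView shows, the imported DLLs and function names Dependency Walker lists, the printable runs Strings finds, and the crude "much bigger in memory than on disk" packing clue. Because it has to run offline, it first builds a tiny PE32 image in memory; the import names (CreateFileA, WriteFile, connect, send), the URL, the file path, the section name `.pack0` and the timestamp are all constructed sample values, not taken from any real binary. The parser only handles 32-bit (PE32) images.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample values (not taken from any real binary): what the fake PE
# imports, what plaintext it carries, and its COFF TimeDateStamp (2019-06-08 UTC).
SAMPLE_IMPORTS = {"KERNEL32.dll": ["CreateFileA", "WriteFile"], "WS2_32.dll": ["connect", "send"]}
SAMPLE_STRINGS = ["http://example.invalid/update.bin", "C:\\Temp\\report.log"]
SAMPLE_TIMESTAMP = 1560000000


def build_sample_pe(imports=SAMPLE_IMPORTS, strings=SAMPLE_STRINGS, timestamp=SAMPLE_TIMESTAMP):
    """Assemble a minimal PE32 image (headers and an import table, no real code) plus one empty section that exists only in memory, the way a packer reserves room to unpack into."""
    sect_rva, file_align = 0x1000, 0x200
    blob = bytearray(20 * (len(imports) + 1))      # null-terminated IMAGE_IMPORT_DESCRIPTOR array
    descs = []
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:                            # hint/name entries: WORD hint + ASCIIZ name, even-aligned
            name_rvas.append(sect_rva + len(blob))
            blob += b"\0\0" + f.encode() + b"\0" * (2 - len(f) % 2)
        blob += b"\0" * (-len(blob) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        int_rva, iat_rva = sect_rva + len(blob), sect_rva + len(blob) + len(thunks)
        blob += thunks * 2                         # import name table, then an identical on-disk IAT
        dll_rva = sect_rva + len(blob)
        blob += dll.encode() + b"\0" * (1 + -(len(dll) + 1) % 4)
        descs.append((int_rva, dll_rva, iat_rva))
    for i, (int_rva, dll_rva, iat_rva) in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, int_rva, 0, 0, dll_rva, iat_rva)
    for s in strings:                              # the plaintext a Strings run would surface
        blob += s.encode() + b"\0"
    raw_size = -(-len(blob) // file_align) * file_align
    blob += b"\0" * (raw_size - len(blob))
    pack_rva = sect_rva + -(-raw_size // 0x1000) * 0x1000   # next section-aligned RVA
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))            # IMAGE_DOS_HEADER, e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 224, 0x0102)  # IMAGE_FILE_HEADER
    hdr += struct.pack("<HBBIIIIII", 0x10B, 14, 0, raw_size, 0, 0, sect_rva, sect_rva, sect_rva)
    hdr += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, file_align, 4, 0, 0, 0, 4, 0, 0,
                       pack_rva + 0x20000, 512, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for i in range(16):                            # data directories; entry 1 is the import table
        hdr += struct.pack("<II", sect_rva, 20 * len(descs) + 20) if i == 1 else b"\0" * 8
    hdr += struct.pack("<8sIIIIIIHHI", b".text", raw_size, sect_rva, raw_size, 512, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".pack0", 0x20000, pack_rva, 0, 0, 0, 0, 0, 0, 0xE0000080)
    return bytes(hdr) + b"\0" * (512 - len(hdr)) + bytes(blob)


def parse_pe(data):
    """Compile timestamp, section sizes on disk vs. in memory, and imports by DLL (what PEView and Dependency Walker show first)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    assert struct.unpack_from("<H", data, opt)[0] == 0x10B, "this example handles PE32 only"
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]   # DataDirectory[1].VirtualAddress
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "rptr": rptr})

    def rva_to_off(rva):                           # map an RVA to a file offset via the section table
        for s in sections:
            if s["rsize"] and s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
                return rva - s["vaddr"] + s["rptr"]
        raise ValueError(f"RVA {rva:#x} is not backed by file data")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports, off = {}, rva_to_off(imp_rva) if imp_rva else None
    while off is not None:                         # walk descriptors until the all-zero terminator
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break
        funcs, thunk = [], rva_to_off(oft or ft)
        while (entry := struct.unpack_from("<I", data, thunk)[0]):
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000 else cstr(rva_to_off(entry) + 2))
            thunk += 4
        imports[cstr(rva_to_off(name_rva))] = funcs
        off += 20
    return {"timestamp": ts, "compiled_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "sections": sections, "imports": imports}


def packing_hints(sections):
    """Crude packer heuristic: a section that takes far more room in memory than it has bytes on disk."""
    return [f"{s['name']}: {s['rsize']:#x} bytes on disk but {s['vsize']:#x} in memory"
            for s in sections if s["vsize"] > 4 * s["rsize"]]


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len characters, the Strings utility's core behaviour."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["compiled_utc"], info["imports"], packing_hints(info["sections"]), sep="\n")
```

Running it prints the 2019-06-08 compile time, the two DLLs with their functions, and a single hint for `.pack0`, which has no bytes on disk but reserves 0x20000 bytes in memory. Pointing `parse_pe` and `extract_strings` at the bytes of a real 32-bit executable gives the same kind of report; the lab binaries in the book are worth comparing against PEView's output to see where a hand-written parser agrees and where it falls short (forwarded exports, bound imports and 64-bit images are all left out here).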

Before we go much further, I should probably mention what environment I’m using to run everything on. I set up two VMs for now, one with Windows XP and another with Windows 7, as that is what the book recommended, but I’ve done everything in XP so far and haven’t had any issues.

The chapter finishes up with several labs that let you use the tools covered to examine some example programs provided by the author, and this is always my favorite part as I’m much more of a hands-on learner. The labs were pretty basic, which makes sense for chapter 1, but still useful and let me poke through the tools to get used to them.

Chapter 2 covered how Virtual Machines are useful for malware analysis and how to set them up, but I won’t go over any of that since anyone reading this has more than likely set up plenty of those already and there are more interesting things to move on to.

One thought on “Practical Malware Analysis – The Setup”

  1. Humble Bundles are great! I recently purchased the Python one! The one you picked up sounds really awesome though, Practical Malware Analysis is an awesome pickup!

