Practical Malware Analysis - Lab Write-up
Introduction
This post details the reverse engineering work and answers for the labs in ‘Practical Malware Analysis’ by Michael Sikorski and Andrew Honig, published by No Starch Press. It is a very informative book for learning malware analysis and ships with a set of binaries on which to test your reverse engineering skills. I would thoroughly recommend purchasing it.
Special thanks to No Starch Press for the shout-out of this post, and to both Michael Sikorski and Andrew Honig for their permission to create this blog post based on the material and exercises contained within ‘Practical Malware Analysis’.
Notes:
- If your addresses don’t match those given here, it is because another module was already occupying the preferred base address (ImageBase) of the binary in question when it was loaded, so the Windows loader rebased it. This is most common with DLLs; when it happens, every address in your session is shifted by the difference between the preferred base and the actual load base.
- The terms IDA and IDA Pro are used interchangeably here and refer to IDA Pro Freeware v5.0; likewise, variants of ‘xrefs’ are used to mean ‘cross-references’. In some instances Ghidra has been used where scripting or extensions were required and are only available in a paid version of IDA Pro.
- This was completed using three Windows VMs (Windows XP 32-bit, Windows 7 32-bit, Windows 10 64-bit), a pfSense box, and an instance of SIFT Workstation; however, you really only need a couple of VMs (one 32-bit and one 64-bit) as long as they have Python and the tools used (including Snort) installed.
- The Windows 10 and Windows 7 VMs were set up with FLARE VM, the Windows XP machine was loaded with just the tools required, and the SIFT Workstation was used solely for generating YARA rules as extra bonus content.
- VirtualBox was used for virtualisation, except where VMware was required to complete the questions (Chapter 17). In that instance a single Windows XP VM was run in VMware Workstation instead.
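To make the rebasing note concrete, the following is an added example (not from the book or the original post) that reads the preferred ImageBase straight out of a PE header and translates an address from this write-up to the base your own session loaded the module at. It also reports two flags that matter when addresses differ: `IMAGE_FILE_RELOCS_STRIPPED` (an image without relocations cannot be rebased at all) and `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` (ASLR-aware images are expected to move). The header it parses in the demo is constructed in-code, not a lab binary; the helper `build_test_header`, the function names and the sample bases are assumptions made for this example.

```python
import struct

# PE constants (from the PE/COFF specification)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_image_base(data: bytes) -> dict:
    """Return the preferred ImageBase plus relocation-related flags from a PE image.

    Walks MZ -> e_lfanew -> PE signature -> COFF header -> optional header.
    ImageBase lives at optional-header offset 28 (4 bytes) for PE32 and
    offset 24 (8 bytes) for PE32+; DllCharacteristics is at offset 70 in both.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        bits = 32
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        bits = 64
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "bits": bits,
        "image_base": image_base,
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def rebase(address: int, preferred_base: int, actual_base: int) -> int:
    """Translate an address seen at preferred_base (e.g. in IDA, or in this
    write-up) to the equivalent address when the module is loaded at actual_base."""
    return address - preferred_base + actual_base


def build_test_header(image_base: int, pe32plus: bool,
                      characteristics: int = 0, dll_chars: int = 0) -> bytes:
    """Constructed minimal PE header (DOS stub + COFF + optional header) used only
    to exercise parse_image_base offline. It is not a real or lab binary."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224            # standard optional header sizes
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 0x10000000 is the usual linker default for 32-bit DLLs; the actual load
    # base below is an assumed value you would read from your debugger's module list.
    hdr = build_test_header(0x10000000, pe32plus=False, dll_chars=IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    info = parse_image_base(hdr)
    print(info)
    if info["relocs_stripped"]:
        print("no relocations: this image cannot be rebased, addresses should match")
    else:
        print(hex(rebase(0x10001234, info["image_base"], 0x00350000)))
```

In practice, replace the constructed header with `open(path, "rb").read()` on the lab DLL, and take the actual base from the module list of your debugger (or from IDA's "Rebase program" dialog, which performs the same subtraction and addition for every address in the database).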
This concludes the introduction; proceed to the next chapter.