Here is a list of the recipes:
Anonymizing Your Activities
- Anonymous Web Browsing with Tor
- Wrapping Wget and Network Clients with Torsocks
- Multi-platform Tor-enabled Downloader in Python
- Forwarding Traffic Through Open Proxies
- Using SSH Tunnels to Proxy Connections
- Privacy-enhanced Web Browsing with Privoxy
- Anonymous Surfing with Anonymous.org
- Internet Access Through Cellular Networks
- Using VPNs with Anonymizer Universal
- Collecting Malware Samples with Nepenthes
- Real-time Attack Monitoring with IRC Logging
- Accepting Nepenthes Submissions over HTTP in Python
- Collecting Malware Samples with Dionaea
- Accepting Dionaea Submissions over HTTP in Python
- Real-time Event Notification and Binary Sharing with XMPP
- Analyzing and Replaying Attacks Logged by Dionaea
- Passive Identification of Remote Systems with p0f
- Graphing Dionaea Attack Patterns with SQLite3 and Gnuplot
- Examining Existing ClamAV Signatures
- Creating a Custom ClamAV Database
- Converting ClamAV Signatures to YARA
- Identifying Packers with YARA and PEiD
- Detecting Malware Capabilities with YARA
- File Type Identification and Hashing in Python
- Writing a Multiple-AV Scanner in Python
- Detecting Malicious PE Files in Python
- Finding Similar Malware with ssdeep
- Detecting Self-modifying Code with ssdeep
- Comparing Binaries with IDA and BinDiff
- Scanning Files with VirusTotal
- Scanning Files with Jotti
- Scanning Files with NoVirusThanks
- Database-enabled Multi-AV Uploader in Python
- Analyzing Malware with ThreatExpert
- Analyzing Malware with CWSandbox
- Analyzing malware with Anubis
- Writing AutoIT Scripts for Joebox
- Defeating Path-dependent Malware with Joebox
- Defeating Process-dependent DLLs with Joebox
- Setting an Active HTTP Proxy with Joebox
- Scanning for Artifacts with Sandbox Results
- Researching Domains with WHOIS
- Resolving DNS Hostnames
- Obtaining IP WHOIS Records
- Querying Passive DNS with BFK
- Checking DNS Records with Robtex
- Performing a Reverse IP Search with DomainTools
- Initiating Zone Transfers with dig
- Brute-forcing Subdomains with dnsmap
- Mapping IP Addresses to ASNs via Shadowserver
- Checking IP Reputation with RBLs
- Detecting Fast Flux with Passive DNS and TTLs
- Tracking Fast Flux Domains with Tracker
- Static Maps with Maxmind, Matplotlib and pygoeip
- Interactive Maps with Google Charts API
- Analyzing JavaScript with Spidermonkey
- Automatically Decoding JavaScript with Jsunpack
- Optimizing Jsunpack-n Decodings for Speed and Completeness
- Triggering Exploits by Emulating Browser DOM Elements
- Extracting JavaScript from PDF Files with pdf.py
- Triggering Exploits by Faking PDF Software Versions
- Leveraging Didier Stevens's PDF Tools
- Determining which Vulnerabilities a PDF File Exploits
- Disassembling Shellcode with DiStorm
- Emulating Shellcode with Libemu
- Analyzing Microsoft Office Files with OfficeMalScanner
- Debugging Office Shellcode with DisView and MalHost-Setup
- Extracting HTTP Files from Packet Captures with Jsunpack
- Graphing URL Relationships with Jsunpack
- Routing TCP/IP Connections in Your Lab
- Capturing and Analyzing Network Traffic
- Simulating the Internet with INetSim
- Manipulating HTTP/HTTPS with Burp Proxy
- Using Joe Stewart's Truman
- Preserving Physical Systems with Deep Freeze
- Cloning and Imaging Disks with FOG
- Automating FOG Tasks with the MySQL Database
- Automated Malware Analysis with VirtualBox
- Working with VirtualBox Disk and Memory Images
- Automated Malware Analysis with VMware
- Capturing Packets with TShark via Python
- Collecting Network Logs with INetSim via Python
- Analyzing Memory Files with Volatility
- Putting All the Sandbox Pieces Together
- Automated Analysis with Zero Wine and QEMU
- Automated Analysis with Sandboxie and Buster
- Logging API Calls with Process Monitor
- Change Detection with Regshot
- Receiving File System Change Notifications
- Receiving Registry Change Notifications
- Handle Table Diffing
- Exploring Code Injection with HandleDiff
- Watching Bankpatch.C Disable Windows File Protection
- Building an API Monitor with Microsoft Detours
- Following Child Processes with your API Monitor
- Capturing Process, Thread, and Image Load Events
- Preventing Processes from Terminating
- Preventing Malware from Deleting Files
- Preventing Drivers from Loading
- Using the Data Preservation Module
- Creating a Custom Command Shell with ReactOS
- Discovering Alternate Data Streams with TSK
- Detecting Hidden Files and Directories with TSK
- Finding Hidden Registry Data with Microsoft's Offline API
- Bypassing Poison Ivy's Locked Files
- Bypassing Conficker's File System ACL Restrictions
- Scanning for Rootkits with GMER
- Detecting HTML Injection by Inspecting IE's DOM
- Registry Forensics with RegRipper Plug-ins
- Detecting Rogue Installed PKI Certificates
- Examining Malware that Leaks Data into the Registry
- Opening and Attaching to Processes
- Configuring a JIT Debugger for Shellcode Analysis
- Getting Familiar with the Debugger GUI
- Exploring Process Memory and Resources
- Controlling Program Execution
- Setting and Catching Breakpoints
- Using Conditional Log Breakpoints
- Debugging with Python Scripts and PyCommands
- Detecting Shellcode in Binary Files
- Investigating Silentbanker's API Hooks
- Manipulating Process Memory with WinAppDbg Tools
- Designing a Python API Monitor with WinAppDbg
- Reversing XOR Algorithms in Python
- Detecting XOR Encoded Data with yaratize
- Decoding Base64 with Special Alphabets
- Isolating Encrypted Data in Packet Captures
- Finding Crypto with SnD Reverser Tool, FindCrypt, and Kanal
- Porting OpenSSL Symbols with Zynamics BinDiff
- Decrypting Data in Python with PyCrypto
- Finding OEP in Packed Malware
- Dumping Process Memory with LordPE
- Rebuilding Import Tables with ImpREC
- Cracking Domain Generation Algorithms
- Decoding Strings with x86emu and Python
- Enumerating DLL Exports
- Executing DLLs with rundll3exe
- Bypassing Host Process Restrictions
- Calling DLL Exports Remotely with rundll32ex
- Debugging DLLs with LOADDLL.EXE
- Catching Breakpoints on DLL Entry Points
- Executing DLLs as a Windows Service
- Converting DLLs to Standalone Executables
- Local Debugging with LiveKd
- Enabling the Kernel's Debug Boot Switch
- Debug a VMware Workstation Guest (on Windows)
- Debug a Parallels Guests (on Mac OS X)
- Introduction to WinDbg Commands and Controls
- Exploring Processes and Process Contexts
- Exploring Kernel Memory
- Catching Breakpoints on Driver Load
- Unpacking Drivers to OEP
- Dumping and Rebuilding Kernel Drivers
- Detecting Rootkits with WinDbg Scripts
- Kernel Debugging with IDA Pro
- Dumping Memory with MoonSols Windows Memory Toolkit
- Remote, Read-only Memory Acquisition with F-Response
- Accessing Virtual Machine Memory Files
- Volatility in a Nutshell
- Investigating Processes in Memory Dumps
- Detecting DKOM Attacks with psscan
- Exploring csrss.exe's Alternate Process Listings
- Recognizing Process Context Tricks
- Hunting Suspicious Loaded DLLs
- Detecting Unlinked DLLs with ldr_modules
- Exploring Virtual Address Descriptors (VAD)
- Translating Page Protections
- Finding Artifacts in Process Memory
- Identifying Injected Code with Malfind and YARA
- Rebuilding Executable Images from Memory
- Scanning for Imported Functions with impscan
- Dumping Suspicious Kernel Modules
- Detecting IAT hooks
- Detecting EAT hooks
- Detecting Inline API hooks
- Detecting Interrupt Descriptor Table (IDT) Hooks
- Detecting Driver IRP Hooks
- Detecting SSDT Hooks
- Automating Damn Near Everything with ssdt_ex
- Finding Rootkits with Detached Kernel Threads
- Identifying System-wide Notification Routines
- Locating Rogue Service Processes with svcscan
- Scanning for Mutex Objects with mutantscan
- Exploring Socket and Connection Objects
- Analyzing the Network Artifacts Left by Zeus
- Detecting Attempts to Hide TCP/IP Activity
- Detecting Raw Sockets and Promiscuous NICs
- Analyzing Registry Artifacts with Memory Registry Tools
- Sorting Keys by Last Written Timestamp
- Using Volatility with RegRipper
9 comments:
Congratulations you guys! Nice work.
Nice! Ordered :)
The book is excellent - the best I've ever seen on the topic. Current, relevant cutting edge material. I expect my copy to become quite dog-eared as a serious go-to reference as well as a learning aide. A cast of very bright authors, all professionals in the field of malware analysis make this book a must-have.
Hello Michael, really awesome books. If you don't mind I just post my news blog about the books. Just want to ask your permission.
Congrats on the book. I'll be adding it to my reading list.
But the Kindle price is a tad high though, especially when you don't get the DVD. -$1.78 difference for me (norwegian customer)
Right, the Kindle version doesn't come with the DVD - something we've discussed with many people here (http://www.malwarecookbook.com/?p=25#comments). Just send us an email at malwarecookbook at gmail dot com and we'll get you set up. Regarding price...we have nothing to do with that - its a complaint for Amazon/Wiley.
Congratulations on your excellent book!
The only problem is I can not send files collected with the Dionaea honeypot to a central server using a technique that you suggested and scripts that are on dvd in the recipe 2-3.
The recipe is correct?!
Thank you in advance and congratulations again.
Hi merlinX,
Unfortunately you'll have to be a bit more descriptive with any errors you're seeing or the steps that are giving you problems...
You can also email us at malwarecookbook at gmail dot com if you need some support.
An excellent book on this intriguing topic of MALWARE ANALYSIS. I'm going to use it as a reference and learning aid. Thanks a lot for bringing out such a resourceful book and sharing the knowledge with the rest of us. God Bless You. :)
ivadval at gmail dot com
Post a Comment