Let have This book and Go mad —>

WINDOWS INTERNALS - PART 1

Introduction to Malware Analysis

1. What is Malware?
   • Definition and brief history.
   • Goals of malware (e.g., stealing information, disrupting services).
   • Examples: we are malware (just a joke it is a piece of software which can do malicious activity to get your credintial’s)
2. Why Analyze Malware?
   • Understanding threats.
   • Creating defense strategies.
   • Reverse engineering for threat intelligence.

Types of Malware

1. Common Types of Malware
   • Viruses: Self-replicating programs that modify other files.
   • Worms: Standalone programs that spread via networks.
   • Trojans: Disguised as legitimate software to trick users.
   • Ransomware: Encrypts data, demands ransom ( Only decrept after the paid for Attacker : ) ).
   • Rootkits: Deeply embedded to hide malicious activity.
   • Fileless Malware: Operates without leaving traces on disk.
2. Advanced Malware Techniques
   • Polymorphic or ofcusticated malware malware: Changes its appearance to evade detection.
   • Metamorphic malware: Rewrites its code completely while maintaining functionality.

Basic Malware Analysis Methodologies

1. Static Analysis
   • What is Static Analysis?
     • Examining the code without executing it.
   • Tools: PE Explorer, IDA Pro, Ghidra.
   • Steps:
     1. Analyzing the PE header (file format).
     2. Extracting strings to find hints about functionality (e.g., URLs, commands).
     3. Reviewing import/export tables to identify API calls.
   • Example: Analyzing a malicious binary to identify its command-and-control (C2) infrastructure using strings.
2. Dynamic Analysis
   • What is Dynamic Analysis?
     • Observing the behavior of malware in a sandbox or virtual environment.
   • Tools: Cuckoo Sandbox, Process Monitor, Wireshark.
   • Steps:
     1. Running malware in a controlled environment.
     2. Monitoring file system changes, network traffic, and registry modifications.
   • Example: Using Cuckoo Sandbox to observe network connections and identify potential data exfiltration.

Deep Dive into Windows APIs and Malware Interaction

1. Windows Process Management APIs
   • How malware creates, terminates, and manipulates processes.
   • Key APIs: CreateProcess, OpenProcess, TerminateProcess.
   • Example: A malware that uses CreateProcess ,SubProcess to launch a hidden PowerShell script for persistence.
2. Windows Memory Management APIs
   • Techniques used by malware to allocate, read, and write memory.
   • Key APIs: VirtualAlloc, ReadProcessMemory, WriteProcessMemory.
   • Example: Injecting code into legitimate processes using memory allocation APIs.
3. DLL Injection Techniques
   • What is DLL Injection?
     • Forcing a malicious DLL to be loaded into a legitimate process.
   • Key Techniques: Remote Thread Injection, Reflective DLL Injection.
   • Example: Injecting a malicious DLL into explorer.exe to evade detection by security software.
4. Registry Manipulation

• How malware manipulates the Windows Registry to establish persistence.
• Key APIs: RegCreateKeyEx, RegSetValueEx.
• Example: Creating a registry key under Run to ensure malware starts on system boot.