Introduction.
On The Book's DVD.
1 Anonymizing Your Activities.
Recipe 1-1: Anonymous Web Browsing with Tor.
Recipe 1-2: Wrapping Wget and Network Clients with Torsocks.
Recipe 1-3: Multi-platform Tor-enabled Downloader in Python.
Recipe 1-4: Forwarding Traffic through Open Proxies.
Recipe 1-5: Using SSH Tunnels to Proxy Connections.
Recipe 1-6: Privacy-enhanced Web browsing with Privoxy.
Recipe 1-7: Anonymous Surfing with Anonymouse.org.
Recipe 1-8: Internet Access through Cellular Networks.
Recipe 1-9: Using VPNs with Anonymizer Universal.
2 Honeypots.
Recipe 2-1: Collecting Malware Samples with Nepenthes.
Recipe 2-2: Real-Time Attack Monitoring with IRC Logging.
Recipe 2-3: Accepting Nepenthes Submissions over HTTP with Python.
Recipe 2-4: Collecting Malware Samples with Dionaea.
Recipe 2-5: Accepting Dionaea Submissions over HTTP with Python.
Recipe 2-6: Real-time Event Notification and Binary Sharing with XMPP.
Recipe 2-7: Analyzing and Replaying Attacks Logged by Dionaea.
Recipe 2-8: Passive Identification of Remote Systems with p0f.
Recipe 2-9: Graphing Dionaea Attack Patterns with SQLite and Gnuplot.
3 Malware Classification.
Recipe 3-1: Examining Existing ClamAV Signatures.
Recipe 3-2: Creating a Custom ClamAV Database.
Recipe 3-3: Converting ClamAV Signatures to YARA.
Recipe 3-4: Identifying Packers with YARA and PEiD.
Recipe 3-5: Detecting Malware Capabilities with YARA.
Recipe 3-6: File Type Identification and Hashing in Python.
Recipe 3-7: Writing a Multiple-AV Scanner in Python.
Recipe 3-8: Detecting Malicious PE Files in Python.
Recipe 3-9: Finding Similar Malware with ssdeep.
Recipe 3-10: Detecting Self-modifying Code with ssdeep.
Recipe 3-11: Comparing Binaries with IDA and BinDiff.
4 Sandboxes and Multi-AV Scanners.
Recipe 4-1: Scanning Files with VirusTotal.
Recipe 4-2: Scanning Files with Jotti.
Recipe 4-3: Scanning Files with NoVirusThanks.
Recipe 4-4: Database-Enabled Multi-AV Uploader in Python.
Recipe 4-5: Analyzing Malware with ThreatExpert.
Recipe 4-6: Analyzing Malware with CWSandbox.
Recipe 4-7: Analyzing Malware with Anubis.
Recipe 4-8: Writing AutoIT Scripts for Joebox.
Recipe 4-9: Defeating Path-dependent Malware with Joebox.
Recipe 4-10: Defeating Process-dependent DLLs with Joebox.
Recipe 4-11: Setting an Active HTTP Proxy with Joebox.
Recipe 4-12: Scanning for Artifacts with Sandbox Results.
5 Researching Domains and IP Addresses.
Recipe 5-1: Researching Domains with WHOIS.
Recipe 5-2: Resolving DNS Hostnames.
Recipe 5-3: Obtaining IP WHOIS Records.
Recipe 5-4: Querying Passive DNS with BFK.
Recipe 5-5: Checking DNS Records with Robtex.
Recipe 5-6: Performing a Reverse IP Search with DomainTools.
Recipe 5-7: Initiating Zone Transfers with dig.
Recipe 5-8: Brute-forcing Subdomains with dnsmap.
Recipe 5-9: Mapping IP Addresses to ASNs via Shadowserver.
Recipe 5-10: Checking IP Reputation with RBLs.
Recipe 5-11: Detecting Fast Flux with Passive DNS and TTLs.
Recipe 5-12: Tracking Fast Flux Domains.
Recipe 5-13: Static Maps with Maxmind, matplotlib, and pygeoip.
Recipe 5-14: Interactive Maps with Google Charts API.
6 Documents, Shellcode, and URLs.
Recipe 6-1: Analyzing JavaScript with Spidermonkey.
Recipe 6-2: Automatically Decoding JavaScript with Jsunpack.
Recipe 6-3: Optimizing Jsunpack-n Decodings for Speed and Completeness.
Recipe 6-4: Triggering Exploits by Emulating Browser DOM Elements.
Recipe 6-5: Extracting JavaScript from PDF Files with pdf.py.
Recipe 6-6: Triggering Exploits by Faking PDF Software Versions.
Recipe 6-7: Leveraging Didier Stevens's PDF Tools.
Recipe 6-8: Determining which Vulnerabilities a PDF File Exploits.
Recipe 6-9: Disassembling Shellcode with DiStorm.
Recipe 6-10: Emulating Shellcode with Libemu.
Recipe 6-11: Analyzing Microsoft Office Files with OfficeMalScanner.
Recipe 6-12: Debugging Office Shellcode with DisView and MalHost-setup.
Recipe 6-13: Extracting HTTP Files from Packet Captures with Jsunpack.
Recipe 6-14: Graphing URL Relationships with Jsunpack.
7 Malware Labs.
Recipe 7-1: Routing TCP/IP Connections in Your Lab.
Recipe 7-2: Capturing and Analyzing Network Traffic.
Recipe 7-3: Simulating the Internet with INetSim.
Recipe 7-4: Manipulating HTTP/HTTPS with Burp Suite.
Recipe 7-5: Using Joe Stewart's Truman.
Recipe 7-6: Preserving Physical Systems with Deep Freeze.
Recipe 7-7: Cloning and Imaging Disks with FOG.
Recipe 7-8: Automating FOG Tasks with the MySQL Database.
8 Automation.
Recipe 8-1: Automated Malware Analysis with VirtualBox.
Recipe 8-2: Working with VirtualBox Disk and Memory Images.
Recipe 8-3: Automated Malware Analysis with VMware.
Recipe 8-4: Capturing Packets with TShark via Python.
Recipe 8-5: Collecting Network Logs with INetSim via Python.
Recipe 8-6: Analyzing Memory Dumps with Volatility.
Recipe 8-7: Putting all the Sandbox Pieces Together.
Recipe 8-8: Automated Analysis with ZeroWine and QEMU.
Recipe 8-9: Automated Analysis with Sandboxie and Buster.
9 Dynamic Analysis.
Recipe 9-1: Logging API calls with Process Monitor.
Recipe 9-2: Change Detection with Regshot.
Recipe 9-3: Receiving File System Change Notifications.
Recipe 9-4: Receiving Registry Change Notifications.
Recipe 9-5: Handle Table Diffing.
Recipe 9-6: Exploring Code Injection with HandleDiff.
Recipe 9-7: Watching Bankpatch.C Disable Windows File Protection.
Recipe 9-8: Building an API Monitor with Microsoft Detours.
Recipe 9-9: Following Child Processes with Your API Monitor.
Recipe 9-10: Capturing Process, Thread, and Image Load Events.
Recipe 9-11: Preventing Processes from Terminating.
Recipe 9-12: Preventing Malware from Deleting Files.
Recipe 9-13: Preventing Drivers from Loading.
Recipe 9-14: Using the Data Preservation Module.
Recipe 9-15: Creating a Custom Command Shell with ReactOS.
10 Malware Forensics.
Recipe 10-1: Discovering Alternate Data Streams with TSK.
Recipe 10-2: Detecting Hidden Files and Directories with TSK.
Recipe 10-3: Finding Hidden Registry Data with Microsoft's Offline API.
Recipe 10-4: Bypassing Poison Ivy's Locked Files.
Recipe 10-5: Bypassing Conficker's File System ACL Restrictions.
Recipe 10-6: Scanning for Rootkits with GMER.
Recipe 10-7: Detecting HTML Injection by Inspecting IE's DOM.
Recipe 10-8: Registry Forensics with RegRipper Plug-ins.
Recipe 10-9: Detecting Rogue-Installed PKI Certificates.
Recipe 10-10: Examining Malware that Leaks Data into the Registry.
11 Debugging Malware.
Recipe 11-1: Opening and Attaching to Processes.
Recipe 11-2: Configuring a JIT Debugger for Shellcode Analysis.
Recipe 11-3: Getting Familiar with the Debugger GUI.
Recipe 11-4: Exploring Process Memory and Resources.
Recipe 11-5: Controlling Program Execution.
Recipe 11-6: Setting and Catching Breakpoints.
Recipe 11-7: Using Conditional Log Breakpoints.
Recipe 11-8: Debugging with Python Scripts and PyCommands.
Recipe 11-9: Detecting Shellcode in Binary Files.
Recipe 11-10: Investigating Silentbanker's API Hooks.
Recipe 11-11: Manipulating Process Memory with WinAppDbg Tools.
Recipe 11-12: Designing a Python API Monitor with WinAppDbg.
12 De-Obfuscation.
Recipe 12-1: Reversing XOR Algorithms in Python.
Recipe 12-2: Detecting XOR Encoded Data with yaratize.
Recipe 12-3: Decoding Base64 with Special Alphabets.
Recipe 12-4: Isolating Encrypted Data in Packet Captures.
Recipe 12-5: Finding Crypto with SnD Reverser Tool, FindCrypt, and Kanal.
Recipe 12-6: Porting OpenSSL Symbols with Zynamics BinDiff.
Recipe 12-7: Decrypting Data in Python with PyCrypto.
Recipe 12-8: Finding OEP in Packed Malware.
Recipe 12-9: Dumping Process Memory with LordPE.
Recipe 12-10: Rebuilding Import Tables with ImpREC.
Recipe 12-11: Cracking Domain Generation Algorithms.
Recipe 12-12: Decoding Strings with x86emu and Python.
13 Working with DLLs.
Recipe 13-1: Enumerating DLL Exports.
Recipe 13-2: Executing DLLs with rundll32.exe.
Recipe 13-3: Bypassing Host Process Restrictions.
Recipe 13-4: Calling DLL Exports Remotely with rundll32ex.
Recipe 13-5: Debugging DLLs with LOADDLL.EXE.
Recipe 13-6: Catching Breakpoints on DLL Entry Points.
Recipe 13-7: Executing DLLs as a Windows Service.
Recipe 13-8: Converting DLLs to Standalone Executables.
14 Kernel Debugging.
Recipe 14-1: Local Debugging with LiveKd.
Recipe 14-2: Enabling the Kernel’s Debug Boot Switch.
Recipe 14-3: Debug a VMware Workstation Guest (on Windows).
Recipe 14-4: Debug a Parallels Guest (on Mac OS X).
Recipe 14-5: Introduction to WinDbg Commands and Controls.
Recipe 14-6: Exploring Processes and Process Contexts.
Recipe 14-7: Exploring Kernel Memory.
Recipe 14-8: Catching Breakpoints on Driver Load.
Recipe 14-9: Unpacking Drivers to OEP.
Recipe 14-10: Dumping and Rebuilding Drivers.
Recipe 14-11: Detecting Rootkits with WinDbg Scripts.
Recipe 14-12: Kernel Debugging with IDA Pro.
15 Memory Forensics with Volatility.
Recipe 15-1: Dumping Memory with MoonSols Windows Memory Toolkit.
Recipe 15-2: Remote, Read-only Memory Acquisition with F-Response.
Recipe 15-3: Accessing Virtual Machine Memory Files.
Recipe 15-4: Volatility in a Nutshell.
Recipe 15-5: Investigating Processes in Memory Dumps.
Recipe 15-6: Detecting DKOM Attacks with psscan.
Recipe 15-7: Exploring csrss.exe’s Alternate Process Listings.
Recipe 15-8: Recognizing Process Context Tricks.
16 Memory Forensics: Code Injection and Extraction.
Recipe 16-1: Hunting Suspicious Loaded DLLs.
Recipe 16-2: Detecting Unlinked DLLs with ldr_modules.
Recipe 16-3: Exploring Virtual Address Descriptors (VAD).
Recipe 16-4: Translating Page Protections.
Recipe 16-5: Finding Artifacts in Process Memory.
Recipe 16-6: Identifying Injected Code with Malfind and YARA.
Recipe 16-7: Rebuilding Executable Images from Memory.
Recipe 16-8: Scanning for Imported Functions with impscan.
Recipe 16-9: Dumping Suspicious Kernel Modules.
17 Memory Forensics: Rootkits.
Recipe 17-1: Detecting IAT Hooks.
Recipe 17-2: Detecting EAT Hooks.
Recipe 17-3: Detecting Inline API Hooks.
Recipe 17-4: Detecting Interrupt Descriptor Table (IDT) Hooks.
Recipe 17-5: Detecting Driver IRP Hooks.
Recipe 17-6: Detecting SSDT Hooks.
Recipe 17-7: Automating Damn Near Everything with ssdt_ex.
Recipe 17-8: Finding Rootkits with Detached Kernel Threads.
Recipe 17-9: Identifying System-Wide Notification Routines.
Recipe 17-10: Locating Rogue Service Processes with svcscan.
Recipe 17-11: Scanning for Mutex Objects with mutantscan.
18 Memory Forensics: Network and Registry.
Recipe 18-1: Exploring Socket and Connection Objects.
Recipe 18-2: Analyzing Network Artifacts Left by Zeus.
Recipe 18-3: Detecting Attempts to Hide TCP/IP Activity.
Recipe 18-4: Detecting Raw Sockets and Promiscuous NICs.
Recipe 18-5: Analyzing Registry Artifacts with Memory Registry Tools.
Recipe 18-6: Sorting Keys by Last Written Timestamp.
Recipe 18-7: Using Volatility with RegRipper.
Index.