3
Contents
About the Author .............................................................................................................................................................. 5
Introduction ...................................................................................................................................................................... 7
Practice Exercises ........................................................................................................................................................... 17
Exercise 0: Download, setup and verify your WinDbg installation ............................................................................ 22
Exercise M1A .............................................................................................................................................................. 35
Exercise M1B .............................................................................................................................................................. 48
Exercise M2 ................................................................................................................................................................. 60
Exercise M3 ................................................................................................................................................................. 77
Exercise M4 ............................................................................................................................................................... 130
Exercise M5 ............................................................................................................................................................... 186
Exercise M6 ............................................................................................................................................................... 210
Selected Q&A ................................................................................................................................................................ 232
Appendix ....................................................................................................................................................................... 235
Malware Analysis Patterns ....................................................................................................................................... 237
Deviant Module .................................................................................................................................................... 237
Deviant Token ....................................................................................................................................................... 244
Driver Device Collection ....................................................................................................................................... 245
Execution Residue ................................................................................................................................................ 246
Fake Module ......................................................................................................................................................... 270
Hidden Module ..................................................................................................................................................... 274
Hidden Process ..................................................................................................................................................... 276
Hooksware ............................................................................................................................................................ 278
Namespace ........................................................................................................................................................... 279
No Component Symbols ....................................................................................................................................... 280
Out-of-Module Pointer ......................................................................................................................................... 283
Packed Code ......................................................................................................................................................... 284
Patched Code ........................................................................................................................................................ 287
Pre-Obfuscation Residue ...................................................................................................................................... 288
Raw Pointer .......................................................................................................................................................... 289
RIP Stack Trace ..................................................................................................................................................... 290
Self-Diagnosis (Kernel Mode) ............................................................................................................................... 292
Stack Trace Collection .......................................................................................................................................... 293
Stack Trace Collection (I/O Requests) .................................................................................................................. 301
