Practical Malware Analysis, a complete starter kit

Anyone who works in cybersecurity should read Practical Malware Analysis.

Topics covered are the following:

  • Set up a safe virtual environment to analyze malware
  • Quickly extract network signatures and host-based indicators
  • Use key analysis tools like IDA Pro, OllyDbg, and WinDbg
  • Overcome malware tricks like obfuscation, anti-disassembly, anti-debugging, and anti-virtual machine techniques
  • Use your newfound knowledge of Windows internals for malware analysis
  • Develop a methodology for unpacking malware and get practical experience with five of the most popular packers
  • Analyze special cases of malware with shellcode, C++, and 64-bit code

Throughout the text, there are references to a set of utilities to be used for analysis, not all very easy to find.

bluesoul [dot] me has prepared a package containing all the tools mentioned in the book, and made it freely available from his website

It contains:

  • MD5DEEP 4.4 and related tools (sha1deep, hashdeep, whirlpooldeep, etc) and 64-bit equivalents.
  • WinMD5Free v1.20
  • PEiD v0.95 with KANAL plugin
  • Strings v2.52
  • upx 3.91
  • PEview v0.9.9
  • Resource Hacker v4.2.5
  • PEBrowse Professional v10.1.4
  • PEBrowse64 Professional v6.3.1
  • PE Explorer 1.99 R6 (Trial)
  • Process Monitor (procmon) v3.2
  • Process Explorer (procexp) v16.10
  • Regshot v1.9.0
  • ApateDNS v1.0
  • Netcat (nc) 1.11 and 64-bit build
  • Wireshark v2.0.3
  • FakeNet 1.0c (INetSim alternative for Windows)
  • Combined Volume Set of Intel® 64 and IA-32 Architectures Software Developer’s Manuals
  • IDA Pro Free v5.0 with FindCrypt plugin, IDA Entropy Plugin
  • Autoruns v13.51 and autorunsc
  • OllyDbg v1.10 and v2.01d
  • OllyDump Plugin
  • WinDbg x86 and x64 v6.11.1.404
  • Immunity Debugger (ImmDbg) v1.85
  • SoftICE 4.05 for w98 and NT/XP (SEE FOOTER)
  • SoftIceNT 4.2.7 (from 2.7 Driver Studio build) for XP (SEE FOOTER)
  • OSR Driver Loader v3.0
  • Poison Ivy RAT 2.3.2 (Password is “malware” with no quotes, if the exe is eaten by your AV)
  • pwdump6 (as PwDump.exe)
  • pwdump7
  • Pass-The-Hash Toolkit v1.4
  • Metasploit Framework v4.11.7
  • PyCrypto (Requires Python 2.7)
  • Snort 2.9.8.2
  • ScoopyNG v1.0
  • Mandiant Red Curtain 1.0
  • ASPack 2.39 (Trial)
  • PETite v2.4
  • WinUPack v0.39 Final
  • Themida 2.4.1.0 (Trial)
  • shellcode_launcher.exe (Gone from practicalmalwareanalysis.com)
  • Bochs 2.6.8
  • Burp Suite 1.7.03
  • CaptureBAT 2.0.0–5574
  • Cuckoo 2.0-RC1 (Requires Python)
  • CFF Explorer (As Explorer Suite 4)
  • WinHex 18.8.0.0
  • Import REConstructor (ImpREC) 1.7e
  • LordPE 1.41 Deluxe
  • Malcode Analyst Pack
  • Memoryze 3.0
  • OfficeMalScanner 0.5
  • Zynamics BinDiff 4.20 (Key provided by Zynamics)
  • pdfid.py and pdf-parser.py (Requires Python, obviously)
  • Sandboxie v5.10
  • Buster Sandbox Analyzer v1.88 Update 4
  • TCPView v3.05
  • The Sleuth Kit 4.2.0 for Windows
  • VERA v0.3
  • Volatility 2.5
  • Yara v1.7.1 x86 and x64

Docs and Licenses when given are in their own folders.

bluesoul warns:

This is not a toy. There are malicious code samples provided in the labs. Poison Ivy is real C2 malware. Use extreme caution with this software.

Download: zip or torrent.

The password to open the zip is “malware” with no quotes. You will likely need to make exceptions in your AV for the folder you place and extract this package.


P.S. — I’m not sure that is completely legal, but on this site is available a PDF version of the book.

Comments