\relax
\@writefile{toc}{\contentsline {section}{\numberline {1}Outline}{1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Background}{1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.2}Basic Analysis}{3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.3}Advanced Analysis}{3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.4}Custom Development}{3}}
\@writefile{toc}{\contentsline {part}{I\hspace {1em}Background Information}{3}}
\@writefile{toc}{\contentsline {section}{\numberline {2}Introduction}{3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Introduction}{3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Malware Analysis}{5}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}Questions to Consider}{6}}
\citation{ACM-17-7}
\@writefile{toc}{\contentsline {section}{\numberline {3}VM's and Live Analysis}{8}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Virtual Machines}{8}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Live Analysis}{9}}
\@writefile{toc}{\contentsline {section}{\numberline {4}Architecture and OS}{13}}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}x86 Architecture}{13}}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Microsoft Windows OS}{15}}
\@writefile{toc}{\contentsline {section}{\numberline {5}PE File Format}{17}}
\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Overview and Headers}{17}}
\@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Interactive Walkthrough}{20}}
\@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Import/Export Address Tables}{26}}
\@writefile{toc}{\contentsline {subsection}{\numberline {5.4}Updated PE32+ and Usage Examples}{30}}
\citation{tinype}
\citation{MSPECOFF}
\citation{CBJ-PE}
\@writefile{toc}{\contentsline {part}{II\hspace {1em}Basic Analysis}{31}}
\@writefile{toc}{\contentsline {section}{\numberline {6}Overview of Analysis Tools}{31}}
\@writefile{toc}{\contentsline {subsection}{\numberline {6.1}Debuggers}{31}}
\@writefile{toc}{\contentsline {subsection}{\numberline {6.2}Disassemblers / Decompilers}{32}}
\@writefile{toc}{\contentsline {subsection}{\numberline {6.3}Other}{34}}
\@input{basic_analysis/python.aux}
\@writefile{toc}{\contentsline {section}{\numberline {7}(Dis)Assembly}{37}}
\@writefile{toc}{\contentsline {subsection}{\numberline {7.1}Crash Course}{37}}
\@writefile{toc}{\contentsline {subsection}{\numberline {7.2}Assembly Patterns}{39}}
\@writefile{toc}{\contentsline {section}{\numberline {8}IDA Pro}{45}}
\@writefile{toc}{\contentsline {subsection}{\numberline {8.1}Overview}{45}}
\citation{csw06-sotirov}
\@writefile{toc}{\contentsline {subsection}{\numberline {8.2}Overview of Views}{47}}
\@writefile{toc}{\contentsline {subsection}{\numberline {8.3}Driving IDA}{51}}
\@writefile{toc}{\contentsline {subsection}{\numberline {8.4}Customizations}{52}}
\@writefile{toc}{\contentsline {section}{\numberline {9}OllyDbg}{53}}
\@writefile{toc}{\contentsline {subsection}{\numberline {9.1}Overview}{53}}
\@writefile{toc}{\contentsline {subsection}{\numberline {9.2}Overview of Views}{54}}
\@writefile{toc}{\contentsline {subsection}{\numberline {9.3}Driving OllyDbg}{60}}
\@writefile{toc}{\contentsline {part}{III\hspace {1em}Advanced Analysis}{62}}
\@writefile{toc}{\contentsline {section}{\numberline {10}Executable (Un)Packing}{62}}
\@writefile{toc}{\contentsline {subsection}{\numberline {10.1}Executable Packing}{62}}
\@writefile{toc}{\contentsline {subsection}{\numberline {10.2}Executable Unpacking}{66}}
\@writefile{toc}{\contentsline {subsection}{\numberline {10.3}Packer Usage Statistics}{69}}
\@writefile{toc}{\contentsline {subsection}{\numberline {10.4}Unpacking Traces}{71}}
\@writefile{toc}{\contentsline {section}{\numberline {11}Anti Reverse Engineering}{75}}
\@writefile{toc}{\contentsline {subsection}{\numberline {11.1}Anti-Debugging}{75}}
\@writefile{toc}{\contentsline {subsection}{\numberline {11.2}Anti-Disassembling}{78}}
\@input{advanced_analysis/compiler_optimizations.aux}
\citation{SOTM-33}
\@writefile{toc}{\contentsline {subsection}{\numberline {11.3}Anti-PE Analysis}{83}}
\citation{VB2001}
\citation{locreate}
\@writefile{toc}{\contentsline {subsection}{\numberline {11.4}Anti-VM}{87}}
\citation{VMDetection4}
\citation{VMDetection1}
\citation{VMDetection2}
\citation{VMDetection3}
\@writefile{toc}{\contentsline {section}{\numberline {12}Binary Diffing and Matching}{90}}
\@writefile{toc}{\contentsline {subsection}{\numberline {12.1}Binary Diffing}{90}}
\@writefile{toc}{\contentsline {subsection}{\numberline {12.2}Example in Malware Analysis}{91}}
\@writefile{toc}{\contentsline {subsection}{\numberline {12.3}Binary Matching}{93}}
\@writefile{toc}{\contentsline {subsection}{\numberline {12.4}Exercises}{94}}
\@writefile{toc}{\contentsline {section}{\numberline {13}Advanced Malware Techniques}{94}}
\@writefile{toc}{\contentsline {subsection}{\numberline {13.1}Advanced Malware Techniques}{94}}
\@writefile{toc}{\contentsline {subsection}{\numberline {13.2}Anti-Detection/Obfuscation Measures}{94}}
\citation{PFerrie-zmist}
\citation{evol}
\citation{PEferrie-simile}
\@writefile{toc}{\contentsline {subsection}{\numberline {13.3}Runtime Hiding Techniques}{97}}
\@writefile{toc}{\contentsline {subsection}{\numberline {13.4}Counter-Measures}{98}}
\@writefile{toc}{\contentsline {part}{IV\hspace {1em}Analysis and Custom Development}{98}}
\@writefile{toc}{\contentsline {section}{\numberline {14}Analysis}{98}}
\@writefile{toc}{\contentsline {subsection}{\numberline {14.1}Analysis I}{98}}
\@writefile{toc}{\contentsline {subsection}{\numberline {14.2}Analysis II}{104}}
\citation{CarreraErdelyiVB04}
\citation{IDAPythonIntro}
\@writefile{toc}{\contentsline {section}{\numberline {15}IDA Python}{112}}
\@writefile{toc}{\contentsline {subsection}{\numberline {15.1}Overview}{112}}
\@writefile{toc}{\contentsline {subsection}{\numberline {15.2}Examples}{113}}
\@writefile{toc}{\contentsline {subsection}{\numberline {15.3}Exercises}{114}}
\@writefile{toc}{\contentsline {section}{\numberline {16}PEFile and PyDasm}{115}}
\@writefile{toc}{\contentsline {subsection}{\numberline {16.1}Overview}{115}}
\@writefile{toc}{\contentsline {subsection}{\numberline {16.2}pefile}{115}}
\@writefile{toc}{\contentsline {subsection}{\numberline {16.3}pydasm}{118}}
\@writefile{toc}{\contentsline {subsection}{\numberline {16.4}Exercises}{119}}
\@writefile{toc}{\contentsline {section}{\numberline {17}PaiMei}{120}}
\@writefile{toc}{\contentsline {subsection}{\numberline {17.1}Overview}{120}}
\@writefile{toc}{\contentsline {subsection}{\numberline {17.2}Command Line Tools}{127}}
\@writefile{toc}{\contentsline {subsection}{\numberline {17.3}GUI and Tools}{131}}
\@writefile{toc}{\contentsline {subsection}{\numberline {17.4}Exercises}{134}}
\@writefile{toc}{\contentsline {section}{\numberline {A}Appendix}{134}}
\bibcite{csw06-sotirov}{Sotirov, 2006}
\bibcite{ACM-17-7}{Communications of the ACM, 1974}
\bibcite{OpenRCE}{OpenRCE}
\bibcite{MSPECOFF}{Microsoft PE and COFF Specification}
\bibcite{CBJ-PE}{PE File Format -- A Reverse Engineer View}
\bibcite{PFerrie-zmist}{Zmist Opportunities}
\bibcite{PEferrie-simile}{Simile/MetaPHOR, Striking Similarities}
\bibcite{CarreraErdelyiVB04}{Digital Genome Mapping}
\bibcite{IDAPythonIntro}{Introduction to IDAPython}
\bibcite{SOTM-33}{Scan of the Month 33}
\bibcite{VB2001}{Tricky Relocations}
\bibcite{locreate}{Locreate}
\bibcite{evol}{The Viral Darwinism of W32.Evol}
\bibcite{tinype}{Tiny PE}
\bibcite{VMDetection1}{Methods for Virtual Machine Detection}
\bibcite{VMDetection2}{On the Cutting Edge: Thwarting Virtual Machine Detection}
\bibcite{VMDetection3}{VMM Detection Myths and Realities}
\bibcite{VMDetection4}{Attacks on More Virtual Machine Emulators}
\@writefile{toc}{\contentsline {subsection}{\numberline {A.1}References}{135}}