MUST USE TOOLS AND REFERENCES FOR MALWARE ANALYSIS.
There are some important tools and tutorials that one MUST read and use in order to be successful in malware analysis. I will briefly explain some of them here and try to provide download links. Some links might be broken or dead. If you have any problem downloading this software or these books, just email me and I will provide a new link.
Books and Tutorials
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig
For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you'll be able to safely analyze, debug, and disassemble any malicious software that comes your way. You'll learn how to:
- Set up a safe virtual environment to analyze malware
- Quickly extract network signatures and host-based indicators
- Use key analysis tools like IDA Pro, OllyDbg, and WinDbg
- Overcome malware tricks like obfuscation, anti-disassembly, anti-debugging, and anti-virtual machine techniques
- Use your newfound knowledge of Windows internals for malware analysis
- Develop a methodology for unpacking malware and get practical experience with five of the most popular packers
- Analyze special cases of malware with shellcode, C++, and 64-bit code.
Portable Executable File Format - A Reverse Engineer View (Code Breakers Magazine, Volume 1, Issue 2, 2006)
If you want to know the exact structure of Windows Portable Executable (PE) files, this is the article you want to read. Almost every tool listed below (packer detectors, PE editors, debuggers) works by walking these headers: DOS header, PE signature, COFF header, optional header and the section table, so it is worth learning them before relying on the tools.
Win32 Assembly Tutorials.
This is a pretty old but useful tutorial about Win32 assembly programming. It covers how to write simple Win32 applications and how to use the Windows API, and it includes a nice PE tutorial in assembly. BUT you must know assembly language programming in order to understand it, so to learn assembly programming see the next book.
Assembly Language for x86 Processors, Seventh Edition, by Kip Irvine.
Assembly Language for x86 Processors, 7e is intended for use in undergraduate courses in assembly language programming and introductory courses in computer systems and computer architecture. This title is also suitable for embedded systems programmers and engineers, communication specialists, game programmers, and graphics programmers. Proficiency in one other programming language, preferably Java, C, or C++, is recommended. Written specifically for 32- and 64-bit Intel/Windows platforms, this complete and fully updated study of assembly language teaches students to write and debug programs at the machine level. This text simplifies and demystifies concepts that students need to grasp before they can go on to more advanced computer architecture and operating systems courses. Students put theory into practice through writing software at the machine level, creating a memorable experience that gives them the confidence to work in any OS/machine-oriented environment.
Tools and Software
OllyDbg is a 32-bit assembler-level analysing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is shareware, but you can use it for free. Keep in mind that it handles 32-bit targets only; for 64-bit code you need another debugger, such as WinDbg or IDA's own debugger.
IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Well, that's true. This is very sophisticated software with which you can do almost everything: debugging, reading and patching code is very easy with this interactive disassembler, but you need to take some time to learn it.
This is an old but very handy tool. PEiD is an intuitive application that relies on its user-friendly interface to detect packers, cryptors and compilers found in PE executable files. Its detection rate is higher than that of other similar tools since it ships with more than 600 packer, cryptor and compiler signatures for PE files. The signatures are byte patterns matched mainly at the entry point, so a modified stub or an unknown packer simply reports "Nothing found"; treat the result as a hint and also look at section names, section entropy and the import table, which is what you do by hand when the signature database is silent.
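To make the PE structure from the Code Breakers article and PEiD's approach concrete, here is an added example (my code, not the page author's or any of the tools' own code) that walks the DOS header, PE signature, COFF header, optional header and section table of an image, maps the entry point RVA back to a file offset, and then applies PEiD-style checks: an entry point signature, section names, an executable section with no raw data, and entropy of the entry section. The signature table holds a single constructed entry for the classic UPX stub prologue (pushad; mov esi, imm32; lea edi, [esi+imm32]) in the spirit of PEiD's userdb; the two sample images are built in memory, are not real programs, and the packed one uses a hash chain to stand in for compressed data.

```python
import hashlib
import math
import struct
from collections import namedtuple

Section = namedtuple("Section", "name vsize va rawsize rawptr flags")
PE = namedtuple("PE", "machine is64 entry_rva image_base sections")
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* section flags

# Constructed, PEiD-userdb-style table: bytes expected at the entry point,
# None is a wildcard. The only entry is the classic UPX stub prologue.
SIG_TABLE = {"UPX stub prologue": [0x60, 0xBE, None, None, None, None, 0x8D, 0xBE]}

def parse_pe(data):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at optional header +28
        is64, image_base = False, struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at optional header +24
        is64, image_base = True, struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, va, rawsize, rawptr, flags))
    return PE(machine, is64, entry_rva, image_base, sections)

def section_for_rva(pe, rva):
    for s in pe.sections:
        if s.va <= rva < s.va + max(s.vsize, s.rawsize):
            return s
    return None

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset; None when no file bytes back it (e.g. an empty UPX0)."""
    s = section_for_rva(pe, rva)
    if s is None or rva - s.va >= s.rawsize:
        return None
    return s.rawptr + (rva - s.va)

def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits close to 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def packer_indicators(data):
    """Return human-readable reasons to suspect the image is packed (empty list if none)."""
    pe, hits = parse_pe(data), []
    ep = section_for_rva(pe, pe.entry_rva)
    if ep is None:
        hits.append("entry point outside every section")
    else:
        if ep.flags & MEM_WRITE:
            hits.append("entry point in writable section %s" % ep.name)
        e = entropy(data[ep.rawptr:ep.rawptr + ep.rawsize])
        if e > 7.0:
            hits.append("entry section %s entropy %.2f" % (ep.name, e))
    for s in pe.sections:
        if s.name.upper().startswith("UPX"):
            hits.append("packer section name %s" % s.name)
        if s.rawsize == 0 and s.vsize and s.flags & MEM_EXECUTE:
            hits.append("executable section %s with no raw data" % s.name)
    off = rva_to_offset(pe, pe.entry_rva)
    if off is not None:  # PEiD-style signature match at the entry point
        for label, sig in SIG_TABLE.items():
            win = data[off:off + len(sig)]
            if len(win) == len(sig) and all(p is None or p == b for p, b in zip(sig, win)):
                hits.append("entry point signature: " + label)
    return hits

def build_sample_pe(packed):
    """Constructed 32-bit PE image for demonstration; it is not a runnable program."""
    hdr_size, falign = 0x400, 0x200
    if packed:  # UPX-like layout: empty UPX0 plus a high-entropy UPX1 holding the stub
        stub = bytes([0x60, 0xBE, 0x00, 0x10, 0x40, 0x00, 0x8D, 0xBE,
                      0x00, 0xF0, 0xFF, 0xFF, 0x57, 0x83, 0xCD, 0xFF])
        blob = stub + b"".join(hashlib.sha256(b"upx%d" % i).digest() for i in range(80))
        layout = [(b"UPX0", 0x4000, 0x1000, b"", 0xE0000080),
                  (b"UPX1", 0x1000, 0x5000, blob[:falign * 5], 0xE0000040)]
        entry = 0x5000
    else:       # plain .text (push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret) and .data
        text = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) * 64
        layout = [(b".text", 0x1000, 0x1000, text, 0x60000020),
                  (b".data", 0x1000, 0x2000, b"hello\0", 0xC0000040)]
        entry = 0x1000
    body = headers = b""
    for name, vsize, va, raw, flags in layout:
        raw = raw.ljust(-(-len(raw) // falign) * falign, b"\0")  # pad to FileAlignment
        rawptr = hdr_size + len(body) if raw else 0
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), rawptr, 0, 0, 0, 0, flags)
        body += raw
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry,
                      0x1000, 0x2000, 0x400000, 0x1000, falign).ljust(0xE0, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x0102)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(hdr_size, b"\0") + body

if __name__ == "__main__":
    for packed in (False, True):
        print("packed" if packed else "plain", packer_indicators(build_sample_pe(packed)))
```

Run it as-is to see the plain image produce no indicators and the UPX-like image trigger all of them; point `parse_pe` at `open(path, "rb").read()` for a real sample. The entropy threshold of 7.0 and the signature table are the parts you tune: real packers differ, which is exactly why a signature-only tool like PEiD goes quiet on anything it has not seen.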
PE Explorer lets you open, view and edit a variety of different 32-bit Windows executable file types (also called PE files) ranging from the common, such as EXE, DLL and ActiveX controls, to the less familiar types, such as SCR (screensavers), CPL (Control Panel applets), SYS, MSSTYLES, BPL, DPL and more (including executable files that run on the MS Windows Mobile platform). But the problem is that it's not free. Don't worry, there are lots of free tools that you can use instead of PE Explorer.
Strings (from Sysinternals) just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters. Note that it works under Windows 95 as well. The default minimum length of 3 produces a lot of noise on a real binary, so raise it with the -n switch when you are looking for URLs, paths, registry keys and API names; and remember that a packed sample shows almost no meaningful strings until it has been unpacked.
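As an added example of what Strings does, and of the "quickly extract network signatures and host-based indicators" step from the Practical Malware Analysis list above, here is my own implementation (not the Sysinternals tool and not code from this page): it pulls ASCII and UTF-16LE runs of a minimum length out of a byte buffer the way strings.exe does by default, then sorts the hits into indicator classes (URL, IPv4, registry key, file path, mutex, module name, and a short list of APIs commonly used for injection and download). The sample buffer, the 198.51.100.0/24 address (a documentation range), the mutex name and the API list are constructed for the demonstration.

```python
import re

ASCII_PRINTABLE = rb"[\x20-\x7e]"

# Constructed stand-in for a binary: printable ASCII and UTF-16LE runs separated
# by non-printable bytes. Nothing here comes from a real sample.
SAMPLE = (b"\x00\x01\x02MZ\x90\x00kernel32.dll\x00CreateRemoteThread\x00\xff\xfe"
          b"http://198.51.100.23/gate.php\x00AB\x01\x02"
          + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
          + b"\x01\x02" + "C:\\Users\\Public\\svchost.exe".encode("utf-16-le") + b"\x00\x00"
          + b"\x7f" + "Global\\SampleMutex".encode("utf-16-le") + b"\x00\x00")

# Illustrative list of APIs that deserve a second look when they show up in strings.
API_NAMES = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "SetWindowsHookExA",
             "SetWindowsHookExW", "URLDownloadToFileA", "URLDownloadToFileW", "WinExec",
             "IsDebuggerPresent"}

# Ordered: a URL must be classified before the IPv4 it may contain, a drive path
# before the generic module-name check that would also match its ".exe" suffix.
PATTERNS = [
    ("url", re.compile(r"^(?:https?|ftp)://\S+$", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?$")),
    ("registry", re.compile(r"(?:^HK(?:EY_[A-Z_]+|LM|CU|CR|U)\\|"
                            r"Software\\Microsoft\\Windows\\CurrentVersion\\)", re.I)),
    ("path", re.compile(r"^[A-Za-z]:\\|^\\\\[^\\]+\\")),
    ("mutex", re.compile(r"^(?:Global|Local)\\")),
    ("module", re.compile(r"\.(?:dll|exe|sys)$", re.I)),
]

def extract_strings(data, min_len=3):
    """Return (offset, kind, text) tuples; kind is 'a' for ASCII, 'u' for UTF-16LE.

    Same default as strings.exe: both encodings, at least 3 characters. The UTF-16
    pattern is matched at any byte offset, so strings at odd offsets are not missed.
    """
    found = []
    for m in re.finditer(ASCII_PRINTABLE + rb"{%d,}" % min_len, data):
        found.append((m.start(), "a", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:" + ASCII_PRINTABLE + rb"\x00){%d,}" % min_len, data):
        found.append((m.start(), "u", m.group().decode("utf-16-le")))
    found.sort()
    return found

def classify(text):
    """Label one string, or return None when it is not an indicator we care about."""
    if text in API_NAMES:
        return "api"
    for label, pattern in PATTERNS:
        if pattern.search(text):
            return label
    return None

def indicators(data, min_len=3):
    """Unique (label, text) indicators in file order; noise strings are dropped."""
    seen, out = set(), []
    for _offset, _kind, text in extract_strings(data, min_len):
        label = classify(text)
        if label and (label, text) not in seen:
            seen.add((label, text))
            out.append((label, text))
    return out

if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE):
        print("%08x %s %s" % (offset, kind, text))
    print(indicators(SAMPLE))
```

Replace `SAMPLE` with `open(path, "rb").read()` to run it over a real file. Strings found this way are only a starting point: a string can be split, XOR-encoded or built on the stack at run time, which is why the listing is cross-checked against the imports and against the behaviour seen in the debugger.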
Resource Hacker has been designed to be the complete resource editing tool: compiling, viewing, decompiling and recompiling resources for both 32-bit and 64-bit Windows executables. Resource Hacker can open any type of Windows executable (*.exe, *.dll, *.scr, *.mui etc.) so that individual resources can be added, modified or deleted within these files. Resource Hacker can create and compile resource script files (*.rc), and edit resource files (*.res) too. For malware analysis this matters because droppers often carry their payload as an embedded resource, and Resource Hacker lets you pull it out without running the sample.
A set of tools to compute and compare MD5, SHA1, SHA256, Tiger and Whirlpool message digests. When you record or share a sample's hash, prefer SHA-256: MD5 and SHA-1 still appear in older reports, but both have practical collision attacks, so two different files can share the same MD5 or SHA-1 digest.
These are all the tools, books and tutorials I can remember. I will add new resources if I remember or find new ones.