The Cybersecurity Canon – Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Book written by Michael Sikorski and Andrew Honig
Book review by Etay Nir
In the dynamic area that is malware analysis, it can be confusing, if not also bewildering, for the newcomer to know where to start. Look no further: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software is a great starting point for those wanting to enter the field, and an ever-useful refresher for anyone looking to polish their skills.
The attraction of Practical Malware Analysis is that the authors have striven for the book to be self-contained as far as possible. Little prior knowledge is required, yet there is something for everyone here. A logical development of analysis skills is followed throughout the book, with Part 1 introducing basic analysis, covering static analysis (non-executed code), virtual machines, and then dynamic (code executed in a controlled environment).
Part 2 takes on advanced static analysis, developing our skills and knowledge, and introducing x86 disassembly, IDA Pro, assembly, recognizing C code constructs in assembly, and finally taking a look at malicious Microsoft Windows programs, looking at the API, the registry, and how to examine malware as it executes in a Windows environment.
Part 3 examines advanced dynamic analysis, looking at debugging, OllyDbg and then kernel debugging with WinDbg.
Having taken us to the foothills of advanced malware analysis, Part 4 of the book then delves into malware functionality, both using and expanding the knowledge gained so far. It guides us through malware behaviour, covert malware launching, data encoding and malware-focused network signatures. This section manages to achieve the fine balance of educating without becoming a ‘how-to-hack’ handbook. This section begins to look at things in great technical detail, including assembly, disassembly, registers and opcodes. Yet because of the approach taken by the authors, this section remains accessible at all times.
Part 5 takes us into deeper technical detail, covering anti-reverse-engineering. This section is critical in gaining insight into the mind of the attacker. The authors expand upon many of the themes from Part 4, but from the perspective of the malware author. Covered topics are: anti-disassembly, anti-debugging, anti-virtual machine techniques, and finally packers and unpacking. Mastering these topics will really let you spread your wings as a threat analyst, and provide you with a wealth of information, particularly if you are interested in threat modelling.
Finally, Part 6 covers the ever-topical shellcode analysis, C++ analysis and 64-bit analysis.
At the rear of the book are two appendices, A: Important Windows Functions and B: Tools for Malware Analysis. Both appendices are very useful taxonomies of their subjects.
One of the many strengths of Practical Malware Analysis is that it may both be followed diligently from start to finish as a developmental course (indeed there are lab exercises throughout, and the solutions are provided after the appendices), but also used as a fantastic reference resource. I for one always have it close at hand, either on the shelf if I am in my lab, or with me in PDF format if I am traveling.
‘It does what it says on the tin’ to quote an old advert byline. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software is accessible to the beginner, will help you understand how malware works, and will also help you progress to proficient analysis. Highly recommended – this is the definitive book on the topic, whether you are an aspiring reverse engineer or a network defender. Malware is not going away anytime soon.