Windows APT Warfare: Identify and prevent Windows APT attacks effectively PDF

258 Pages·2023·60.742 MB·English
Preview Windows APT Warfare: Identify and prevent Windows APT attacks effectively

Windows APT Warfare
Identify and prevent Windows APT attacks effectively
Sheng-Hao Ma

BIRMINGHAM—MUMBAI

Windows APT Warfare
Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Mohd Riyan Khan
Publishing Product Manager: Neha Sharma
Senior Editor: Runcil Rebello
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Project Coordinator: Ashwin Kharwa
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Alishon Mendonca
Marketing Coordinator: Marylou De Mello

First published: March 2023
Production reference: 1100223

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-80461-811-0
www.packtpub.com

I would like to thank all the anonymous researchers in the Cheat Engine forum; all of you taught me the reverse engineering skills of analyzing online games since my childhood. Now it is time for me to share this wonderful knowledge with others.
– Sheng-Hao Ma

Forewords

I was both happy and touched when I heard that Sheng-Hao is going to write a new book, Windows APT Warfare. He has shared his unique insights on x86, vulnerability techniques, compiler practices, and operating system principles at Black Hat USA, DEFCON, CODE BLUE, HITB, HITCON, and other conferences for many years. It’s great to see he’s willing to share his years of learning and experience in this book.

Lots of beginners might find themselves in the world of reverse engineering or cyber-attack and defense due to the research on online game cheats in the early days. Even though there are a lot of learning resources on the internet, there are more reasons to get stuck. Therefore, through this book, Sheng-Hao shares the results of his research and experiments for years so that you can enjoy learning the secrets of Windows PE design, which I think is a significant contribution to the community.

When I got the first draft of this book, I couldn’t wait to read it, but I also followed all the practical examples in the book following the chapter schedule, so that you can effectively gain Windows knowledge. But it is also a book that is difficult enough to demand repetitive practice. I would suggest to beginners that you should try to do the examples in the book, not only to deepen your impression but also to discover the author’s thoughts on the design of the examples.

This book will not only help you to build a strong foundation but also to learn how real-world cyber warriors use this knowledge to break through the defenses of the security vendors. You can use this book as a basis for malware-related analysis, software protection, or for finding exploits in applications. With the basic knowledge of this book, it can serve as a guide for your future learning path. Don’t forget to come back to the book when you’re stuck for ideas. Maybe you’ll be surprised with new inspiration when you do IDA-Pro F7, F8, or F5 numerous times late at night.

In the world of offense and defense, there is no secure system, and there is no absolute winner; both the offense and defense rely on the knowledge and practice of the basics. This book provides you with basic knowledge, the research methods of new techniques, and the way people use this basic knowledge to attack and defend. This is a good book to lay the groundwork. I recommend it to everyone.

Ziv Chang
Vice President of Automotive CyberThreat Research Lab, VicOne Inc. and Senior Director of CoreTech, TrendMicro Inc.

I had the pleasure of meeting Sheng-Hao in the summer of 2022, right after he delivered a talk at Black Hat US, which is one of the most selective industry conferences in the field of cybersecurity. As a member of the European Black Hat Review Board, I can say that only very few submissions are accepted among the many that we receive every year. I was impressed by how Sheng-Hao and his colleagues went beyond pure reverse-engineering tasks, and created tools based on symbolic execution to extract evasive behaviors from malware. Sheng-Hao and his colleagues made concrete steps toward making symbolic execution practical for the specific reversing task, which is quite challenging because symbolic execution can quickly become resource-demanding. Back in the summer of 2022, I could already foresee that something more based on that research would come up, so I was not too surprised when I saw that he open-sourced a tool based on the research.

I was pleased when I was contacted to review this book. Sheng-Hao was able to explain his findings to the audience using clear technical language, so he certainly has the required skills needed to produce educational material. I’ve been an instructor for graduate-level cybersecurity courses at Politecnico di Milano, teaching cybersecurity to thousands of students, so I know exactly what it takes not only to produce teaching material but also to convey messages in a clear way. This is what I see when reading this book: a curated selection of deep technical topics, explained at the right level, with spot-on examples, practical snippets, and references to extra resources for the avid reverser.

Reverse engineering is a blend of technical knowledge, dedication, and art. The Web is riddled with an immense amount of free learning resources and little orientation, which creates the risk that newcomers may feel overwhelmed and just walk away. Books like this one are much needed, because they select, consolidate, and create new content, infused with practical experience and real-world examples, giving a new life to fundamental techniques and resources that would otherwise remain only in the brain of the seasoned reverser.

Sheng-Hao works with TX One, a spin-off of Trend Micro, where I worked between 2016 and 2022 as a senior threat researcher. I’ve had the opportunity to collaborate with Sheng-Hao’s colleagues at TX One on various projects, some of them involving a good deal of reverse engineering of proprietary, closed-source binaries. Whoever joins TX One is either an experienced, hands-on cybersecurity researcher or will become one very quickly, because such research activities require being able to dig deep. I can see this book in the bags of new hires, to quickly build skills, as well as on the bookshelf of experienced researchers, to review fundamentals as needed by the most challenging projects.

Federico Maggi, Ph.D., Cybersecurity Researcher, Review Board Member of Black Hat Europe

Contributors

About the author

Sheng-Hao Ma (@aaaddress1) is currently working as a threat researcher at TXOne Networks, specializing in Windows reverse engineering analysis for over 10 years. In addition, he is currently a member of CHROOT, an information security community in Taiwan. He has served as a speaker and instructor for various international conferences and organizations such as Black Hat USA, DEFCON, CODE BLUE, HITB, VXCON, HITCON, ROOTCON, Ministry of National Defense, and Ministry of Education.

I would like to thank those who supported my research, my professor Shin-Ming Cheng, and research partners, Canaan Kao and Mars Cheng. In particular, my father, Shun-Rong Ma (late), who inspired me to learn reverse engineering when we played online games during my childhood. To all the enthusiasts who motivated me to write this content and the team at Packt for their help and support throughout the process.

About the translator

Pei-Te Chen received his Ph.D. in electrical engineering from National Cheng Kung University (NCKU) in Taiwan and has been a lecturer at organizations such as the National Taiwan University of Science and Technology (NTUST) and the Hacker College Institute. His expertise lies in cryptanalysis, intrusion detection, red team exercises, and penetration testing, and he has obtained several cybersecurity licenses such as OSSTMM OPST and GIAC GXPN. He has participated in many of Taiwan’s major cybersecurity projects, such as the Local Government Information Security Operations project and the Digital National Information Security Technology Services project. He is currently working as a senior engineer at the Cybersecurity Technology Institute (CSTI) department of the Institute for Information Industry (III), where he is responsible for cybersecurity talent training.

I would like to extend my sincerest gratitude to all those who have helped me in the field of cybersecurity, particularly to Professor Chi-Sung Laih for his guidance in introducing me to the field, to Ms. Lan-Ying Jiang for her spiritual encouragement, and to Sheng-Hao Ma for the cooperation and technical discussion. Your support and advice have been invaluable in my growth as a cybersecurity professional. I am deeply grateful for your contributions and support.

About the reviewers

Ta-Lun Yen is a security researcher with interests in reverse engineering, protocol analysis, wireless security, and embedded and IoT/ICS device security. He has been a member of a Taiwanese InfoSec community, “UCCU Hacker,” and has presented various research at well-known conferences and events. Ta-Lun is currently working for TXOne Networks (Trend Micro) with a focus on offensive research.

Fyodor Yarochkin is a researcher with Trend Micro Taiwan and holds a Ph.D. from EE, National Taiwan University. An open source evangelist as well as a “happy” programmer, Fyodor has a strong interest in both offensive and defensive security. Prior to his position at Trend Micro, Fyodor spent several years as a threat analyst and over 8 years as an information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor, and telecommunication organizations. Fyodor is an active member of the local security community and has spoken at a number of conferences regionally and globally.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with properly written authorizations from the appropriate persons responsible.
Table of Contents

Preface                                                                  xiii

Part 1 – Modern Windows Compiler                                            1

1 From Source to Binaries – The Journey of a C Program                     3
    The simplest Windows program in C                                      3
    C compiler – assembly code generation                                  4
    Assembler – transforming assembly code into machine code               6
    Compiling code                                                         7
    Windows linker – packing binary data into PE format                   10
    Running static PE files as dynamic processes                          11
    Summary                                                               14

2 Process Memory – File Mapping, PE Parser, tinyLinker, and Hollowing     15
    Sample programs                                                       15
    The memory of the static contents of PE files                         16
    NT Headers                                                            16
    Section Headers                                                       19
    PE Parser example                                                     21
    Dynamic file mapping                                                  23
    PE infection (PE Patcher) example                                     24
    tinyLinker example                                                    29
    Examples of process hollowing                                         32
    PE files to HTML                                                      38
    Summary                                                               39
