Learn Windows system design from the PE binary structure to modern and practical attack techniques used by red teams to implement advanced prevention Purchase of the print or Kindle book includes a free PDF eBook Key Features Understand how malware evades modern security products Learn to reverse engineer standard PE format program files Become familiar with modern attack techniques used by multiple red teams Book Description An Advanced Persistent Threat (APT) is a severe form of cyberattack that lies low in the system for a prolonged time and locates and then exploits sensitive information. Preventing APTs requires a strong foundation of basic security techniques combined with effective security monitoring. This book will help you gain a red team perspective on exploiting system design and master techniques to prevent APT attacks. Once you've understood the internal design of operating systems, you'll be ready to get hands-on with red team attacks and, further, learn how to create and compile C source code into an EXE program file. Throughout this book, you'll explore the inner workings of how Windows systems run and how attackers abuse this knowledge to bypass antivirus products and protection. As you advance, you'll cover practical examples of malware and online game hacking, such as EXE infection, shellcode development, software packers, UAC bypass, path parser vulnerabilities, and digital signature forgery, gaining expertise in keeping your system safe from this kind of malware. By the end of this book, you'll be well equipped to implement the red team techniques that you've learned on a victim's computer environment, attempting to bypass security and antivirus products, to test its defense against Windows APT attacks. What you will learn Explore various DLL injection techniques for setting API hooks Understand how to run an arbitrary program file in memory Become familiar with malware obfuscation techniques to evade antivirus detection Discover how malware circumvents current security measures and tools Use Microsoft Authenticode to sign your code to avoid tampering Explore various strategies to bypass UAC design for privilege escalation Who this book is for This book is for cybersecurity professionals- especially for anyone working on Windows security, or malware researchers, network administrators, ethical hackers looking to explore Windows exploit, kernel practice, and reverse engineering. A basic understanding of reverse engineering and C/C++ will be helpful.
Source of description
Description based on print version record.
Contents
Cover
Title Page
Copyright and Credits
Dedication
Foreword
Contributors
Disclaimer
Table of Contents
Preface
Part 1 - Modern Windows Compiler
Chapter 1: From Source to Binaries - The Journey of a C Program
The simplest Windows program in C
C compiler - assembly code generation
Assembler - transforming assembly code into machine code
Compiling code
Windows linker - packing binary data into PE format
Running static PE files as dynamic processes
Summary
Chapter 2: Process Memory - File Mapping, PE Parser, tinyLinker, and Hollowing
Sample programs
The memory of the static contents of PE files
NT Headers
Section Headers
PE Parser example
Dynamic file mapping
PE infection (PE Patcher) example
tinyLinker example
Examples of process hollowing
PE files to HTML
Chapter 3: Dynamic API Calling - Thread, Process, and Environment Information
Function calling convention
Calling convention
Thread Environment Block (TEB)
Process Environment Block
Examples of process parameter forgery
Examples of enumerating loaded modules without an API
Examples of disguising and hiding loaded DLLs
Part 2 - Windows Process Internals
Chapter 4: Shellcode Technique - Exported Function Parsing
EATs in PE
Examples of a DLL file analyzer
Dynamic crawling function in PE
Examples of writing shellcode in x86
A shellcode generator in Python
Chapter 5: Application Loader Design
Import Address Table in PE
Import API analyzer example
Calling programs directly in memory
Examples of IAT hijack
DLL side-loading example
Chapter 6: PE Module Relocation
Relocation table of PE
tinyLoader example
Part 3 - Abuse System Design and Red Team Tips.
Chapter 7: PE to Shellcode - Transforming PE Files into Shellcode
The open source project pe_to_shellcode analysis
Parsing Kernel32's export table in x86 assembly
Getting API addresses in x86 assembly
File mapping and repairing an import table in x86
Handling relocation in x86
An example of PE to shellcode
Chapter 8: Software Packer Design
What is a software packer?
Packer builder
Stub - the main program of an unpacker
Examples of software packers
Chapter 9: Digital Signature - Authenticode Verification
Authenticode digital signatures
Signature verification
WinVerifyTrust under the hood
Signature data in PE files
PKCS#7 information
Examples of mock signatures
Examples of bypassing hash verification
Examples of signature steganography
Getting signed by abusing path normalization
Chapter 10: Reversing User Account Control and Bypassing Tricks
UAC overview
RAiLaunchAdminProcess callback
Two-level authentication mechanism
Authentication A
Authentication B
UAC interface program, ConsentUI
Elevated privilege conditions
Improper registry configuration triggered by privilege hijacking privileges
Examples of bypassing UAC
Elevated COM Object (IFileOperation)
CMSTP arbitrary privilege elevation execution
Achieving elevated privileges through trusted path collisions
Appendix - NTFS, Paths, and Symbols
Win32 and NT path specification
DOS Path 1.0
DOS Path 2.0
Example 1
Example 2
Example 3
Example 4
Example 5
Example 6
Example 7
Example 8
Index
About Packt
Other Books You May Enjoy.
ISBN
9781804617212
1804617210
OCLC
1371483974
Statement on responsible collection description
Princeton University Library aims to describe library materials in a manner that is respectful to the individuals and communities who create, use, and are represented in the collections we manage. Read more...