Practical Malware Analysis: LAB 01

Let’s kick it off. The first chapter of PMA was an introduction to Basic Static Analysis. Although there’s a unique set of tools used in the book, I’ll be improvising and testing other tools which might achieve the same purpose.

Tooling

I’ll be using the following tools/services for this chapter [I’m diverting from the toolset used by the author… mainly because they’re outdated]:

- PEStudio
- PEView
- PEID
- ExeInfoPE
- VirusTotal

Exercise 1

Hash: BB7425B82141A1C0F7D60E5106676BB1
Filename: Lab01-01....

August 13, 2021 · 7 min · Syed Hasan

Practical Malware Analysis: LAB 05

Previously, we covered Basic Static Analysis and Basic Dynamic Analysis in Chapters 1 and 3 of Practical Malware Analysis. That marks the end of the first part of the book. The fourth chapter kicks off the second part and takes a slight detour to cover one of the most important prerequisites for performing malware analysis: assembly language. However, the crash course doesn’t have any exercises, which is why we’ll be proceeding to the exercises of the fifth chapter i....

August 13, 2021 · 13 min · Syed Hasan

Windows DLLs: Attacks in a Nutshell

What are DLLs? Dynamic-link Libraries (DLLs) are Microsoft’s implementation of shared code on the Windows operating system. By modularizing code into smaller segments and individual files, Windows applications can make use of this shared code, which lets them avoid including the same piece of code again and again. Usually, the functions written in a DLL file are exported. The DllMain function in a particular file carries out the basic tasks, whereas the individual functions can then be imported into other code as well....

May 5, 2020 · 7 min · Syed Hasan

Windows API Calls: The Malware Edition

The Windows API, or WinAPI for short, is a set of functions and procedures that abstract much of what you do every day on the Windows OS. The Application Programming Interface (API) exposes these functions to programmers for use when writing a procedure of your own isn’t the most effective option. Although the API calls are a bit hard to work with, they can still help you achieve much of what you’d like without further coding....

April 29, 2020 · 9 min · Syed Hasan

System Monitoring and Detections Using 'osquery'

‘osquery’ is an open-source tool which can be used to audit an operating system and all its configuration as if it were an SQL-based relational database. It does so by exposing the OS and representing its abstract concepts (e.g. processes, open sockets, kernel modules, etc.) as a series of SQL tables. It was developed by Facebook and was later open-sourced for the community to take part in its development. It’s cross-platform and supports the major operating systems: Windows, macOS, and Linux....

April 27, 2020 · 7 min · Syed Hasan