For anyone who is curious about my book, Windows Forensic Analysis (ToC and sample chapter available), I've had an opportunity to speak to some folks and answer some questions recently:
Andrew Hay's Q&A
29 Apr CyberSpeak Podcast with Ovie and Brett
ForensicFocus
I'm really looking forward to Andrew's review of my book.
Good interview Harlan, I have a question about Perl though. Would it be possible (and relatively easy for a beginner) to do something similar to what you mentioned in your book, and write a program that looked for packed processes that are running in a domain? Given how common packers seem to be with malware and uncommon with legitimate programs, it seems like it would be something worthwhile keeping track of.
For example, if you got a process that was packed, the Company Name was Microsoft Corporation, and it had a creation date of 2 days ago, then that would be suspicious. I'm thinking about learning Perl, but first need to have a lot of specific uses for it to keep me motivated to learn it...
Anonymous,
Yes, it would be pretty easy to do this...and there are a number of ways to "skin the cat", as it were...
First off, processes aren't packed. Executable images (i.e., the .exe file sitting on disk) usually are, in the case of malware, but if you remember from the chapter of my book on EXE analysis, one of the benefits of dynamic malware analysis is that the EXE is unpacked when it's in memory.
So, here's what you can do...and this is just an example. Once you have a list of systems you want to examine, you can use WMI to get a list of running processes and their command lines. From there, you can then map a share to the system and query the executable image itself. For a packed executable, you should look for references to only LoadLibrary and GetProcAddress (from kernel32.dll) in the import table of the PE file; from my book, this is indicative of a packed or encrypted executable.
Hope that helps, and thanks for the question!
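The workflow Harlan describes (get the process list and command lines over WMI, map a share, then read the executable's import table) can be checked mechanically. The example below is mine, not Harlan's, and is written in Python rather than the Perl he suggests; it assumes the collection step has already produced a path to each image (for instance from the `ExecutablePath` property of `Win32_Process`) and concentrates on the on-disk check: a small PE import-table parser plus the rule from the comment, that an import table naming only LoadLibrary and GetProcAddress from kernel32.dll points to a packed or encrypted image. Since no real binary can be embedded here, `build_pe` constructs minimal PE32 images with a chosen import table as test input; `imported_functions` goes a little beyond the comment in also handling PE32+ and ordinal imports, and `looks_packed` extends Harlan's rule to an empty import table.

```python
import struct

# Harlan's rule names LoadLibrary and GetProcAddress from kernel32.dll; the
# A/W/Ex variants are listed because those are the names the loader resolves.
LOADER_ONLY = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
               "LoadLibraryExW", "GetProcAddress"}


def build_pe(imports):
    """Constructed test input: a minimal, non-runnable PE32 image whose only
    content is an import table ('imports' maps DLL name -> function names)."""
    section_rva, desc_size = 0x1000, 20 * (len(imports) + 1)
    body, descriptors = bytearray(), bytearray()

    def next_rva():            # RVA the next appended item will occupy
        return section_rva + desc_size + len(body)

    for dll, funcs in imports.items():
        name_rvas = []
        for func in funcs:     # IMAGE_IMPORT_BY_NAME: WORD hint + NUL-terminated name
            name_rvas.append(next_rva())
            body += struct.pack("<H", 0) + func.encode() + b"\0"
            body += b"\0" * (len(body) % 2)                    # keep WORD-aligned
        int_rva = next_rva()   # import name table (OriginalFirstThunk)
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + bytes(4)
        iat_rva = next_rva()   # import address table (FirstThunk), unbound copy
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + bytes(4)
        dll_rva = next_rva()
        body += dll.encode() + b"\0"
        descriptors += struct.pack("<IIIII", int_rva, 0, 0, dll_rva, iat_rva)
    descriptors += bytes(20)   # all-zero descriptor terminates the array
    section = bytes(descriptors + body)

    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)                                            # PE32 optional hdr
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)      # ImageBase, aligns
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                 # SizeOfImage/Headers
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, section_rva, desc_size)       # import directory
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(section), section_rva,
                       len(section), 0x200, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(0x200, b"\0") + section


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def imported_functions(data):
    """Return {dll: [imported names]} from the import table of a PE32/PE32+
    file. Ordinal-only imports are reported as 'ord#N'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dirs = opt + (112 if is64 else 96)        # start of the data directories
    if struct.unpack_from("<I", data, dirs - 4)[0] < 2:
        return {}
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]   # entry 1 = imports
    if import_rva == 0:
        return {}
    sections = []                             # (VirtualAddress, size, PointerToRawData)
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i + 8
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, hdr)
        sections.append((vaddr, max(vsize, rsize), rptr))

    def rva_to_off(rva):                      # translate an RVA to a file offset
        for vaddr, size, rptr in sections:
            if vaddr <= rva < vaddr + size:
                return rptr + rva - vaddr
        raise ValueError("RVA 0x%x is outside every section" % rva)

    thunk_fmt, ordinal_flag = ("<Q", 1 << 63) if is64 else ("<I", 1 << 31)
    imports, desc = {}, rva_to_off(import_rva)
    while True:                               # walk the IMAGE_IMPORT_DESCRIPTOR array
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        funcs, thunk = [], rva_to_off(oft or ft)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append("ord#%d" % (entry & 0xFFFF))
            else:                             # skip the 2-byte hint before the name
                funcs.append(_cstr(data, rva_to_off(entry & 0x7FFFFFFF) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(data, rva_to_off(name_rva))] = funcs
        desc += 20
    return imports


def looks_packed(imports):
    """Harlan's rule: only LoadLibrary/GetProcAddress from kernel32.dll in the
    import table indicates a packed or encrypted executable. An empty import
    table is flagged as well (my extension; it is at least as suspicious)."""
    dlls = {dll.lower() for dll in imports}
    names = {name for funcs in imports.values() for name in funcs}
    return dlls <= {"kernel32.dll"} and names <= LOADER_ONLY


if __name__ == "__main__":
    import sys                                # usage: python pe_imports.py <exe> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            imps = imported_functions(fh.read())
        print("PACKED?" if looks_packed(imps) else "ok", path, sorted(imps))
```

Run it over the images copied from the mapped share; a PACKED? verdict is a triage flag that the image deserves a closer look (the EXE analysis Harlan refers to), not a conviction on its own, since the heuristic says nothing about why the image was packed.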
Thanks Harlan, I haven't gotten to the executable analysis chapter yet, but I'm certainly looking forward to it!
Any recommendations on good books for learning how to use Perl for InfoSec/Network Administration? Too many of the books I've found seem to focus on web app development in Perl. By the way, haven't gotten your book yet but it is on my wish list and I'll probably pick it up sometime in the next few months. First I need to get to Dan Farmer's book which I have sitting on my shelf.
Funny you should ask! ;-) Evidently, my publisher posted a book-to-be and even cover art for that book on Amazon before my most recent book was even finished.
One of the big issues right now is getting people lined up to coauthor the book.
By the way, haven't gotten your book yet...
You haven't?! Dude, that is NOT a good way to start a sentence! ;-)
BTW...the Syngress marketing dept had a deal going on for a while (and I had no knowledge of it, so don't blame me) but if you went online and purchased the ebook, you'd receive not just the DVD but the hard copy book, as well, at no additional cost. Had I known about that, I would have said something...that way, folks might not have been saying, "...I'm going to get your book, but first I have to read..." ;-)