About the Book

The Antivirus Hacker's Handbook guides you through the process of reverse engineering antivirus software. You explore how to detect and exploit vulnerabilities that can be leveraged to improve future software design, protect your network and anticipate attacks that may sneak through your antivirus' line of defense. You'll begin building your knowledge by diving into the reverse engineering process, which details how to start from a finished antivirus software program and work your way back through its development using the functions and other key elements of the software.

About the Author

Joxean Koret is a security researcher at Coseinc, a Singapore-based security service company. He started working as a database software developer and DBA for a number of different RDBMS. Afterwards he got interested in reverse engineering and applied this knowledge to the DBs he was working with, for which he has discovered dozens of vulnerabilities in products from the major database vendors, especially Oracle software. He also specialized in malware analysis and anti-malware software development developing IDA Pro at Hex-Rays. Joxean is a frequent presenter at security conferences around the world.

Table of Contents:
Introduction Part I Antivirus Basics Chapter 1 Introduction to Antivirus Software ·What is Antivirus Software? ·Antivirus Software: Past and Present ·Antivirus Scanners, Kernels and Products ·Typical Misconceptions about Antivirus Software ·Antivirus Features ·Basic Features ·Making Use of Native Languages ·Scanners ·Signatures ·Compressors and Archives ·Unpackers ·Emulators ·Miscellaneous File Formats ·Advanced Features ·Packet Filters and Firewalls ·Self-Protection ·Anti-Exploiting Chapter 2 Reverse-Engineering the Core ·Reverse-Engineering Tools ·Command-Line Tools versus GUI Tools ·Debugging Symbols ·Tricks for Retrieving Debugging Symbols ·Debugging Tricks ·Backdoors and Configuration Settings ·Kernel Debugging ·Debugging User-Mode Processes with a Kernel-Mode Debugger ·Analyzing AV Software with Command-Line Tools ·Porting the Core ·A Practical Example: Writing Basic Python Bindings for Avast for Linux ·A Brief Look at Avast for Linux ·Writing Simple Python Bindings for Avast for Linux ·The Final Version of the Python Bindings ·A Practical Example: Writing Native C/C++ Tools for Comodo Antivirus for Linux ·Other Components Loaded by the Kernel Chapter 3 The Plug-ins System ·Understanding How Plug-ins Are Loaded ·A Full-Featured Linker in Antivirus Software ·Understanding Dynamic Loading ·Advantages and Disadvantages of the Approaches for Packaging Plug-ins ·Types of Plug-ins ·Scanners and Generic Routines ·File Format and Protocol Support ·Heuristics ·Bayesian Networks ·Bloom Filters ·Weights-Based Heuristics ·Some Advanced Plug-ins ·Memory Scanners ·Non-native Code ·Scripting Languages ·Emulators Chapter 4 Understanding Antivirus Signatures ·Typical Signatures ·Byte-Streams ·Checksums ·Custom Checksums ·Cryptographic Hashes ·Advanced Signatures ·Fuzzy Hashing ·Graph-Based Hashes for Executable Files Chapter 5 The Update System ·Understanding the Update Protocols ·Support for SSL/TLS ·Verifying the Update Files ·Dissecting an Update Protocol ·When Protection Is Done Wrong Part II Antivirus Software Evasion Chapter 6 Antivirus Software Evasion ·Who Uses Antivirus Evasion Techniques? ·Discovering Where and How Malware Is Detected ·Old Tricks for Determining Where Malware Is Detected: Divide and Conquer ·Evading a Simple Signature-Based Detection with the Divide and Conquer Trick ·Binary Instrumentation and Taint Analysis Chapter 7 Evading Signatures ·File Formats: Corner Cases and Undocumented Cases ·Evading a Real Signature ·Evasion Tips and Tricks for Specific File Formats ·PE Files ·JavaScript ·String Encoding ·Executing Code on the Fly ·Hiding the Logic: Opaque Predicates and Junk Code ·PDF Chapter 8 Evading Scanners ·Generic Evasion Tips and Tricks ·Fingerprinting Emulators ·Advanced Evasion Tricks ·Taking Advantage of File Format Weaknesses ·Using Anti-emulation Techniques ·Using Anti-disassembling Techniques ·Disrupting Code Analyzers through Anti-analysis ·More Anti-Anti-Anti... ·Causing File Format Confusion ·Automating Evasion of Scanners ·Initial Steps ·Installing ClamAV ·Installing Avast ·Installing AVG ·Installing F-Prot ·Installing Comodo ·Installing Zoner Antivirus ·MultiAV Configuration ·peCloak ·Writing the Final Tool Chapter 9 Evading Heuristic Engines ·Heuristic Engine Types ·Static Heuristic Engines ·Bypassing a Simplistic Static Heuristic Engine ·Dynamic Heuristic Engines ·Userland Hooks ·Bypassing a Userland HIPS ·Kernel-Land Hooks Chapter 10 Identifying the Attack Surface ·Understanding the Local Attack Surface ·Finding Weaknesses in File and Directory Privileges ·Escalation of Privileges ·Incorrect Privileges in Files and Folders ·Incorrect Access Control Lists ·Kernel-Level Vulnerabilities ·Exotic Bugs ·Exploiting SUID and SGID Binaries on Unix-Based Platforms ·ASLR and DEP Status for Programs and Binaries ·Exploiting Incorrect Privileges on Windows Objects ·Exploiting Logical Flaws ·Understanding the Remote Attack Surface ·File Parsers ·Generic Detection and File Disinfection Code ·Network Services, Administration Panels and Consoles ·Firewalls, Intrusion Detection Systems and Their Parsers ·Update Services ·Browser Plug-ins ·Security Enhanced Software Chapter 11 Denial of Service ·Local Denial-of-Service Attacks ·Compression Bombs ·Creating a Simple Compression Bomb ·Bugs in File Format Parsers ·Attacks against Kernel Drivers ·Remote Denial-of-Service Attacks ·Compression Bombs ·Bugs in File Format Parsers Part III Analysis and Exploitation Chapter 12 Static Analysis ·Performing a Manual Binary Audit ·File Format Parsers ·Remote Services Chapter 13 Dynamic Analysis ·Fuzzing ·What is a Fuzzer? ·Simple Fuzzing ·Automating Fuzzing of Antivirus Products ·Using Command-Line Tools ·Porting Antivirus Kernels to Unix ·Fuzzing with Wine ·Problems, Problems and More Problems ·Finding Good Templates ·Finding Template Files ·Maximizing Code Coverage ·Blind Code Coverage Fuzzer ·Using Blind Code Coverage Fuzzer ·Nightmare, the Fuzzing Suite ·Configuring Nightmare ·Finding Samples ·Configuring and Running the Fuzzer Chapter 14 Local Exploitation ·Exploiting Backdoors and Hidden Features ·Finding Invalid Privileges, Permissions and ACLs ·Searching Kernel-Land for Hidden Features ·More Logical Kernel Vulnerabilities Chapter 15 Remote Exploitation ·Implementing Client-Side Exploitation ·Exploiting Weakness in Sandboxing ·Exploiting ASLR, DEP and RWX Pages at Fixed Addresses ·Writing Complex Payloads ·Taking Advantage of Emulators ·Exploiting Archive Files ·Finding Weaknesses in Intel x86, AMD x86_64 and ARM Emulators ·Using JavaScript, VBScript, or ActionScript ·Determining What an Antivirus Supports ·Launching the Final Payload ·Exploiting the Update Services ·Writing an Exploit for an Update Service ·Server-Side Exploitation ·Differences between Client-Side and Server-Side Exploitation ·Exploiting ASLR, DEP and RWX Pages at Fixed Addresses Part IV Current Trends and Recommendations Chapter 16 Current Trends in Antivirus Protection ·Matching the Attack Technique with the Target ·The Diversity of Antivirus Products ·Zero-Day Bugs ·Patched Bugs ·Targeting Home Users ·Targeting Small to Medium-Sized Companies ·Targeting Governments and Big Companies ·The Targets of Governments Chapter 17 Recommendations and the Possible Future ·Recommendations for Users of Antivirus Products ·Blind Trust Is a Mistake ·Isolating Machines Improves Protection ·Auditing Security Products ·Recommendations for Antivirus Vendors ·Engineering Is Different from Security ·Exploiting Antivirus Software Is Trivial ·Perform Audits ·Fuzzing ·Use Privileges Safely ·Reduce Dangerous Code in Parsers ·Improve the Safety of Update Services and Protocols ·Remove or Disable Old Code Summary Index