We’ve very excited about the 5-star reviews on Amazon, which you can read about here. Thank you to the readers who took the time to let others know their thoughts. There are a few other reviews available as well:
* RCE Endeavors calls MACB “very thorough and up-to-date”
* SpiderLabs calls MACB “a great book”
Analysis using Tools in MACB:
* Malware Analysis with ClamAV and YARA @ Infosec Institute by Mourad Ben Lakhoua. This article was heavily based on Chapter 3 of MACB – thanks for the reference Mourad!
* Debugging Fundamentals for Exploit Development @ Infosec Institute by Steven Bradshaw. There’s no reference in this one, but you can tell the introduction was based on Chapter 11 of MACB.
If you purchased a Kindle version of the book from Amazon and didn’t receive the companion DVD, send us an email: malwarecookbook at gmail dot com. Neither Wiley nor Amazon have a way to distribute CDs or DVDs with electronic books.
Stefan from Joebox Security has updated the online version of Joebox reports (version 2.6.0) with static PE file analysis, inspired by the PEScanner module in Chapter 3 of Malware Analyst’s Cookbook. You can see a sample report here.
We received notification from the publisher that the book will be soon be translated into Korean.
We’ve heard reports of people stealing DVDs from books off of bookstore shelves. Before you buy, make sure the DVD is in tact.
Also, there are a ton of warez sites advertising electronic copies of the book. They started making those claims 6 months before we even finished writing it. I do not even have a PDF copy of the book, do you really believe that someone else has one and is going to give it to you for free? Update: OK, I’m wrong, someone has successfully created a ripped PDF copy of the book and distributed it on multiple warez sites. However, it doesn’t include the DVD and most of the images are unreadable.
As an example, there have been some tweets lately pointing to rapidsharedownloads.com. When you click, you’ll see the listing below:
Looks pretty exciting, huh? When you choose an item to download, you’ll be presented with a popup window that looks like a prompt for downloading an executable.
Clicking open or save brings you to the page where you enter personal information, choose to pay $36.95 one-time fee or that one time fee plus 0.33/month and $4.95 extra. Considering the book is only $37.79 brand new on Amazon, why would you buy it from rapidsharedownloads.com? Oh, don’t forget, they don’t actually have a copy to sell.
We will update the following table with fixes as they are discovered. If you see any spelling mistakes, code mistakes, or disagree with any statements, feel free to let us know so we can disperse that information to other readers.
|43||The text “Analyzing and Replaying Attacks Logged by Dionea” should read “…by Dionaea”|
|57||The text “0000000C jmp 0xc” should be “0000000C jmp $+0xc” – thanks to Matthieu Suiche for pointing this out.|
|64||The capabilities.yara file on the DVD has a typo. In particular, the condition for the encoding rule should be “(all of ($zlib*)) or (all of ($ssl*))” Note: this is only incorrect on the DVD file, it is correct in the book’s text.|
|119||The text “The domains and IP addresses that malware uses can you tell you a lot” should read “The domains and IP addresses that malware uses can tell you a lot”|
|194||The text “OfficeMalScaner” should read “OfficeMalScanner”|
|304-305||Step 1 should state “Download, install, and build Detours” instead of just “Download and install Detours.” If you don’t build Detours, then the detours.lib won’t be available when you reach Step 4. For instructions on how to build Detours, see the documentation that comes with Detours.|
|306-307||The 2nd parameter to DetourAttach and DetourDetach should be HookDeleteFileA instead of DeleteFileA. Note: the corresponding source file on the DVD contains the correct parameters – we must have made an error when copy/pasting the code into the book.|
|442||In table 12-2 the header should read “(X ^ Y) ^ Y” and not “(X ^ Y) ^ X”|
|451||The two instances of “decoded = base64.b64encode” should read “decoded = base64.b64decode”|
|483||“areguments” should be “arguments”|
|529||Matthieu Suiche sent us an optimized version of the WinDbg command that doesn’t rely on hard-coded offsets (thus you can use it on any platform). Here is the command: !list “-t nt!_EPROCESS.ActiveProcessLinks.Flink -e -x \”dt nt!_EPROCESS ImageFileName\”(poi(nt!PsActiveProcessHead)-@@c++(#FIELD_OFFSET(nt!_EPROCESS,ActiveProcessLinks)))”|
Happy reading, everyone!