At an introductory level, we're told about disassembly, the translation of a sample's binary machine code into a more readable form, assembly language, and the basic timeline from authorship to execution of malware. As a summary:

  1. Sample is written in a high-level language such as C or C++.
  2. The compiler translates it into machine code, the binary instructions the CPU executes.
  3. Disassembly renders that machine code as assembly, a human-readable representation of the same instructions.

This is of course the ideal case, with none of the anti-reverse-engineering methods that malware authors often employ to throw the analyst off the scent. We're also given an intro to CPU registers and the role DLLs play within Windows.

Sample assembly instructions (Intel syntax, which Capstone emits by default: the destination operand comes first):

Instruction           Description
add reg, value        adds value to reg and stores the result in reg
sub reg, value        subtracts value from reg and stores the result in reg
mov regA, regB        copies the value of regB into regA
mov reg, [address]    loads the value held at a memory address into reg
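To make the table concrete, here is an added example (my own, not code from the book or from Capstone) that hand-decodes the add/sub/mov forms above from raw x86-32 bytes. A real disassembler such as Capstone covers the whole instruction set; this only shows the mechanism, how a few opcode bytes and a ModR/M byte map to Intel-syntax text, on a constructed byte sequence. The load address 0x401000 and the byte sequence are made up for the illustration.

```python
"""Hand-rolled decoder for a handful of 32-bit x86 instructions.

Added example, not from the book: Capstone handles the full instruction
set, this decodes only the add/sub/mov forms from the table above to show
how opcode bytes map to Intel-syntax text (destination operand first).
"""
import struct

# Register numbering used by the opcode and ModR/M encodings.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def modrm(byte):
    """Split a ModR/M byte into its (mod, reg, rm) fields."""
    return byte >> 6, (byte >> 3) & 7, byte & 7


def decode_one(code, i):
    """Decode the instruction starting at code[i].

    Returns (text, length). Opcodes outside the supported subset are
    emitted as a raw data byte (`db`), the way disassemblers mark bytes
    they cannot decode.
    """
    op = code[i]
    # B8+rd imm32: mov r32, imm32 (the register is encoded in the opcode)
    if 0xB8 <= op <= 0xBF:
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return f"mov {REGS[op - 0xB8]}, 0x{imm:x}", 5
    # 83 /0 ib: add r/m32, imm8    83 /5 ib: sub r/m32, imm8 (imm8 sign-extended)
    if op == 0x83:
        mod, ext, rm = modrm(code[i + 1])
        if mod == 3 and ext in (0, 5):
            imm = struct.unpack_from("<b", code, i + 2)[0]
            return f"{'add' if ext == 0 else 'sub'} {REGS[rm]}, {imm}", 3
    # 03 /r: add r32, r/m32    2B /r: sub r32, r/m32    8B /r: mov r32, r/m32
    if op in (0x03, 0x2B, 0x8B):
        mnemonic = {0x03: "add", 0x2B: "sub", 0x8B: "mov"}[op]
        mod, reg, rm = modrm(code[i + 1])
        if mod == 3:                      # register-direct source operand
            return f"{mnemonic} {REGS[reg]}, {REGS[rm]}", 2
        if mod == 0 and rm == 5:          # [disp32] absolute memory source
            addr = struct.unpack_from("<I", code, i + 2)[0]
            return f"{mnemonic} {REGS[reg]}, [0x{addr:x}]", 6
    # 89 /r: mov r/m32, r32 (source register lives in the reg field)
    if op == 0x89:
        mod, reg, rm = modrm(code[i + 1])
        if mod == 3:
            return f"mov {REGS[rm]}, {REGS[reg]}", 2
    return f"db 0x{op:02x}", 1


def disassemble(code, base=0x401000):
    """Decode a byte string linearly and return 'address: text' lines."""
    lines, i = [], 0
    while i < len(code):
        text, length = decode_one(code, i)
        lines.append(f"0x{base + i:08x}: {text}")
        i += length
    return lines


# Constructed byte sequence (hand-assembled for this example, not from any sample).
SAMPLE = bytes.fromhex(
    "b805000000"    # mov eax, 5
    "83c001"        # add eax, 1
    "89c3"          # mov ebx, eax
    "8b0500204000"  # mov eax, [0x402000]
    "2bc3"          # sub eax, ebx
    "83e8ff"        # sub eax, -1 (sign-extended imm8; same effect as add eax, 1)
    "c3"            # ret: outside our subset, so it comes out as a raw byte
)

if __name__ == "__main__":
    for line in disassemble(SAMPLE):
        print(line)
```

Two things worth noticing: the same mnemonic (`mov`) has several different encodings depending on operand types, and the immediate in the `83` form is a signed byte, so `83 e8 ff` is `sub eax, -1`. Anything the decoder does not recognize becomes `db`, which is also what you see in a real disassembler when it lands in data or in the middle of an instruction, a favourite trick of the obfuscation methods discussed later in the chapter.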

Using PEFile & Capstone on IRCBot.exe:

pip install pefile
pip install capstone

We'll use the provided dissasembley_example.py and pipe its output. I had to rename the file the script looks for due to a capitalization error:

pe = pefile.PE(IRCBot.exe")
changing to: pe = pefile.PE(ircbot.exe")

And this is where the problems began...

Now I'm starting to understand why they heavily recommended the provided .OVA. So... I hesitantly put my ego aside, imported the VM, and tried this whole thing again.

If I can reliably figure out the necessary packages and libraries, I will create a write-up detailing the steps needed to follow this book from a fresh OS install. Until then...

username: osboxes.org, password: osboxes.org

And yup... definitely an environment problem. Grumble grumble.

The chapter then summarizes a few ways authors of malicious code can obfuscate their samples, and why they might. For example, a sample may decrypt its real payload at runtime using a key held on an external server; static analysis can neither decrypt that payload nor indicate what it does.