Notes from Practical Malware Analysis

This book is about reverse engineering malware.

Malware is an umbrella term for badware in general (another umbrella term): software that damages your machine and could potentially lead to data loss, destruction, or unauthorized sharing of data.


The purpose of malware analysis is to understand, when malware surfaces, what it does: whether it connects somewhere, which files it manipulates, which registry entries it touches, everything!

There are two types of signatures (symptoms of infection):

  • host-based sig: visible on hosts → file creation, cryptography

  • network sig: malware tries to connect to somewhere, to do what?

After this, we can proceed in analyzing the malware.

Chapter 1: basic static techniques

Malware analysis types

  • Static: determines if a malware is malicious or not, based on evaluating things without messing with code
    • Advanced Static: examine assembly code without running it
  • Dynamic: run malware, understand what’s going on
    • Advanced Dynamic: run assembly code with breakpoints

Basic Static

Do not run the malware, just run tools on it and understand what it could do.

Techniques:

  • Hashing: an MD5 or SHA1 hash is a unique fingerprint; you can look it up online on VirusTotal or compare it with already known malware to find out whether it is new or widely known
  • Strings: using strings.exe one can find out whether a program contains specific strings, such as addresses, leftover debug messages, DLL names, IPs. They should be at least 3 chars long.
  • Packing: to hide themselves, malware programs hide inside other programs. If a program has few strings, it is probably obfuscated or packed. A packed program almost always contains the functions LoadLibrary and GetProcAddress. Usually in a packed executable, we have the wrapper program at the beginning and the packed executable at the end. PEiD is the best tool to find out which packer has been used: simply open it, drag the executable in and evaluate.
  • Analyze imports: functions used by one program that are actually stored in a different program, such as code libraries that contain functionality common to many programs. Code libraries can be connected to the main executable by linking. Programmers link imports to their programs so that they don’t need to re-implement certain functionality in multiple programs. Code libraries can be linked statically, at runtime, or dynamically
    • static: copy 1:1, usually LoadLibrary and GetProcAddress
    • runtime:
    • dynamically: The Dependency Walker program lists only dynamically linked functions in an executable. Clicking on a specific DLL gives a list of functions. The most interesting ones are kernel32, advapi32, user32, ntdll, wsock32 and ws2_32, wininet

When searching, drop the suffixes Ex, A and W. They are only useful to understand what to pass to the function or whether it is an updated version.

PE Header

  • Portable Executable (PE) header: the header of a program in Windows

it contains:

  • .text contains the instructions that the CPU executes.
  • .rdata typically contains the import and export information, which is the same information available from both Dependency Walker and PEview.
  • .data contains the program’s global data, which is accessible from anywhere in the program.
  • .rsrc resources used by the executable that are not considered part of the executable, such as icons, images, menus, and strings.
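The basic static checks above (hashing, strings of at least 3 chars, the few-strings / LoadLibrary / GetProcAddress packing hints, and reading the section names out of the PE header) as one added Python triage script; this is my own example, not code from the book. The 10-string threshold and the sample bytes are constructed for the demo, not a real executable.

```python
import hashlib
import re
import struct

# Packing indicators from the notes: few strings, and imports resolved through
# these two functions by the unpacking stub (hypothetical threshold of 10 strings).
PACKER_HINTS = ("LoadLibrary", "GetProcAddress")
FEW_STRINGS = 10


def fingerprint(data: bytes) -> dict:
    """MD5 and SHA1 digests, the fingerprints you would look up on VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 3) -> list:
    """Printable ASCII runs of at least min_len chars, like strings.exe."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def section_names(data: bytes) -> list:
    """Follow e_lfanew to the COFF header, skip the optional header, read the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers are 40 bytes each, name is the first 8
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n_sections)]


def packing_hints(data: bytes) -> list:
    """Triage notes a static pass would record before any dynamic analysis."""
    strings, hints = extract_strings(data), []
    if len(strings) < FEW_STRINGS:
        hints.append("few strings: possibly packed or obfuscated")
    if any(h in s for s in strings for h in PACKER_HINTS):
        hints.append("LoadLibrary/GetProcAddress present: typical of a packer stub")
    return hints


def build_sample() -> bytes:
    """Constructed stand-in for a tiny packed PE (not a real file): MZ stub, PE header, 3 sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    opt = b"\0" * 8                                     # truncated optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x102)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b".text", b".rdata", b"UPX1"))
    return dos + b"PE\0\0" + coff + opt + secs + b"\0" * 16 + b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0"
```

Point the three functions at a real file's bytes instead of build_sample() to repeat the triage on a sample in the VM.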

Chapter 2: Virtual machines

  • use a VM to prevent damages
  • set up Flare-VM or whatever, in host-only network mode

Chapter 3: Basic Dynamic Analysis

Dynamic analysis is any examination performed after executing malware.

Procmon

Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity.

Procmon monitors all system calls it can gather as soon as it is run.

To set a filter, choose Filter → Filter to open the Filter menu, as shown in the top image of Figure 3-3. When setting a filter, first select a column to filter on using the drop-down box at the upper left, above the Reset button. The most important filters for malware analysis are Process Name, Operation, and Detail. Next, select a comparator, choosing from options such as Is, Contains, and Less Than. Finally, choose whether this is a filter to include or exclude from display.

Finding persistence or any other interesting change

Use Regshot.

Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots. To use Regshot for malware analysis, simply take the first shot by clicking the 1st Shot button, and then run the malware and wait for it to finish making any system changes. Next, take the second shot by clicking the 2nd Shot button. Finally, click the Compare button to compare the two snapshots.