Internet Anthropologist Think Tank: Reverse-Engineering Malware Cheat Sheet

  • Search our BLOG


  • HOME
    Terrorist Names SEARCH:
    Loading

    Friday, September 03, 2010

    Reverse-Engineering Malware Cheat Sheet




    Reverse-Engineering Malware Cheat Sheet

    This is a cheat sheet of shortcuts and tips for reverse-engineering malware. It covers the general malware analysis process, as well as useful tips for OllyDbg, IDA Pro, and other tools. Feel free to customize it to your own needs. My reverse-engineering malware course explores these, and other useful techniques.

    General Approach

    1. Set up a controlled, isolated laboratory in which to examine the malware specimen.
    2. Perform behavioral analysis to examine the specimen’s interactions with its environment.
    3. Perform static code analysis to further understand the specimen’s inner-workings.
    4. Perform dynamic code analysis to understand the more difficult aspects of the code.
    5. If necessary, unpack the specimen.
    6. Repeat steps 2, 3, and 4 (order may vary) until sufficient analysis objectives are met.
    7. Document findings and clean-up the laboratory for future analysis.

    Behavioral Analysis

    Be ready to revert to good state via ddVMware snapshots,CoreRestoreGhostSteadyState, etc.
    Monitor local (Process MonitorProcess Explorer) and network (Wiresharktcpdump) interactions.
    Detect major local changes (RegShotAutoruns).
    Redirect network traffic (hosts file, DNS, Honeyd).
    Activate services (IRC, HTTP, SMTP, etc.) as needed to evoke new behavior from the specimen.

    IDA Pro for Static Code Analysis

    Text searchAlt+T
    Show strings windowShift+F12
    Show operand as hex valueQ
    Insert comment:
    Follow jump or call in viewEnter
    Return to previous viewEsc
    Go to next viewCtrl+Enter
    Show names windowShift+F4
    Display function's flow chartF12
    Display graph of function callsCtrl+F12
    Go to program's entry pointCtrl+E
    Go to specific addressG
    Rename a variable or functionN
    Show listing of namesCtrl+L
    Display listing of segmentsCtrl+S
    Show cross-references to selected functionSelect function name » Ctrl+X
    Show stack of current functionCtrl+K

    OllyDbg for Dynamic Code Analysis

    Step into instructionF7
    Step over instructionF8
    Execute till next breakpointF9
    Execute till next returnCtrl+F9
    Show previous executed instruction-
    Show next executed instruction+
    Return to previous view*
    Show memory mapAlt+M
    Follow expression in viewCtrl+G
    Insert comment;
    Follow jump or call in viewEnter
    Show listing of namesCtrl+N
    New binary searchCtrl+B
    Next binary search resultCtrl+L
    Show listing of software breakpointsAlt+B
    Assemble instruction in place of selected oneSelect instruction » Spacebar
    Edit data in memory or instruction opcodeSelect data or instruction » Ctrl+E
    Show SEH chainView » SEH chain
    Show patchesCtrl+P

    Bypassing Malware Defenses

    To try unpacking quickly, infect the system and dump from memory via LordPE or OllyDump.
    For more surgical unpacking, locate the Original Entry Point (OEP) after the unpacker executes.
    If cannot unpack cleanly, examine the packed specimen via dynamic code analysis while it runs.
    When unpacking in OllyDbg, try SFX (bytewise) and OllyDump's "Find OEP by Section Hop".
    Conceal OllyDbg via HideOD and OllyAdvanced.
    A JMP or CALL to EAX may indicate the OEP, possibly preceded by POPA or POPAD.
    Look out for tricky jumps via SEH, RET, CALL, etc.
    If the packer uses SEH, anticipate OEP by tracking stack areas used to store the packers' handlers.
    Decode protected data by examining results of the decoding function via dynamic code analysis.
    Correct PE header problems with XPELister, LordPE, ImpREC,PEiD, etc.
    To get closer to OEP, try breaking on unpacker’s calls to LoadLibraryA or GetProcAddress.

    In the day I used to have quite a collection of bugs/virii.
    But now its so risky, some can get to root and turn invisible,
    hide in unusual places, even mark sectors bad and hide there.

    Used to lock everything down and then watch them go.
    You can't lock everything down any more.
    We have special PC for this now, and reformat after.
    But even then I'm not 100% confident its gone.
    Become a very high risk game.
    Its like juggling nitro, could go off even though
    you've taken every percaution. It's happened to me
    before.
    But every once in a while you discover something
    than can be used as a cyber sidearm or some other 
    mischief.

    G

    Thanks to:

    .


    0 Comments:

    Post a Comment

    Subscribe to Post Comments [Atom]

    << Home