Reverse Engineering Malware – Foundations – Part 2


Instructions

  • Instructions are the building blocks of assembly programs.
  • In x86 assembly Instructions has two components: Mnemonic and operands.
  • Mnemonic is a word that identifies the instruction to execute, such as mov, which moves data.
  • Operand, used to identify the information used by the instruction, such as registers or data:
    • Mnemonics have 0, 1, or more operands (arguments).
    • Operands can be:
      • A register
      • A memory location
      • An immediate value (e.g, 0x6453).

Mnemonic

Destination Operand

Source Operand

mov

ecx

0x42

Continue reading Reverse Engineering Malware – Foundations – Part 2

Reverse Engineering Malware – Foundations – Part 1


Disassembly

Before we dive into the code analysis and how we can utilize it to serve our purpose of getting a good understanding of the malware and its characteristics, let’s take a basic look into the architecture of a computer and we’ll start this by discussing the levels of abstraction.

Levels of Abstraction

  • A computer architecture can be represented as several levels of abstraction.
  • A windows Operating system can be installed on many different types of hardware because the hardware is abstracted (separated) from the operating system.
  • Malware authors create programs at high level language and use uses compilers to generate machine code to be executed by the CPU.
  • Malware analysts and reverse engineers work at the low-level language level.
  • Disassemblers are used to generate assembly code that we can read and analyse.
  • Computer systems are described with the following six different levels of abstraction, higher levels are placed near the end.
  • The lower you get the less portable the level will be across a computer systems.

Continue reading Reverse Engineering Malware – Foundations – Part 1

2- Basic Malware Analysis – Static – Part 2


OK continuing from Part 1, today’s tutorial’s will involve the following:

  1. We will look at the strings of the program using strings.exe.

  2. We will check if the program is packed?

Examining the Program’s Strings

A string in an application is a set of characters such as “hello”, it is stored in either ASCII or Unicode format. The cases where a program may contain strings are as follows:

  1. I f the program prints a message.

  2. If it accesses a URL.

  3. Or if it copies a file to a certain location.

ASCII and Unicode uses NULL characters to indicate the string is complete.

The reason looking at the strings is important is that the string of a program would give us important information about the program or the codes functionality.

Strings.exe scans the program for any sequence or characters that are 3 characters or more in length, which is why it can produce results that don’t make sense. Therefore when reading the results from the strings.exe always make note of strings the make sense as shown below:

Continue reading 2- Basic Malware Analysis – Static – Part 2

2- Basic Malware Analysis – Static – Part 1


To perform Basic Static Analysis we need to complete several steps, which will allow us to answer some of the following questions:

  1. What the suspicious file is?

  2. What does it do?

  3. When was it made?

  4. Does it depend on other files?

  5. Does it download other files?

  6. How does it work?

  7. What type of Malware is it?

Each of the Malware Analysis stages (Basic and Advanced) will provide us answers to some of the above questions and to be able to answer them all we need to exhaust each of the stages we mentioned in the first tutorial (1- Practical Malware Analysis – Introduction).

In today’s tutorial’s case we will be performing the following:

  1. We will run the suspicious file through multiple Anti Virus scanners such as Virustotal.com to see if the file is already known and have been flagged previously.

  2. We will create an MD5 signature of the file, that we can use to share with our colleagues and we can also use it to search online for a file with the same MD5 hash.

  3. We will look at the strings of the program using strings.exe.

  4. We will check if the program is packed?

  5. Also we will check the Portable Executable File Format (PE) header, which will provide us with valuable information about the code, the type of application, required library functions and space requirements.

  6. To end this we will examine Linked libraries and functions.

Continue reading 2- Basic Malware Analysis – Static – Part 1

1- Practical Malware Analysis – Introduction


Hi everyone it has been a long time since I last updated this site. It’s been very busy and hectic time as I took on a role as an Information Security Analyst, which was a 12 hour shifts early morning and nights in a very busy environment.

Anyway I am really pleased to be back and thought I will start this with a series of malware analysis, where we will go through step by step.

After this series I have a number of other series to come and plenty of skills to share with you.

I will try to be brief and focus on the hands-on topics and those of you who are more interested in the details please look out for a book called: Practical Malware Analysis by Michael Sikorski and Andrew Honig. It is a great book that I’ve learned a lot from, in fact I am still using it and everything we will discuss here will be skills learned from this valuable book.

So Michael/Andrew if you are looking at this please kindly accept my thanks and appreciation for this marvellous piece of work, keep up the good work guys.

Finally don’t forget everyone, no one knows everything and we will always be learning from each other, therefore those with more experience please kindly don’t hesitate to share your knowledge with us and surely don’t hesitate to correct any mistakes you see here or any of my previous or upcoming articles.

So let’s start with laying some grounds…

Continue reading 1- Practical Malware Analysis – Introduction