Malware Analysis

Analysis Methods #

  • Static - methods not involving the running of the malware
    • AV Scanning - gives a quick indication as to whether something is malicious
    • Fingerprinting - checking against other online sources (e.g. VirusTotal)
    • Strings - extracting embedded strings reveals domains, IP addresses and function names, giving small clues to what the malware does
    • Packing/Obfuscation - identifying the packer or obfuscator used helps with unpacking and execution, and hints at the language or tooling behind the sample
    • PE File Format - finding sections in the executable to be reversed
    • Libraries & Functions - good indication of what the malware is doing
    • Reverse Engineering & Assembly - disassembling and stepping through the code (e.g. with GDB)
  • Dynamic - methods involving running and observing events
    • Run Malware & Monitor Activity - useful to confirm whether it is performing as expected from static analysis
    • Processes - what processes are created?
    • System Calls
    • Registry Keys
    • Network Activity
    • Debugging

Library types #

  • Static - the whole library code is copied into and shipped with the program
  • Runtime - the program loads a library only at the point it needs it
  • Dynamic - the program imports the referenced libraries as it starts

PE File Format #

| Name | Description |
|---|---|
| DOS MZ Header | |
| DOS Stub | |
| PE Header | Metadata - signature, number of sections, executable or DLL, timestamp, machine |
| .text | Executable code to be copied to RAM |
| .idata | Imported data |
| .data | Data loaded to initialise - static & global variables |
| .rdata | Runtime data during execution |
| .edata | Export information |
| .rsrc | Resources used by executable (e.g. files) |
| .reloc | |
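Worked example of the static step this table describes, added here and not from the original notes: a small Python parser that follows the DOS MZ header to the PE signature, reads the PE header fields listed above (machine, number of sections, timestamp, EXE vs DLL) and walks the section table. It runs on a constructed minimal image built inside the block (the optional header is omitted there, and the `suspicious` flag is only a rough triage hint for packing, not a definitive check).

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit: image is a DLL
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
# Section names from the PE table above; anything else deserves a second look
KNOWN_SECTIONS = {".text", ".idata", ".data", ".rdata", ".edata", ".rsrc", ".reloc"}

def parse_pe_header(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF file header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    table = coff + 20 + opt_size          # section table follows the optional header
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_offset": rptr,
                         # rough packing hint: unknown name, or space reserved in RAM but empty on disk
                         "suspicious": name not in KNOWN_SECTIONS or (rsize == 0 and vsize > 0)})
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "is_dll": bool(chars & IMAGE_FILE_DLL), "timestamp": ts,
            "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "number_of_sections": nsec, "sections": sections}

def build_sample_pe() -> bytes:
    """Constructed minimal image for the demo (not a real binary): SizeOfOptionalHeader
    is 0, so the section table directly follows the 20-byte COFF header."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 1_600_000_000, 0, 0, 0, 0x0002 | IMAGE_FILE_DLL)
    def sec(name, vsize, vaddr, rsize, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)
    return (dos + b"PE\0\0" + coff
            + sec(b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020)
            + sec(b".rdata", 0x100, 0x2000, 0x200, 0x400, 0x40000040)
            + sec(b"UPX1", 0x8000, 0x3000, 0, 0x600, 0xE0000080))

if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe())
    print(info["machine"], "DLL" if info["is_dll"] else "EXE", info["timestamp_utc"])
    for s in info["sections"]:
        print(f'{s["name"]:8} raw={s["raw_size"]:#x} virt={s["virtual_size"]:#x} suspicious={s["suspicious"]}')
```

Point `parse_pe_header` at the bytes of a real sample to get the same summary for triage.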

Memory #

| Name | Description |
|---|---|
| Data | Values |
| Code | Instructions to be fetched by the CPU |
| Heap | Dynamically allocated variables |
| Stack | Function parameters, controls program flow |

Tools #