Malware Handbook

Manual Code Reversing

1. Context of Malware Analysis:

  • Dynamic Analysis Challenges: In the sample discussed here, dynamic analysis yielded nothing useful. The malware appeared inactive in the sandbox and produced no observable behaviour. Inactivity under dynamic analysis does not mean a sample is harmless; it often means a trigger condition was not met during the run.

  • Static Analysis Observations: Static analysis identified the file as a Windows PE executable whose code and data were obfuscated. The most visible symptom was the near-absence of readable text strings, which suggests that strings are stored encoded and only decoded at runtime.

2. Manual Code Reversing Process:

  • Debugging with an x86 Debugger:

    • The code was reverse engineered by stepping through the executable in an x86 debugger.

    • This revealed that the malware checks for a specific command-line argument and only runs its real behaviour when that argument is present. Executed without the argument, as the dynamic analysis had done, it does nothing observable, which is why that analysis showed nothing.

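The pattern found above, a payload gated on a command-line argument whose expected value is stored encoded so that it does not appear as a plain string, is shown here as an added example. It is not the sample analysed on this page and not code from the handbook; the argument value "--svc-start", the XOR byte 0x5A and the message strings are all constructed for illustration. Built with `cc -O0 gate.c -o gate`, `strings gate` shows neither the key nor the payload message, and running `./gate` prints nothing, which is exactly what a sandbox would see.

```c
#include <stdio.h>
#include <string.h>

/* Single-byte XOR key used to store the activation string (constructed value). */
#define XOR_KEY 0x5A

/* "--svc-start" XOR 0x5A, byte by byte. This is what an analyst sees in the
 * data section: an opaque blob, not a string. */
static const unsigned char ENC_ARG[] = {
    0x77, 0x77, 0x29, 0x2C, 0x39, 0x77, 0x29, 0x2E, 0x3B, 0x28, 0x2E
};

/* Decode the expected argument into dst at runtime. Returns dst, or NULL if
 * the buffer is too small. In a disassembler this appears as a short loop
 * XOR-ing bytes into a stack buffer just before a string comparison. */
char *decode_key(char *dst, size_t dstlen)
{
    size_t n = sizeof ENC_ARG;
    if (dstlen <= n)
        return NULL;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)(ENC_ARG[i] ^ XOR_KEY);
    dst[n] = '\0';
    return dst;
}

/* Return 1 if any argument after argv[0] equals the decoded key, else 0.
 * Breaking on this strcmp in a debugger exposes the expected value in the
 * first argument, which is how the trigger is recovered during reversing. */
int is_activated(int argc, char **argv)
{
    char key[32];
    if (!decode_key(key, sizeof key))
        return 0;
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], key) == 0)
            return 1;
    return 0;
}

/* Placeholder for the gated behaviour; the message is constructed here. Real
 * samples would decode further strings and resolve Win32 APIs at this point. */
static void payload(void)
{
    printf("payload path reached\n");
}

int main(int argc, char **argv)
{
    /* Without the argument the process exits silently, looking inert. */
    if (!is_activated(argc, argv))
        return 0;
    payload();
    return 0;
}
```

The practical lesson is that when a sample appears idle, check the entry point for argument parsing (`GetCommandLineA/W`, `__argc`/`__argv`, `CommandLineToArgvW`) and for a decode loop feeding a comparison; the debugger then shows the expected value directly, no matter how the string was hidden at rest.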
3. Importance of Understanding Low-Level Language:

  • x86 Assembly Language: Essential for debugging Windows executables. On Windows 10 this means both 32-bit x86 and 64-bit x86-64 (x64) assembly, since samples come in both forms and their calling conventions differ.

  • Windows APIs and C Syntax: Familiarity with the Win32 API (what each function does and which arguments it takes) and with C syntax is needed to read decompiler output and to recognise what the malware is doing at each call.

4. Recommended Tools for Code Reversing:

  • IDA Pro with the Hex-Rays Decompiler:

    • Commercial disassembler and decompiler.

    • Hex-Rays turns native machine code into C-like pseudocode. This is a reconstruction, not the original source: variable names and types are guessed and need to be renamed and retyped as the analysis progresses.

  • Other Useful Tools:

    • dnSpy: decompiles .NET assemblies. Because .NET executables carry CIL bytecode and rich metadata, the recovered C# is usually very close to the original source.

    • Ghidra: free disassembler and decompiler released by the NSA, with decompilation for many processor architectures and executable formats.

5. Decompilers Overview:

  • Purpose: Convert executables back into readable, usually C-like, code so the logic can be followed without reading every instruction.

  • Types of Executables:

    • Executables compiled to bytecode or intermediate code (.NET CIL, Java bytecode) retain type, class and method metadata, so they decompile back to something close to the original source.

    • Natively compiled executables have lost that information; decompiling them yields pseudocode that is functionally equivalent but not the original source.

  • Examples:

    • dnSpy for .NET executables.

    • Java archive (JAR) decompilers for Java executables.

    • Hex-Rays (and Ghidra) for native binary-to-C pseudocode.

6. Practical Application:

  • Debugging Demonstration: For compiled executables, use a debugger (x86 or x64, matching the sample) and a decompiler together. The decompiler gives the overview of the program's structure; the debugger confirms what the code actually does with real values at runtime, for example by breaking on the comparison that checks the command-line argument and reading the value it expects. This combination uncovers behaviour that static and dynamic analysis on their own miss.


Last updated 9 months ago