This post takes you through the different tools used for malware analysis. Books have been written about some of these applications and they have complex functionality; what follows is a brief overview of each application and the functionality that proved most helpful.
IDA PRO
The Interactive Disassembler, usually just called IDA, is a disassembler and debugger. It is programmable and extendible, supports many processors and runs on the leading operating systems. IDA supports both the x86 and x64 architectures, and many file formats such as Portable Executable (PE), Executable and Linking Format (ELF) and Common Object File Format (COFF). IDA Pro can disassemble a program and lets you perform tasks such as function discovery, local variable identification and stack analysis, plus much more. Using IDA Pro lets you dig deeper into a program, what it is doing and its intentions.
Using IDA PRO
You load an executable into IDA Pro either by dragging it in or by opening the application and selecting the file. IDA Pro first recognises the file's format and its processor architecture.
IDA maps the PE file into memory as if it had been loaded by the operating system loader. Different loading options are available: as a PE file, as an MS-DOS executable or as a raw binary.
The different modes available:
Manual Mode
By default IDA Pro does not load the PE header and the resource sections. Selecting Manual mode lets you load each section by hand, so that no section escapes analysis.
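To make the "mapped as if loaded by the OS loader" point concrete, here is an added example (not code from the post or from IDA) that parses a constructed PE section table and translates the memory addresses IDA shows into the file offsets a hex editor shows. The section names, sizes and offsets are made up for illustration.

```python
import struct

# IMAGE_SECTION_HEADER layout (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_FMT = "<8sIIIIIIHHI"

def make_section(name, vsize, vaddr, rawsize, rawptr):
    """Build one constructed section header with the unused fields zeroed."""
    return struct.pack(SECTION_FMT, name.ljust(8, "\0").encode(), vsize, vaddr,
                       rawsize, rawptr, 0, 0, 0, 0, 0)

# Constructed section table (values are illustrative, not from a real file).
SECTION_TABLE = (
    make_section(".text", 0x1A00, 0x1000, 0x1C00, 0x400)
    + make_section(".rdata", 0x600, 0x3000, 0x600, 0x2000)
    + make_section(".data", 0x2000, 0x4000, 0x200, 0x2600)  # larger in memory than on disk
)

def parse_sections(table: bytes):
    """Decode each 40-byte header into a dict, the way the loader reads the section table."""
    out = []
    for off in range(0, len(table), 40):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack(SECTION_FMT, table[off:off + 40])
        out.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                    "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return out

def rva_to_offset(sections, rva):
    """Map a relative virtual address (what IDA displays) to a file offset (what a hex
    editor displays). Returns None for bytes that exist only in memory, such as
    uninitialised data past the end of a section's raw bytes."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["vaddr"]
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    return None
```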
The Interface
After loading has completed, the disassembly window opens. This is where the assembly code resides and from where you can open the Functions, Imports, Exports and Strings windows, among others. IDA offers two ways to view the binary, Graph mode and Text mode; press the space bar to switch between them.
Text Mode
Text mode displays a traditional listing of the binary's data regions, letting you see the memory addresses, the section name (.text) and the opcode bytes (83EC18).
Graph mode
Graph mode displays the instructions and line numbers and lets you follow the program's flow. Arrows indicate the paths the program takes depending on the decisions made. A green arrow is followed if a conditional jump is taken, red if it is not taken, and blue marks an unconditional jump. Upward arrows indicate loops.
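The arrow colours above correspond to edges of a control-flow graph. The following is an added example (not from the post or from IDA) that builds those edges and the graph-view blocks from a small constructed x86 listing; the addresses and instructions are invented for illustration.

```python
# Constructed listing (not from any real binary): address -> (mnemonic, operand).
# It models a small counted loop: test the counter, conditional jump out, body, jump back.
LISTING = {
    0x401000: ("mov", "ecx, 5"),
    0x401005: ("test", "ecx, ecx"),
    0x401007: ("jz", "0x401012"),
    0x401009: ("dec", "ecx"),
    0x40100A: ("call", "0x402000"),
    0x40100F: ("jmp", "0x401005"),
    0x401012: ("ret", ""),
}

CONDITIONAL = {"jz", "jnz", "je", "jne", "ja", "jb", "jg", "jl", "jle", "jge", "jae", "jbe"}

def flow_edges(listing):
    """Edges coloured as IDA's graph view draws them: green = conditional jump taken,
    red = conditional jump not taken (fall-through), blue = unconditional jump.
    Ordinary fall-through between non-branching instructions is not listed."""
    addrs = sorted(listing)
    edges = []
    for i, addr in enumerate(addrs):
        mnem, ops = listing[addr]
        nxt = addrs[i + 1] if i + 1 < len(addrs) else None
        if mnem in CONDITIONAL:
            edges.append((addr, int(ops, 16), "green"))
            if nxt is not None:
                edges.append((addr, nxt, "red"))
        elif mnem == "jmp":
            edges.append((addr, int(ops, 16), "blue"))
    return edges

def loop_edges(edges):
    """An arrow to a lower address is drawn upward in the graph: a back-edge, i.e. a loop."""
    return [e for e in edges if e[1] < e[0]]

def basic_blocks(listing):
    """Split the listing into the boxes the graph view shows: a block starts at the entry,
    at every jump target, and at the instruction after any jump or return."""
    addrs = sorted(listing)
    leaders = {addrs[0]}
    for i, addr in enumerate(addrs):
        mnem, ops = listing[addr]
        if mnem in CONDITIONAL or mnem == "jmp":
            leaders.add(int(ops, 16))
        if (mnem in CONDITIONAL or mnem in ("jmp", "ret")) and i + 1 < len(addrs):
            leaders.add(addrs[i + 1])
    blocks, current = [], []
    for addr in addrs:
        if addr in leaders and current:
            blocks.append(current)
            current = []
        current.append(addr)
    blocks.append(current)
    return blocks
```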
IDA windows
- Functions window: displays all functions in the executable, showing the length of each.
- Names window: displays addresses, functions, code, data and strings that have a name attached to them.
- Imports window: lists all imported DLLs the executable uses.
- Exports window: lists all functions the file exports.
- Structures window: lists all active data structures.
- Strings window: shows all text strings.
When analysing code these windows are particularly important, as they let you cross-reference functions: double-clicking an item of interest jumps directly to the place in the code where that item is located.
Dependency Walker
The Dependency Walker tool scans for all the DLLs a program depends on, including missing DLLs and DLLs that are not valid. It checks that each imported function is matched by an export in the corresponding DLL. Dependency Walker can help diagnose, correct and prevent DLL-related problems.
OllyDbg
OllyDbg is an assembler-level debugger for Windows 32-bit executables. It analyses binary code and can be used to correct programs or to analyse assembly-level code in depth when no source code is available. You can watch the assembly as it runs and see what changes it makes to memory, what procedures and API calls it makes and what DLLs are being used.
- CPU/Code panel: the largest panel, displaying all the disassembled code. When stepping through line by line, the instruction being executed is highlighted.
- Registers panel: on the right-hand side, holding the flags, the general-purpose and segment registers and extra information.
- Stack panel: holds the stack addresses referenced by the disassembly in the CPU panel or the memory dump panel.
- Memory Dump: a dump of memory addresses. The raw data shown alongside these addresses can be displayed in different formats such as ASCII, UNICODE, etc.
WireShark
Wireshark is a network protocol analyser and the standard application used by network analysts. It captures network traffic and lets you analyse the different protocols in it.
Some of Wireshark's features include:
- Deep inspection of all standard and new protocols
- Live packet capture plus offline analysis
- Network data can be viewed in the GUI or browsed with the TTY-mode TShark utility
- Can read and write the capture formats of many other sniffer and network monitor applications
Sandboxes
Virtualisation software provides a safe and time-saving environment in which to test malware. A lab environment is easy to set up and configure and can be ready in minutes. A virtual machine lets you perform behavioural analysis of a malware sample by observing how the specimen interacts with the file system, the registry and the network.
- With a virtual machine it is possible to take a snapshot of the system's state before, during and after an infection takes place. This allows you to identify what changes were made to the system.
- The host-only networking option lets you interconnect virtual machines without exposing them to an external network.
- Apply security patches regularly.
- Don't enable networking on the virtual machine.
- Do not connect the virtual machine to the host machine.
- Monitor the host for any signs of infection from the virtual machine.
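The snapshot-before-and-after workflow above comes down to diffing two recordings of system state. This added example (not from the post or from any sandbox product) diffs two constructed snapshots of file and registry content hashes and flags the changes that land in autostart locations; every path, key and value in it is invented for illustration.

```python
import hashlib

def fingerprint(content: bytes) -> str:
    """Hash file or registry-value content so snapshots compare cheaply."""
    return hashlib.sha256(content).hexdigest()

# Constructed snapshots (no real malware involved): path or registry value -> content hash,
# as a snapshot script run before and after detonation would record them.
BEFORE = {
    "C:\\Windows\\System32\\drivers\\etc\\hosts": fingerprint(b"127.0.0.1 localhost\r\n"),
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive": fingerprint(b"OneDrive.exe /background"),
    "C:\\Users\\lab\\Desktop\\sample.exe": fingerprint(b"MZ-sample-bytes"),
}
AFTER = {
    "C:\\Windows\\System32\\drivers\\etc\\hosts": fingerprint(b"127.0.0.1 localhost\r\n0.0.0.0 update.example\r\n"),
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive": fingerprint(b"OneDrive.exe /background"),
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater": fingerprint(b"C:\\Users\\lab\\AppData\\Roaming\\updater.exe"),
    "C:\\Users\\lab\\AppData\\Roaming\\updater.exe": fingerprint(b"MZ-dropped-bytes"),
}

# Autostart locations an analyst reviews first (the same places Autoruns enumerates).
AUTOSTART_MARKERS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Services\\")

def diff_snapshots(before, after):
    """Classify every key as added, removed or modified between the two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }

def persistence_hits(diff):
    """Added or modified entries that sit in an autostart location: likely persistence."""
    changed = diff["added"] + diff["modified"]
    return [k for k in changed if any(m.lower() in k.lower() for m in AUTOSTART_MARKERS)]
```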
Hex Editor
A hex editor is an application that allows the viewing and editing of binary files. The executable's instructions and strings can be viewed, giving the analyst an idea of what the program does and its intention.
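Both the Strings window mentioned under IDA and the hex editor view described here come down to two routines: rendering bytes as a hex dump and pulling printable ASCII and UTF-16LE runs out of them. This added example (not from the post or from any of the tools) implements both over a constructed byte blob standing in for a slice of a PE file.

```python
import re

# Constructed byte blob (not a real sample): DOS stub message, a UTF-16LE DLL name,
# a few opcode bytes and an ASCII API name, separated by NUL padding.
SAMPLE = (
    b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00\x00"
    + "kernel32.dll".encode("utf-16le") + b"\x00\x00"
    + b"\x83\xec\x18\x8b\x45\x08" + b"GetProcAddress\x00"
)

def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs of at least
    min_len characters, which is what a Strings window or a hex editor's string search
    shows. Results are sorted by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return sorted(found)

def hexdump(data: bytes, width: int = 16):
    """Render data the way a hex editor does: offset, hex bytes, printable-ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{text}|")
    return lines
```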
Sysinternals Suite
The Sysinternals Suite is a collection of Microsoft utilities that let you diagnose, monitor and troubleshoot computer problems or hunt down malware that may be on your system. These tools are ideal for finding malware on a system, but a lot of experience is needed to tell the abnormal from the normal.
Process Explorer
Process Explorer is a monitoring tool that lets you view running processes and applications. It is a task manager that gives far more information about the state of your system, such as which executables and DLLs each running process has loaded and what other resources they are using.
When opened, the GUI shows colour-coded active processes: pink processes are Windows services, blue are Explorer services and white are start-up services. It is a superb tool for malware hunting, as it names the company that created the executable or DLL, provides a signature that can be verified to show the file is a genuine product of that company, and lets you check the file against VirusTotal.com's database of 40 antivirus companies to see if it is actually malware.
Process Monitor
Process Monitor offers different filters that let you display activity from the registry, the file system and the different processes and threads. Only an advanced user can make sense of the extensive amount of information that constantly streams through its spreadsheet-like GUI. From the toolbar the user can choose to filter the information by registry, file system, process and thread, stack or networking activity.
Autoruns
Autoruns shows the programs that run at start-up or login. You can review the different start-up locations (the Startup folder, RunOnce, Services). Autoruns lets you look for malware in these locations; suspicious entries will be highlighted.
Windbg
WinDbg is a free Windows debugger from Microsoft. Its original purpose was to help Windows software developers debug code and fix software problems. It can debug user-mode and kernel-mode code, analyse crash dumps and examine the CPU registers while the code executes. To perform Windows kernel analysis we need a specific setup of the virtual machine and WinDbg in order to debug the VM remotely from the host. Rootkits leverage kernel-level components to facilitate activities such as hiding processes, files, network connections and other common objects.