Practical Malware Analysis

Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig

Chapter 1 - Basic Static Techniques

File signature: Identifiable pieces of known suspicious code.
Heuristics: Behavioral and pattern-matching analysis.
Hashing: Cryptographic fingerprint.
Strings: Always end with a NULL byte.
- ASCII (1 byte per character).
- Unicode (2 bytes per character), always ends with a NULL byte.
Packed programs:
- Compressed/obfuscated programs.
- Contains a wrapper/stub to unpack and run itself.
Linked libraries:
- Static linking: Libraries are inside the executable.
- Runtime linking: Import libraries at execution (i.e. LoadLibrary, GetProcAddress...).
- Dynamic linking: The OS searches for the necessary libraries.
Function naming conventions:
- Ex suffix: Means a new version of the function (i.e. CreateFile & CreateFileEx).
- A (ASCII) or W (Wide) suffixes (i.e. FindFirstFileA & FindFirstFileW).
Imported/Exported functions: List of imported and exported function by an executable or a library.
PE file and sections:
- .text: Code instructions.
- .rdata: Import & export information, also read-only data used by the program.
- .data: Program's global data accessible from anywhere.
- .rsrc: Resources (icons, images, menus, strings...)
Virtual & Raw Size: Virtual means in-memory and raw means on disk. If a section has no size on disk but a virtual size, this often means that it will be filled at runtime.

skipped...

Use a sandbox: Quick and dirty approach.
Running a malware: rundll32.exe name.dll,#1 (or function name)
Monitoring:
- Process Monitor (ProcMon): You can filter on PID or Process name.
- Process Explorer Display: Process tree view (some processes could have been replaced by another, you need to compare memory).
- Regshot: Snapshot and comparaison of two registry.
Network:
- ApateDNS or flare-fakenet-ng: Custom DNS to redirect and see network traffic.
- Wireshark: Open source sniffer.
- INetSim: Simulates commin Internet services.

Opcodes and Endianness:
- Instructions: mov ecx, 0x42
- Opcodes: B9 42 00 00 00 (little endian)
Registers:
- General registers: EAX, EBX, ECX, EDX, EBP, ESP, ESI
- Segment registers: CS, SS, DS, ES, FS, GS (track sections of memory)
- Status flags: EFLAGS (used to make decisions)
- Intruction pointer: EIP (address of the next instruction to execute)
Flags:
- ZF (Zero Flag): Result is 0
- CF (Carry Flag): Result is too large/small
- SF (Sign Flag): Result is negative
- TF (Trap Flag): For debugging, execute one instruction at a time
MOV vs LEA:
- lea eax, [ebx+8] will put the address of EBX+8 into EAX
- mov eax, [ebx+8] will loads the data inside EBX+8 into EAX
Multiplication and division:
- mul 0x50: Multiplies EAX by 0x50 and stores the result in EDX:EAX
- div 0x75: Divides EDX:EAX by 0x75 and stores the result in EAX and the remainder in EDX

Stack frame

Register size

Rep Instructions: Set of instructutions for manipulating data buffers.
- esi: source index, edi: destination index, ecx: counter
- Rep instructions: Increments esi & edi and decrements ecx
- rep: Repeat until ecx = 0
- repe, repz: Repeat until ecx = 0 or zf = 0
- repne, repnz: Repeat until ecx = 0 or zf = 1
- Operands of rep instructions:
  - movsx, cmpsx, scasx where x = b (byte), w (word) or d (dword).
  - movsx: Move a buffer into another one (like memcpy).
  - cmpsx: Compare two buffers (like memcmp).
  - scasx: Search for a value (in eax) in a sequence of bytes starting at edi.
  - stosx: Initialize a buffer to a specific value (like memset).

In a dedicated page on ctf-docs.