As that is a legitimate Windows function we wouldn’t want to analyze the assembly code of CreateFileA, we would be interested in the return value of that function and also the arguments that are being passed to the function before it is called or executed.įrom doing this type of analysis we could see what the file is going to be called and where it is going to be installed on disk and also identify from the return value if the function successfully created the file. For example, if the malware needs to create a file it may use the Windows API CreateFileA to create that file. However within this function, the malware will make calls to other functions, these may be written by the malware author or will be Windows APIs that have been imported by the malware. This is the main body of the code written by the malware author. When analyzing a malware sample in 圆4dbg you begin at the main function. The Windows API’s that are imported are known as the Import Address Table (IAT). When the malware imports the DLL’s a malware analyst can use this information to get a rough idea of what the malware may do. Windows contains several libraries that contain unique functions, these libraries are known as DLL’s (Dynamic Linked Libraries).įor example, Kernel32.dll contains the API ‘WriteFile’ so the malware can import this function and use it to write files to disk. The functions that they import are legitimate Windows functions known as Windows APIs. So in some cases rather than write code to perform a certain function they will instead import legitimate Windows API functions that can do some of the work for them. Now the malware author could write a function to do this, however, Windows already contains multiple pre-written functions that can be imported. From analyzing that function using 圆4dbg we could potentially see where that file is written to and what its name will be. The Methodology I Use:įirst of all, always remember that a piece of malware is made up of multiple functions that have either been written by the malware author or have been imported by them.įor example, within the malware, a function may exist which creates a file on disk. Perhaps the malware generates a random filename on each device it infects, a potential use case could be to investigate how these names are generated. From the initial dynamic analysis, there may be some behavior that the malware is exhibiting that you want to investigate further. Unpacking malware is a great skill to have in your arsenal however once the binary is unpacked where do we start with our analysis? First of all, you don’t want to analyze every line of code from start to finish, it’s simply too time-consuming. The good news is that a common use case for 圆4dbg is being able to manually unpack malware, the unpacked file can then be reloaded into 圆4dbg and the actual analysis of the malware can begin! Packed malware is essentially ‘wrapped’ with a layer of code, this additional layer hides the code the malware author has written and it’s this obfuscation technique that is known as malware ‘packing’. Malware is often packed so that the code written by the malware author is obfuscated, the bad guys have taken time to write some malicious code and don’t want it to be an easy task for somebody to take a quick look at the malware and in a short space of time identify what it does and how to stop it. Another issue is that if I haven’t performed some basic analysis I might be stepping through packed code and won’t actually get to analyze anything of interest. Without performing this initial gathering of evidence I would be reluctant to open the malware in 圆4dbg and start blindly stepping through assembly code. I can also get a rough idea of what the malware author’s goals may be in writing a malicious program, perhaps it’s financially motivated such as Ransomware, alternatively, it could be a RAT (Remote Access Trojan) that provides the bad guys with backdoor access to a network. From this, I can determine some key indicators of compromise (IOC’s) such as network traffic, files written to disk, and persistence mechanisms. This initial triage gives me an understanding of what the malware does when it compromises a device. When I use a tool such as 圆4dbg to reverse engineer malware I first make sure I have done some behavioral analysis of the binary first using some freely available tools. Reloading unwrapped malware into 圆4dbg. In this series, we’ll cover these 圆4dbg use cases: This article will serve as an 圆4dbg tutorial in which I will cover the methodology I use when reverse engineering malware and demonstrate how to use the tool to unpack a malware sample. In a previous blog post, I explained what 圆4dbg is and also broke down some of the features of the tool and why they are useful for malware analysis.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |