- Advanced static analysis involves looking into the assembly instructions (ASM) and loading malware into decompilers and disassemblers - reverse engineering.
- Advanced dynamic analysis involves running the malware in debuggers.
- Cutter can be used for advanced static analysis of malware - open the unarmed malware file in the app.
- It gives an overview of the malware with some basic info, but the key use of the disassembler/decompiler is to view all the called functions in the program - we can view the main function too (the Graph view can be used for simplification).
x86 CPU instructions, Memory registers & Stack:

- The compiler translates the high-level code into CPU instructions.
- Three major types of CPU instructions - arithmetic, data movement & control flow instructions.
- x86 is a little-endian architecture - in the disassembly, operands are read from right to left (source on the right, destination on the left).

```asm
mov edx, eax    ; move eax data into edx ; read from right to left (source, then destination)
jmp 0x04        ; jump to a certain part of the program ; used in logical flow ; jnz - jump if not zero
sub             ; for subtraction
push            ; used to deal with the stack
pop             ; as we keep on adding to the stack, it goes to lower addresses
call            ; used with subroutines
ret             ; main() calls functions, which return to main()
```
Memory registers - hold & handle different parts of data at runtime:

- eax - accumulator register
- edx - data register
- ebx - base register
- esp - extended stack pointer
- ebp - extended base pointer
- eip - extended instruction pointer
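To make the stack and register behaviour above concrete, here is an added example (not part of the original notes, not Cutter's or any disassembler's code): a tiny Python model of a 32-bit x86 CPU with a byte-addressable memory. It shows that push lowers esp by 4 before storing, that a dword is stored least-significant byte first (little-endian), that mov copies from the right-hand operand into the left-hand one, and that call pushes the return address which ret pops back into eip. The stack top, the code address and the 5-byte call length are constructed assumptions.

```python
# Added example (not from the original notes): a minimal model of the x86 32-bit
# stack and registers to show why push moves esp to lower addresses, how a dword
# is laid out little-endian in memory, and how call/ret use the stack for the
# return address. Addresses and instruction lengths are constructed assumptions.
import struct


class Cpu32:
    """Minimal model: eax/ebx/edx general registers, esp/ebp/eip, sparse byte memory."""

    def __init__(self, stack_top=0x7FFF0000, code_addr=0x00401000):
        self.regs = {"eax": 0, "ebx": 0, "edx": 0,
                     "esp": stack_top, "ebp": 0, "eip": code_addr}
        self.mem = {}  # address -> byte value (constructed, not a real process)

    def write_dword(self, addr, value):
        # little-endian: the least significant byte goes to the lowest address
        for i, b in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
            self.mem[addr + i] = b

    def read_dword(self, addr):
        return struct.unpack("<I", bytes(self.mem.get(addr + i, 0) for i in range(4)))[0]

    def push(self, value):
        # esp is decremented first, then the dword is stored at the new esp
        self.regs["esp"] -= 4
        self.write_dword(self.regs["esp"], value)

    def pop(self):
        value = self.read_dword(self.regs["esp"])
        self.regs["esp"] += 4
        return value

    def mov(self, dst, src):
        # Intel syntax: destination on the left, source on the right
        self.regs[dst] = self.regs[src] if isinstance(src, str) else src & 0xFFFFFFFF

    def call(self, target, insn_len=5):
        # call pushes the address of the next instruction, then jumps to target
        self.push(self.regs["eip"] + insn_len)
        self.regs["eip"] = target

    def ret(self):
        # ret pops the saved return address back into eip
        self.regs["eip"] = self.pop()


def demo():
    """Run mov / push / call / ret and return the observable effects."""
    cpu = Cpu32()
    top = cpu.regs["esp"]
    cpu.mov("eax", 0x11223344)
    cpu.mov("edx", "eax")            # mov edx, eax
    cpu.push(cpu.regs["edx"])        # push edx
    esp_after_push = cpu.regs["esp"]
    stack_bytes = [cpu.mem[esp_after_push + i] for i in range(4)]
    cpu.call(0x00401500)             # call sub_401500 (constructed target)
    ret_addr = cpu.read_dword(cpu.regs["esp"])
    cpu.ret()
    popped = cpu.pop()               # pop the earlier pushed edx value
    return {
        "esp_delta_after_push": esp_after_push - top,   # -4: the stack grows downward
        "stack_bytes": stack_bytes,                     # [0x44, 0x33, 0x22, 0x11]
        "return_address": ret_addr,
        "eip_after_ret": cpu.regs["eip"],
        "popped": popped,
        "esp_restored": cpu.regs["esp"] == top,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val)
```

The model is deliberately tiny; it ignores flags, segment registers and instruction decoding. Its point is the memory picture an analyst needs when reading a debugger's stack window: the bytes 44 33 22 11 at esp are the value 0x11223344, and the dword just above a callee's frame is where control returns.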
Assembly instructions:

```asm
push ebp
mov ebp, esp                ; setup for calling a function (function prologue)
push 0
push 0
push 0
push 0
push str.Mozilla_5.0
call dword [InternetOpenW]  ; API call - we can check its documentation
                            ; for which the parameters need to be pushed
                            ; in LIFO order as it is a stack
```
Patterns to identify process injection:

```asm
; certain API calls indicate process injection
call dword [OpenProcess]         ; certain parameters would have been pushed onto the stack before this
call dword [VirtualAllocEx]
call dword [WriteProcessMemory]
call dword [CreateRemoteThread]
```