Malware Mondays
Episode 1: Procmon
Start with the Process ID (PID).
When you see the initial process drop new files, hash both files to compare whether they are the same.
From the Process Tree, select the top process that executes other processes and choose Include Subtree. This gives a filter that includes the child processes.
Filters
CreateFile does not only create a file; it also covers creating a handle to an existing file, which happens a lot. Instead filter on WriteFile: if a file is important, data will probably be written to it. #RegSetValue #DeleteFile
Tip: save the filters as a baseline, including the process tree, and use that baseline when analysing new samples.
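As an added example (not code from the episode), here is a Python script that applies the same triage to a Procmon CSV export: it reproduces Include Subtree from the sample's root PID, then keeps only WriteFile, RegSetValue and delete operations instead of the noisy CreateFile handle opens. The CSV rows are constructed; the script assumes the optional Parent PID column was enabled before exporting and that a deletion shows up as SetDispositionInformationFile.

```python
"""Triage a Procmon CSV export the way the notes describe: keep the subtree
rooted at the sample's PID, then keep state-changing events only."""
import csv
import io
from collections import defaultdict

# Constructed sample export (not a real capture). Assumes the optional
# "Parent PID" column was enabled before File > Save as CSV.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Parent PID","Operation","Path","Result","Detail"
"10:00:01","sample.exe","4120","2200","CreateFile","C:\\Users\\a\\sample.exe","SUCCESS","Desired Access: Read"
"10:00:02","sample.exe","4120","2200","CreateFile","C:\\Users\\a\\AppData\\Local\\Temp\\drop.exe","SUCCESS","Desired Access: Generic Write"
"10:00:02","sample.exe","4120","2200","WriteFile","C:\\Users\\a\\AppData\\Local\\Temp\\drop.exe","SUCCESS","Offset: 0, Length: 24,576"
"10:00:03","sample.exe","4120","2200","Process Create","C:\\Users\\a\\AppData\\Local\\Temp\\drop.exe","SUCCESS","PID: 4388"
"10:00:04","drop.exe","4388","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ"
"10:00:05","drop.exe","4388","4120","SetDispositionInformationFile","C:\\Users\\a\\sample.exe","SUCCESS","Delete: True"
"10:00:05","explorer.exe","2200","1000","WriteFile","C:\\Users\\a\\unrelated.txt","SUCCESS","Offset: 0, Length: 12"
"""

# WriteFile/RegSetValue as in the notes; deletion is assumed to appear as
# SetDispositionInformationFile in the export.
STATE_CHANGING = {"WriteFile", "RegSetValue", "SetDispositionInformationFile"}

def load_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def subtree_pids(events, root_pid):
    """Mirror Procmon's 'Include Subtree': the root PID plus all descendants."""
    children = defaultdict(set)
    for e in events:
        children[e["Parent PID"]].add(e["PID"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen

def triage(text, root_pid):
    """(process, operation, path) for subtree events that change state."""
    events = load_events(text)
    pids = subtree_pids(events, root_pid)
    return [(e["Process Name"], e["Operation"], e["Path"]) for e in events
            if e["PID"] in pids and e["Operation"] in STATE_CHANGING]

if __name__ == "__main__":
    for row in triage(SAMPLE_CSV, "4120"):
        print(row)
```

The three remaining rows are the dropped file being written, the Run-key persistence and the self-delete; explorer.exe's write is outside the subtree and is filtered away.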
Hotkeys
Ctrl-J to jump to file location
Done with particular events? Right-click → remove events before
source code
Tip: check out my repositories (source code link) and analyse the executables in Procmon.
Reverse Engineering Malware with Ghidra
Overview notes
Native code: IDA (Pro), Ghidra, Binary Ninja
Interpreted code (.NET, Java): dnSpy, JD
Check out the courses:
- Identifying and defeating code obfuscation
- Identifying and defeating packing
- Identifying and defeating anti-reverse engineering and anti-analysis
Menu and windows
Windows:
- Program trees (provides an overview of the binary structure of the program)
- Symbol tree (breakdown and overview of all program symbols such as imports, way to identify functions)
- Data type manager (structures and other data types, typically from header files, or created by you)
- Listing (disassembly of the executable code from the program)
  - sidebar displays program overview, entropy and a number of different bookmarks
  - default is a linear view; a graph view may be opened per function
  - can patch/modify the listing
  - options change based on the area of the program you are exploring
  - create bookmarks and add labels to help with analysis
  - modify register values and convert data types (convert data into code)
Decompiler
Listed to the right of the Listing window. Converts machine code to assembly, then P-Code, then C.
Warning: there is not necessarily a direct match between the decompiled code and the original source code.
You can modify the decompiler output:
- edit local variables, data structures, return types
- consider changing a signature instead of a local instance
- changes in signature are also reflected in the Listing window
- leverage header files when possible (usually not available)
The decompiler creates structures which help with program analysis and comprehension.
It can lock analysis through the ‘Decompiler Parameter ID’ (locking signatures) and by committing parameters, return values and local variables.
It can trace variable usage and highlight variables that may be impacted going forwards/backwards (navigate through a function by way of a variable).
Provides the ability to export functions for use with different tools.