Malware analysis

From ForensicsWiki

Analyzing malware, or malicious software, is more of an art than a technique. Because malicious programs vary so widely, there are limitless ways to hide functionality.

Some common tools for malware analysis include simple programs like the strings utility. More detailed analysis can be conducted by examining the headers of executables with programs like PEiD and PeExplorer. Finally, the most complete analysis can be done with disassemblers and debuggers like IDA Pro and OllyDbg.

Malware techniques

Process hollowing

Process hollowing is yet another tool in the kit of those who seek to hide the presence of a process. The idea is rather straightforward: a bootstrap application creates a seemingly innocent process in a suspended state. The legitimate image is then unmapped and replaced with the image that is to be hidden. If the preferred image base of the new image does not match that of the old image, the new image must be rebased. Once the new image is loaded in memory, the EAX register of the suspended thread is set to the new image's entry point. The process is then resumed and the entry point of the new image is executed. [1]
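The two artifacts that description leaves behind, a region at the image base that is no longer backed by the executable on disk and a primary-thread start address that no longer equals the on-disk entry point, can be checked mechanically. The following is an added example written for this page, not code from ForensicsWiki or the cited source; it assumes the live values (the PEB's ImageBaseAddress, the primary thread's initial EAX, and the file mapped at the image base) have already been collected by a memory forensics tool and are passed in as plain values, and it uses a constructed minimal PE header rather than a real binary.

```python
import struct
from typing import NamedTuple, Optional

class DiskImage(NamedTuple):
    image_base: int        # preferred ImageBase from the optional header
    entry_point_rva: int   # AddressOfEntryPoint, relative to the image base

def parse_pe(data: bytes) -> DiskImage:
    """Read ImageBase and AddressOfEntryPoint from a PE32 or PE32+ optional header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # skip signature and COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                             # PE32: 32-bit ImageBase at +28
        base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                           # PE32+: 64-bit ImageBase at +24
        base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return DiskImage(base, entry)

def hollowing_indicators(disk: DiskImage, peb_image_base: int, thread_start: int,
                         backing_file: Optional[str], disk_path: str) -> list:
    """peb_image_base: ImageBaseAddress from the PEB; thread_start: EAX in the primary
    thread's initial context; backing_file: file mapped at peb_image_base, or None."""
    findings = []
    # Once the original image is unmapped and replaced, the region at the image base
    # is no longer backed by the executable on disk (or is backed by a different file).
    if backing_file is None:
        findings.append("image base region is not file-backed")
    elif backing_file.lower() != disk_path.lower():
        findings.append("image base region is backed by a different file")
    # The bootstrap points EAX at the injected entry point, so thread start != base +
    # on-disk AddressOfEntryPoint. Using the PEB base (not preferred ImageBase) tolerates ASLR.
    if thread_start != peb_image_base + disk.entry_point_rva:
        findings.append("thread start address does not match on-disk entry point")
    return findings

def constructed_pe32_header(image_base: int = 0x400000, entry_rva: int = 0x1000) -> bytes:
    """Constructed minimal PE32 header (not a real binary) so the example runs offline."""
    hdr = bytearray(0x58 + 0x60)                   # DOS stub + PE header + optional header
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x58, 0x10B)       # optional header starts at 0x58: PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 16, entry_rva)
    struct.pack_into("<I", hdr, 0x58 + 28, image_base)
    return bytes(hdr)
```

The entry-point check is a heuristic: an injected image whose AddressOfEntryPoint happens to equal the original's will pass it, which is why the file-backing check is evaluated as well.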

See Also

External Links


Sources