mirror of
https://github.com/aljazceru/securedorg.github.io.git
synced 2025-12-18 14:44:23 +01:00
updating image paths
@@ -7,7 +7,7 @@ title: Dynamic Analysis

# Section 6: Dynamic Analysis #





## LAB 3

Dynamic analysis is a deeper analysis of the program to understand hidden functionality not understood statically. The static analysis will serve as a guide for stepping through the program in a debugger.
@@ -22,7 +22,7 @@ Typically programs start at **004010000** but your debugger might start the prog

Edit->Segements->Rebase Program.




---
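Review bot: `Edit->Segements->Rebase Program.` in the context line misspells the IDA menu item; it should read `Edit->Segments->Rebase program`. The hunk header context `**004010000**` has nine hex digits, which cannot be a 32-bit address; the usual start of `.text` is `00401000`, so the extra zero looks like a typo worth fixing in the same pass.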
@@ -32,30 +32,30 @@ You will need to sync the debugger and disassembler addresses so you can follow

* In IDA, open the functions tab and look for function xxxx1530. Where xxxx should match your rebase address ( If rebase is **0190**1000, then **0190**1530 ).
* In x64dbg, CTRL+G to jump to a specific address xxxx1530.






---

### XOR Decode Function

Remember use the F2(breakpoint), F7(Step Into), F8(Step Over), F9(Run) keys to navigate through the debugger. If you accidentally run past the end the of the program you can always restart by clicking .
Remember use the F2(breakpoint), F7(Step Into), F8(Step Over), F9(Run) keys to navigate through the debugger. If you accidentally run past the end the of the program you can always restart by clicking .




In **IDA**, get the offset of the XorDecode function you saved prior.




In **x64bdg** find that same offset and add a comment that it is the Xor Decode function. Set a breakpoint using **F2** on that function. Then run the program until the breakpoint using **F9**. Step into that function using **F7**.

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn5.gif)
[](https://securedorg.github.io/RE101/images/dyn5.gif)

Navigate down to the loop that does the Xor Encoding. Place a breakpoint on the same instructions shown below. Right click on the EBX register and select Follow in Dump. This location is where the decoded string will be stored. After you set your break points, press **F9** to get to the start of the loop, then step through the loops until you see the decoded string in the dump.

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn9.png)
[](https://securedorg.github.io/RE101/images/dyn9.png)

---
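Review bot: Three typos sit in the context lines of this hunk and could be fixed in the same sweep: `x64bdg` should be `x64dbg`, `Remember use the F2(breakpoint)` should be `Remember to use the F2 (breakpoint)`, and `run past the end the of the program` should be `run past the end of the program`. The restart sentence ends in `by clicking .` because it depends on an inline icon, so name the button (Restart) in text. The changed rows still hard-code the host (`https://securedorg.github.io/RE101/images/dyn5.gif`); a site-relative `/RE101/images/dyn5.gif` would survive the next host or project rename without another commit like this one.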
@@ -64,12 +64,12 @@ Navigate down to the loop that does the Xor Encoding. Place a breakpoint on the

We want to manipulate the control flow instructions so that we can get to the network connection API call. We know that the program will first **copy** and then **delete** itself after it checks if the file doesn't exists using GetFileAttributes API. Continue to step to the **jne** (jump if not equal) instruction. By double clicking the **ZF flag** we can manipulate the result 1 to 0. This means it will make the jump past the Copfile API.

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn10.gif)
[](https://securedorg.github.io/RE101/images/dyn10.gif)

Once you get past the delete API, there is that weird string you saw during static analysis. Step over (**F8**) the XorDecode function and notice the EAX register. It is the URL that was in the internet traffic from the triage analysis.

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn11.png)
[](https://securedorg.github.io/RE101/images/dyn11.png)

---
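Review bot: `Copfile API` in the first context paragraph should be `CopyFile API`, and `checks if the file doesn't exists using GetFileAttributes API` should be `checks whether the file exists using the GetFileAttributes API`. The ZF explanation is consistent (clearing ZF from 1 to 0 makes the `jne` taken), but the paragraph would be easier to follow if it said what the comparison before the `jne` tests, since the reader is asked to flip the flag without knowing why it was set.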
@@ -78,7 +78,7 @@ Once you get past the delete API, there is that weird string you saw during stat

The VM was not connected to the internet but instead InetSim. What will happen when you manipulate the control flow to get past the internet connection failure? Go ahead and step past the internet connection and manipulate the control flow flag ZF to do so.

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn12.gif)
[](https://securedorg.github.io/RE101/images/dyn12.gif)

It must have been a very funny joke. **l** **m** **a** **o**
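Review bot: `The VM was not connected to the internet but instead InetSim` in the context line is an incomplete comparison; suggest `The VM was not connected to the internet but to INetSim instead` (the simulator spells its name INetSim).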
@@ -89,7 +89,7 @@ It must have been a very funny joke. **l** **m** **a** **o**

It seems that the malware was waiting for the word **lmao** to display a message. Navigate to the Messagebox api. Set a breakpoint on and after the function call, this will ensure that it will prevent you from skipping any hidden functionality. Go ahead and press **F9** to run the MessageBox function.

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn13.gif)
[](https://securedorg.github.io/RE101/images/dyn13.gif)

---
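Review bot: Comma splice in the context paragraph: `Set a breakpoint on and after the function call, this will ensure that it will prevent you from skipping any hidden functionality` should become two sentences, e.g. `Set a breakpoint on the call and on the instruction after it. This prevents you from skipping any hidden functionality.` Also `Messagebox api` should be written `MessageBox API`, matching the casing used later in the same paragraph.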
@@ -98,7 +98,7 @@ It seems that the malware was waiting for the word **lmao** to display a message

The CFF explorer from the triage analysis revealed that there was a resource called **BIN**. Step through the program to get the location of the loaded resource after **LockResource**. Remember function return the output in register **EAX**. Notice `mov edi,eax` is where the output is stored in **EDI**.

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn14.png)
[](https://securedorg.github.io/RE101/images/dyn14.png)

---
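Review bot: `Remember function return the output in register EAX` should be `Remember that functions return their output in register EAX`, and `CFF explorer` is the tool's name, `CFF Explorer`. The paragraph introduces the resource as `BIN` and then says `the loaded resource`; writing `the BIN resource` after `LockResource` ties the two together for the reader.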
@@ -119,12 +119,12 @@ BOOL WINAPI CryptStringToBinary(

```

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn15.png)
[](https://securedorg.github.io/RE101/images/dyn15.png)

We know that Arg 1 is register **EDI** which is the resource we just loaded into memory and Arg 3 is 1. The CryptStringToBinary dwflag `0x00000001` means `CRYPT_STRING_BASE64`. Dump the address of EDI into one of the dump windows. This data definitely looks like base64 encoded strings. Step over these functions until past the second CryptStringToBinary call. The result will be placed in register **ESI**. Dump the address in the ESI register. Notice anything weird about the first 3 characters?

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn16.png)
[](https://securedorg.github.io/RE101/images/dyn16.png)

---
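Review bot: `dwflag` in the context paragraph should be the real parameter name, `dwFlags`; it is the third argument of `CryptStringToBinary`, so `Arg 3 is 1` and `0x00000001 means CRYPT_STRING_BASE64` line up once the name is corrected. `Dump the address of EDI into one of the dump windows` and `Dump the address in the ESI register` describe the same x64dbg action in two different phrasings; use one.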
@@ -133,7 +133,7 @@ We know that Arg 1 is register **EDI** which is the resource we just loaded into

Step over the create and write file functions to save the decrypted resource to the file system. Note that this file is saved as **icon.gif**. Next step until the start of the arguments for the ShellExecute call. It looks as if it's using the environment to open the newly created file. The program will finally be done. Open the image and record what you see.

*Click to Enlarge*
[](https://securedorg.github.io/images/dyn17.gif)
[](https://securedorg.github.io/RE101/images/dyn17.gif)

---
@@ -10,7 +10,7 @@ title: Dynamic Analysis

Congrats, you made it through the workshop. All of your notes and debugging should have gotten you to come up with a similar control flow like the diagram and report below.

*Click to Enlarge*
[](https://securedorg.github.io/images/Diagram.png)
[](https://securedorg.github.io/RE101/images/Diagram.png)


## Simple Report
@@ -17,7 +17,7 @@ For windows and osx, follow the instructions in the install binary.

| Windows | Mac OSX | Linux |
| --- | --- | --- |
| [](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-Win.exe) | [](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-OSX.dmg) | [](https://www.virtualbox.org/wiki/Linux_Downloads) |
| [](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-Win.exe) | [](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-OSX.dmg) | [](https://www.virtualbox.org/wiki/Linux_Downloads) |

### Download Victim and Sniffer VMs ###
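Review bot: Both table rows link the Windows and OSX installers over plain `http://download.virtualbox.org/...` while the Linux cell already uses `https://`; the download host serves the same files over HTTPS, and an installer link is exactly the place where an on-path modification matters, so switch the scheme here. Since the cells are image-only links, add alt text naming the platform, and consider pointing readers at the checksum list VirtualBox publishes for each release so the 5.1.14 binaries can be verified after download.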
@@ -70,11 +70,11 @@ Please use the utility [7zip](http://www.7-zip.org/download.html). Unzip the fil

* Open terminal and run: `ps -ef | grep inetsim`
* If no output, run: `/etc/init.d/inetsim start`
* Run the ps command again to confirm it's running.
* Expected output: 
* Expected output: 
7. Victim VM: test connection to Sniffer VM
* In the search bar, type `cmd.exe` to open terminal
* Run command: `ping 192.168.0.1`
* Expected output: 
* Expected output: 
8. Sniffer VM: Devices->Shared Folders->Shared Folders Settings
* On your Host, create a folder called `sniffershare`
* In virtual box select Add New Shared Folder icon and navigate to the folder you just created (sniffershare)
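Review bot: `ps -ef | grep inetsim` matches the grep process itself, so the check prints a line even when INetSim is not running and the `If no output` branch never triggers; `pgrep -f inetsim` or `ps -ef | grep '[i]netsim'` avoids that. `/etc/init.d/inetsim start` needs root, so prefix it with `sudo` or say so. The `Expected output:` rows carry only an image and render empty here; a one-line textual description of the expected line would make both checks verifiable without the screenshot.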
@@ -11,7 +11,7 @@ title: Fundamentals

Typical windows programs are in the Portable Executable (PE) Format. It’s portable because it contains information, resources, and references to dynamic-linked libraries (DLL) that allows windows to load and execute the machine code.




---
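Review bot: In the context paragraph, `windows` should be capitalised as the OS name (both occurrences), `dynamic-linked libraries (DLL)` is `dynamic-link libraries (DLLs)`, and `that allows windows to load` should be `that allow Windows to load` since the subject is plural.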
@@ -28,7 +28,7 @@ In this workshop we will be focusing on user-mode applications.

[1]: https://msdn.microsoft.com/en-us/windows/hardware/drivers/gettingstarted/user-mode-and-kernel-mode?f=255&MSPPError=-2147217396

This diagram shows the relationship of application components for user-mode and kernel-mode.



---
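Review bot: The `[1]` reference URL in the context line ends in `?f=255&MSPPError=-2147217396`, which is the query string Microsoft's site appends after a failed redirect rather than part of the article address; trim it to `https://msdn.microsoft.com/en-us/windows/hardware/drivers/gettingstarted/user-mode-and-kernel-mode` so the link does not carry an error code around.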
@@ -43,12 +43,12 @@ The executable code has designated regions that require a different memory prote

This diagram shows how this header is broken up.

*Click to Enlarge*
[](https://securedorg.github.io/images/PE32.png)
[](https://securedorg.github.io/RE101/images/PE32.png)

Here is a hexcode dump of a PE header we will be working with.

*Click to Enlarge*
[](https://securedorg.github.io/images/PEHeader.gif)
[](https://securedorg.github.io/RE101/images/PEHeader.gif)

---
@@ -67,7 +67,7 @@ Here is a hexcode dump of a PE header we will be working with.

[5]: https://en.wikipedia.org/wiki/Process_Environment_Block

This diagram illustrates how the PE is placed into memory.



---
@@ -77,6 +77,6 @@ This diagram illustrates how the PE is placed into memory.

- **EBP** - Base Pointer is the register that used to store the references in the stack frame

This diagram represents a typical stack frame.



[Environment Setup <- Back](https://securedorg.github.io/RE101/section1) | [Next -> x86 Assembly](https://securedorg.github.io/RE101/section1.3)
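Review bot: `Base Pointer is the register that used to store the references in the stack frame` is missing a verb; suggest `Base Pointer is the register used to reference the arguments and local variables of the current stack frame`, which also matches the stack-frame diagram the next line introduces.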
@@ -47,16 +47,16 @@ Example below is moving value at 0xaaaaaaaa into ecx.

| --- | --- |
| `mov ecx,[0xaaaaaaaa];` | `8B 0D AA AA AA AA` |

Use the search page below or open the [Search Instructions](https://securedorg.github.io/x86.html) page to search for functions discussed above
Use the search page below or open the [Search Instructions](https://securedorg.github.io/RE101/x86.html) page to search for functions discussed above

<iframe src="https://securedorg.github.io/x86.html" width="640" height="480" frameborder="0" style="display:block; margin: 0 auto;"></iframe>
<iframe src="https://securedorg.github.io/RE101/x86.html" width="640" height="480" frameborder="0" style="display:block; margin: 0 auto;"></iframe>

---


## Registers ###

The image below is what registers will look like in a debugger.



#### General-Purpose Registers [[1]][1]
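Review bot: `## Registers ###` closes a level-2 heading with three hashes while the rest of the site uses matching pairs (`## Hello World ##`), so it should be `## Registers ##`. The two `<iframe>` rows keep the obsolete `frameborder="0"` attribute; `border:0` inside the existing `style` does the same in HTML5. As with the image rows elsewhere in this commit, the iframe `src` hard-codes the host, and `/RE101/x86.html` would work as a site-relative path.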
@@ -114,19 +114,19 @@ The **EIP** register contains the address of the next instruction to be executed

## Hello World ##

*Click Image to Enlarge*
[](https://securedorg.github.io/images/helloworld.gif)
[](https://securedorg.github.io/RE101/images/helloworld.gif)

## Calling a Function ##

### Arguments on the Stack ###

*Click Image to Enlarge*
[](https://securedorg.github.io/images/FunctionCall.gif)
[](https://securedorg.github.io/RE101/images/FunctionCall.gif)

### Local Variables on the Stack ###

*Click Image to Enlarge*
[](https://securedorg.github.io/images/FunctionCall2.gif)
[](https://securedorg.github.io/RE101/images/FunctionCall2.gif)

[1]: https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture
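Review bot: This hunk captions its images `*Click Image to Enlarge*` while the Dynamic Analysis and Fundamentals hunks in the same commit use `*Click to Enlarge*`; since every caption row is being touched anyway, pick one wording for the whole site.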
@@ -14,86 +14,86 @@
<table>
<caption style="text-align: left;"><h3>Navigation<h3></caption>
<tr><td>Jump to operand</td><td>Enter</td></tr>
<tr><td>Jump in new window</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+<img src="https://securedorg.github.io/images/Enter-50.png" alt="Enter"></td></tr>
<tr><td>Jump in new window</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+<img src="https://securedorg.github.io/RE101/images/Enter-50.png" alt="Enter"></td></tr>
<tr><td>Jump to previous position</td><td>Esc</td></tr>
<tr><td>Jump to Next position</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+<img src="https://securedorg.github.io/images/Enter-50.png" alt="Enter"></td></tr>
<tr><td>Jump to Next position</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+<img src="https://securedorg.github.io/RE101/images/Enter-50.png" alt="Enter"></td></tr>
<tr><td>Jump to address</td><td>G</td></tr>
<tr><td>Jump by name</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+L</td></tr>
<tr><td>Jump to function</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+P</td></tr>
<tr><td>Jump to segment</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+S</td></tr>
<tr><td>Jump to segment register</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+G</td></tr>
<tr><td>Jump to problem</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+Q</td></tr>
<tr><td>Jump to cross reference</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+X</td></tr>
<tr><td>Jump by name</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+L</td></tr>
<tr><td>Jump to function</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+P</td></tr>
<tr><td>Jump to segment</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+S</td></tr>
<tr><td>Jump to segment register</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+G</td></tr>
<tr><td>Jump to problem</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+Q</td></tr>
<tr><td>Jump to cross reference</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+X</td></tr>
<tr><td>Jump to xref to operand</td><td> X</td></tr>
<tr><td>Jump to entry point</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+E</td></tr>
<tr><td>Mark Position</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+M</td></tr>
<tr><td>Jump to entry point</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+E</td></tr>
<tr><td>Mark Position</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+M</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Search</h3></caption>
<tr><td>Next code</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+C</td></tr>
<tr><td>Next data</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+D</td></tr>
<tr><td>Next explored</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+A</td></tr>
<tr><td>Next unexplored</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+U</td></tr>
<tr><td>Immediate value</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+I</td></tr>
<tr><td>Next immediate value</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+I</td></tr>
<tr><td>Text</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+T</td></tr>
<tr><td>Next text</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+T</td></tr>
<tr><td>Sequence of bytes</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+B</td></tr>
<tr><td>Next sequence of bytes</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+B</td></tr>
<tr><td>Not function</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+U</td></tr>
<tr><td>Next code</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+C</td></tr>
<tr><td>Next data</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+D</td></tr>
<tr><td>Next explored</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+A</td></tr>
<tr><td>Next unexplored</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+U</td></tr>
<tr><td>Immediate value</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+I</td></tr>
<tr><td>Next immediate value</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+I</td></tr>
<tr><td>Text</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+T</td></tr>
<tr><td>Next text</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+T</td></tr>
<tr><td>Sequence of bytes</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+B</td></tr>
<tr><td>Next sequence of bytes</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+B</td></tr>
<tr><td>Not function</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+U</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Graphing</h3></caption>
<tr><td>Flow chart</td><td>F12</td></tr>
<tr><td>Function calls</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F12</td></tr>
<tr><td>Function calls</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+F12</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Comments</h3></caption>
<tr><td>Enter comment</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+; </td></tr>
<tr><td>Enter comment</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+; </td></tr>
<tr><td>Enter repeatable comment</td><td>; </td></tr>
<tr><td>Enter anterior lines</td><td>Ins </td></tr>
<tr><td>Enter posterior lines</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+Ins </td></tr>
<tr><td>Insert predefined comment</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F1</td></tr>
<tr><td>Enter posterior lines</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+Ins </td></tr>
<tr><td>Insert predefined comment</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F1</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Data Format Options</h3></caption>
<tr><td>ASCII strings style</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+A</td></tr>
<tr><td>Setup data types</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+D</td></tr>
<tr><td>ASCII strings style</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+A</td></tr>
<tr><td>Setup data types</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+D</td></tr>
</table>
</td>
<td>
<table>
<caption style="text-align: left;"><h3>Open Subviews</h3></caption>
<tr><td>Names</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F4</td></tr>
<tr><td>Functions</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F3</td></tr>
<tr><td>Strings</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F12</td></tr>
<tr><td>Segments</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F7</td></tr>
<tr><td>Segment registers</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F8</td></tr>
<tr><td>Signatures</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F5</td></tr>
<tr><td>Type libraries</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F11</td></tr>
<tr><td>Structures</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F9</td></tr>
<tr><td>Enumerations</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F10</td></tr>
<tr><td>Names</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F4</td></tr>
<tr><td>Functions</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F3</td></tr>
<tr><td>Strings</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F12</td></tr>
<tr><td>Segments</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F7</td></tr>
<tr><td>Segment registers</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F8</td></tr>
<tr><td>Signatures</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F5</td></tr>
<tr><td>Type libraries</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F11</td></tr>
<tr><td>Structures</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F9</td></tr>
<tr><td>Enumerations</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F10</td></tr>
</table>



<table>
<caption style="text-align: left;"><h3>File Operations</h3></caption>
<tr><td>Parse C header file</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F9</td></tr>
<tr><td>Create ASM file</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+F10</td></tr>
<tr><td>Save database</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+W</td></tr>
<tr><td>Parse C header file</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+F9</td></tr>
<tr><td>Create ASM file</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+F10</td></tr>
<tr><td>Save database</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+W</td></tr>
</table>

<table>
<caption style="text-align: left;"><h3>Debugger</h3></caption>
<tr><td>Star process</td><td>F9</td></tr>
<tr><td>Terminate process</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F2</td></tr>
<tr><td>Terminate process</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+F2</td></tr>
<tr><td>Step into</td><td>F7</td></tr>
<tr><td>Step over</td><td>F8</td></tr>
<tr><td>Run until return</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F7</td></tr>
<tr><td>Run until return</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+F7</td></tr>
<tr><td>Run to cursor</td><td>F4</td></tr>
<tr><td>Breakpoints</td></tr>
<tr><td>Breakpoint list</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+<img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+B</td></tr>
<tr><td>Breakpoint list</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+<img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+B</td></tr>
</table>

<table>
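Review bot: `<caption style="text-align: left;"><h3>Navigation<h3></caption>` at the top of this hunk opens a second `<h3>` instead of closing the first; it should be `</h3>`, as the Search, Graphing and Comments captions below do. In the Debugger table, `Star process` should be `Start process`, and `<tr><td>Breakpoints</td></tr>` is a one-cell row acting as a sub-heading inside a two-column table; `<th colspan="2">Breakpoints</th>` or a separate captioned table keeps the layout consistent. Since every row here differs only in the image host path, a relative `src` (or one CSS class for the key icons) would avoid a third rewrite of all 86 lines the next time the site moves.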
@@ -103,29 +103,29 @@

<table>
<caption style="text-align: left;"><h3>Tracing</caption>
<tr><td>Stack trace</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+<img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+S</td></tr>
<tr><td>Stack trace</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+<img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+S</td></tr>
</table>

<table>
<caption style="text-align: left;"><h3>Miscellaneous</h3></caption>
<tr><td>Calculator</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+/ </td></tr>
<tr><td>Cycle through open views</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+Tab </td></tr>
<tr><td>Select tab</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt"> + [1…N] </td></tr>
<tr><td>Close current view</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F4</td></tr>
<tr><td>Exit</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+X </td></tr>
<tr><td>IDC Command</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F2</td></tr>
<tr><td>Calculator</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+/ </td></tr>
<tr><td>Cycle through open views</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+Tab </td></tr>
<tr><td>Select tab</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt"> + [1…N] </td></tr>
<tr><td>Close current view</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+F4</td></tr>
<tr><td>Exit</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+X </td></tr>
<tr><td>IDC Command</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+F2</td></tr>
</table>

</td>
<td>
<table>
<caption style="text-align: left;"><h3>Edit (Data Types – etc)</h3></caption>
<tr><td>Copy</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+Ins</td></tr>
<tr><td>Begin selection</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+L</td></tr>
<tr><td>Manual instruction</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+F2</td></tr>
<tr><td>Copy</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+Ins</td></tr>
<tr><td>Begin selection</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+L</td></tr>
<tr><td>Manual instruction</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+F2</td></tr>
<tr><td>Code</td><td>C</td></tr>
<tr><td>Data</td><td>D</td></tr>
<tr><td>Struct variable</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+Q</td></tr>
<tr><td>Struct variable</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+Q</td></tr>
<tr><td>ASCII string</td><td>A</td></tr>
<tr><td>Array</td><td>Num *</td></tr>
<tr><td>Undefine</td><td>U</td></tr>
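Review bot: `<caption style="text-align: left;"><h3>Tracing</caption>` at the top of this hunk never closes the `<h3>`; add `</h3>` before `</caption>` as the Miscellaneous and Edit captions in the same hunk do, otherwise the heading element stays open into the table body and browsers have to repair it.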
@@ -136,11 +136,11 @@

<table>
<caption style="text-align: left;"><h3>Operand Type</caption>
<tr><td>Offset (data segment)</td><td>O</td></tr>
<tr><td>Offset (current segment)</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+O</td></tr>
<tr><td>Offset by (any segment)</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+R</td></tr>
<tr><td>Offset (user-defined)</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+R</td></tr>
<tr><td>Offset (current segment)</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+O</td></tr>
<tr><td>Offset by (any segment)</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+R</td></tr>
<tr><td>Offset (user-defined)</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+R</td></tr>
<tr><td>Offset (struct)</td><td>T</td></tr>
<tr><td>Number (default)</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+3</td></tr>
<tr><td>Number (default)</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+3</td></tr>
<tr><td>Hexadecimal</td><td>Q</td></tr>
<tr><td>Decimal</td><td>H</td></tr>
<tr><td>Binary</td><td>B</td></tr>
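Review bot: `<caption style="text-align: left;"><h3>Operand Type</caption>` is missing `</h3>`, the same defect as the Tracing caption in the previous hunk; since this hunk already rewrites rows of the same table, closing the heading here costs nothing.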
@@ -148,32 +148,32 @@
<tr><td>Segment</td><td>S</td></tr>
<tr><td>Enum member</td><td>M </td></tr>
<tr><td>Stack variable</td><td>K</td></tr>
<tr><td>Change sign</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+-</td></tr>
<tr><td>Bitwise negate</td><td> <img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+`</td></tr>
<tr><td>Manual</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+F1</td></tr>
<tr><td>Change sign</td><td><img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+-</td></tr>
<tr><td>Bitwise negate</td><td> <img src="https://securedorg.github.io/RE101/images/Shift-50.png" alt="Shift">+`</td></tr>
<tr><td>Manual</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+F1</td></tr>
</table>

<table>
<caption style="text-align: left;"><h3>Segments</caption>
<tr><td>Edit segment</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+S</td>
<tr><td>Change segment register value</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+G</td></tr>
<tr><td>Edit segment</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+S</td>
<tr><td>Change segment register value</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+G</td></tr>
</table>

<table>
<caption style="text-align: left;"><h3>Structs</caption>
<tr><td>Struct var</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+Q</td><tr>
<tr><td>Force zero offset field</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+Z</td></tr>
<tr><td>Select union member</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+Y</td></tr>
<tr><td>Struct var</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+Q</td><tr>
<tr><td>Force zero offset field</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+Z</td></tr>
<tr><td>Select union member</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+Y</td></tr>
</table>


<table>
<caption style="text-align: left;"><h3>Functions</caption>
<tr><td>Create function</td><td>P</td></tr>
<tr><td>Edit function</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+P </td></tr>
<tr><td>Edit function</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+P </td></tr>
<tr><td>Set function end</td><td>E </td></tr>
<tr><td>Stack variables</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+K </td></tr>
<tr><td>Change stack pointer</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+K</td></tr>
<tr><td>Stack variables</td><td><img src="https://securedorg.github.io/RE101/images/Ctrl-50.png" alt="Ctrl">+K </td></tr>
<tr><td>Change stack pointer</td><td><img src="https://securedorg.github.io/RE101/images/Alt-50.png" alt="Alt">+K</td></tr>
<tr><td>Rename register</td><td>V</td></tr>
<tr><td>Set function type</td><td>Y</td></tr>
</table>
|
||||
|
||||
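Review bot: two of the rows rewritten in this hunk carry over malformed HTML that should be fixed while the line is already being edited. The new `Edit segment` row (`<tr><td>Edit segment</td><td>…+S</td>`) has no closing `</tr>`, and the new `Struct var` row ends in an opening `<tr>` where `</tr>` was meant (`…+Q</td><tr>`), which renders as an extra empty row. The context lines `<caption style="text-align: left;"><h3>Segments</caption>` (same for `Structs` and `Functions`) open an `<h3>` that is never closed; `<caption><h3>Segments</h3></caption>` is the intended form.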
@@ -7,7 +7,7 @@ title: Intro

# Introduction #

![intro1](https://securedorg.github.io/images/intro1.png)
![intro1](https://securedorg.github.io/RE101/images/intro1.png)

# Reverse Engineering #

@@ -27,7 +27,7 @@ title: Intro

* Constantly learn new things

![intro3](https://securedorg.github.io/images/intro3.png)
![intro3](https://securedorg.github.io/RE101/images/intro3.png)

## Game Plan ##


@@ -11,7 +11,7 @@ title: Malware Techniques

| Perimeter Recon | Infiltrate | Internal Recon | Entrench | Exfiltrate | Purge |
| ------------ |:------------:|:------------:|:------------:|:------------:|:------------:|
| ![Perimeter Recon](https://securedorg.github.io/images/noun_1007022.png) | ![Infiltrate](https://securedorg.github.io/images/noun_990868_cc.png) | ![Internal Recon](https://securedorg.github.io/images/noun_1022135_cc.png) | ![Entrench](https://securedorg.github.io/images/noun_1052432_cc.png) | ![Exfiltrate](https://securedorg.github.io/images/noun_1048593_cc.png) | ![Purge](https://securedorg.github.io/images/noun_959102_cc.png) |
| ![Perimeter Recon](https://securedorg.github.io/RE101/images/noun_1007022.png) | ![Infiltrate](https://securedorg.github.io/RE101/images/noun_990868_cc.png) | ![Internal Recon](https://securedorg.github.io/RE101/images/noun_1022135_cc.png) | ![Entrench](https://securedorg.github.io/RE101/images/noun_1052432_cc.png) | ![Exfiltrate](https://securedorg.github.io/RE101/images/noun_1048593_cc.png) | ![Purge](https://securedorg.github.io/RE101/images/noun_959102_cc.png) |


## Malware Classes

@@ -68,7 +68,7 @@ The malware classes may exhibit one or more of the following techniques. [Mitre
* Control-Flow Flattening
* String Encryption

![obfuscate](https://securedorg.github.io/images/obfuscate.png)
![obfuscate](https://securedorg.github.io/RE101/images/obfuscate.png)

### Example Malware

@@ -86,11 +86,11 @@ The malware classes may exhibit one or more of the following techniques. [Mitre
* Once malware gains access to a system, it often looks to be there for a long time.
* If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware.

![persist](https://securedorg.github.io/images/persist.png)
![persist](https://securedorg.github.io/RE101/images/persist.png)

Example: Dll Search Order Hijacking

![dll](https://securedorg.github.io/images/dll.png)
![dll](https://securedorg.github.io/RE101/images/dll.png)


### Example Malware
@@ -154,7 +154,7 @@ Example: Dll Search Order Hijacking
Example: Mimikatz
Credential theft

![mimikatz](https://securedorg.github.io/images/mimikatz.png)
![mimikatz](https://securedorg.github.io/RE101/images/mimikatz.png)

### Example Malware


@@ -69,7 +69,7 @@ title: RE Tools

### Disassembler: IdaFree

![IDA](https://securedorg.github.io/images/ida.png)
![IDA](https://securedorg.github.io/RE101/images/ida.png)

* **Visual Modes**
* **Graph Mode** - control flow diagram
@@ -88,7 +88,7 @@ title: RE Tools

### Debugger: x64dbg

![x64dbg](https://securedorg.github.io/images/x64dbg.png)
![x64dbg](https://securedorg.github.io/RE101/images/x64dbg.png)

**Common Commands**

@@ -103,7 +103,7 @@ title: RE Tools

### Keyboard Layout for IdaFree and x64dbg

![keys](https://securedorg.github.io/images/keyboard.png)
![keys](https://securedorg.github.io/RE101/images/keyboard.png)

---

@@ -113,7 +113,7 @@ title: RE Tools
* Explores Resources
* Unpacks UPX

![peexplorer](https://securedorg.github.io/images/peexplorer.png)
![peexplorer](https://securedorg.github.io/RE101/images/peexplorer.png)

## Information Gathering: Sysinternals Suite

@@ -121,7 +121,7 @@ title: RE Tools
* **ProcMon** - Monitor processes/thread, files system, network, and registry activity on the system
* **ProcExp** - Monitor processes running on the system

![sysinternals](https://securedorg.github.io/images/sysinternals.png)
![sysinternals](https://securedorg.github.io/RE101/images/sysinternals.png)


[Section 2.1 <- Back](https://securedorg.github.io/RE101/section2.1) | [Next -> Section 4](https://securedorg.github.io/RE101/section4)

@@ -7,7 +7,7 @@ title: Static Analysis

# Section 5: Static Analysis #

![static](https://securedorg.github.io/images/static.png)
![static](https://securedorg.github.io/RE101/images/static.png)

Static analysis is like reading a map for directions on where to go. As you follow through this map you capture notes on what things might look interesting when you actually begin your journey.

@@ -20,17 +20,17 @@ This section will teach you how to jump into code in static disassembly then ren
### Possible Packer?
Notice in CFF explorer that there is UPX in the header.

![upx1](https://securedorg.github.io/images/upx1.png)
![upx1](https://securedorg.github.io/RE101/images/upx1.png)

When you open the executable in IDA, you will notice large section of non-disassembled code.

*Click Image to Enlarge*
[![triage4](https://securedorg.github.io/images/triage4.png)](https://securedorg.github.io/images/triage4.png)
[![triage4](https://securedorg.github.io/RE101/images/triage4.png)](https://securedorg.github.io/RE101/images/triage4.png)

Because UPX is a common packer, there are many tools that offer unpacking for UPX. Open the executable in PE Explorer which will unpack the binary automatically. Save the file with a name to identify it as unpacked.

*Click Image to Enlarge*
[![triage5](https://securedorg.github.io/images/triage5.png)](https://securedorg.github.io/images/triage5.png)
[![triage5](https://securedorg.github.io/RE101/images/triage5.png)](https://securedorg.github.io/RE101/images/triage5.png)

---

@@ -52,14 +52,14 @@ Navigate to the **Strings** window.

Here is an interesting string that we should start with:

![static1](https://securedorg.github.io/images/static1.png)
![static1](https://securedorg.github.io/RE101/images/static1.png)

This string is a typical registry key path to allow programs to autorun/startup on reboot. This is considered a [persistence](https://securedorg.github.io/RE101/section2.1/#persistence) mechanism. Double Click the string.

Using the **X** key we can jump to the reference of that string in the assembly code.

*Click Image to Enlarge*
[![static2](https://securedorg.github.io/images/static2.gif)](https://securedorg.github.io/images/static2.gif)
[![static2](https://securedorg.github.io/RE101/images/static2.gif)](https://securedorg.github.io/RE101/images/static2.gif)

This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396).

@@ -103,24 +103,24 @@ Right before the first **push 0** there is a **mov esi,eax** which means esi = e
When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), while the second argument might be the string length. Press Enter to jump to the function.

*Click Image to Enlarge*
[![static3](https://securedorg.github.io/images/static3.png)](https://securedorg.github.io/images/static3.png)
[![static3](https://securedorg.github.io/RE101/images/static3.png)](https://securedorg.github.io/RE101/images/static3.png)

Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed in assembly. In this case, it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/).

*Click Image to Enlarge*
[![static4](https://securedorg.github.io/images/static4.png)](https://securedorg.github.io/images/static4.png)
[![static4](https://securedorg.github.io/RE101/images/static4.png)](https://securedorg.github.io/RE101/images/static4.png)

We can assume that this function is doing some kind of Xor encoding. So let's rename this function as XorDecode. We will need this information later when we debug in Section 6.

*Click Image to Enlarge*
[![static5](https://securedorg.github.io/images/static5.png)](https://securedorg.github.io/images/static5.png)
[![static5](https://securedorg.github.io/RE101/images/static5.png)](https://securedorg.github.io/RE101/images/static5.png)

Let's use the tool **XORSearch** to see if we can find some interesting xor decoded strings. Open the terminal **cmd.exe** from the start bar, and navigate to the XORSearch.exe

```XORSearch.exe <Path to UnknownUnpacked.exe> "A string to test"```

*Click Image to Enlarge*
[![static6](https://securedorg.github.io/images/static6.png)](https://securedorg.github.io/images/static6.png)
[![static6](https://securedorg.github.io/RE101/images/static6.png)](https://securedorg.github.io/RE101/images/static6.png)

**"Yo this is dope!"** How weird.

@@ -131,14 +131,14 @@ Let's use the tool **XORSearch** to see if we can find some interesting xor deco
Let's navigate to the start of the program using the **X** key. Use the spacebar to toggle between graph view and text view.

*Click Image to Enlarge*
[![static7](https://securedorg.github.io/images/static7.gif)](https://securedorg.github.io/images/static7.gif)
[![static7](https://securedorg.github.io/RE101/images/static7.gif)](https://securedorg.github.io/RE101/images/static7.gif)

It's easy to trace back through the program disassembly, but let's look at some control flow assembly instructions. Remember **jmp, jne, jnz, jnb** are control flow functions.

**Jump Examples**

*Click Image to Enlarge*
[![static9](https://securedorg.github.io/images/static9.gif)](https://securedorg.github.io/images/static9.gif)
[![static9](https://securedorg.github.io/RE101/images/static9.gif)](https://securedorg.github.io/RE101/images/static9.gif)

```assembly
jz loc_401962 ; jump to offset loc_401962 if the previous condition is zero
@@ -151,7 +151,7 @@ jle short loc_401634 ; jump to relative offset 401634 if the previous condition
Next scroll down through and find the order of API function calls in the program. You should make note of all the function offsets.

*Click Image to Enlarge*
[![static8](https://securedorg.github.io/images/static8.gif)](https://securedorg.github.io/images/static8.gif)
[![static8](https://securedorg.github.io/RE101/images/static8.gif)](https://securedorg.github.io/RE101/images/static8.gif)

Some of the more interesting API Calls from the image above. Look up what each function does, many are self explanatory.

@@ -171,6 +171,6 @@ Some of the more interesting API Calls from the image above. Look up what each f

Now you know how to navigate the disassembly forward and backwards to get to interesting routines. The next step is making a rough path to follow for deeper analysis in Section 6.

![static10](https://securedorg.github.io/images/static10.png)
![static10](https://securedorg.github.io/RE101/images/static10.png)

[Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)

@@ -7,7 +7,7 @@ title: Triage Analysis

# Section 4: Triage Analysis #

![triage](https://securedorg.github.io/images/triage.png)
![triage](https://securedorg.github.io/RE101/images/triage.png)

Depending on your workload, you want to spend the least amount of time trying to determine what the malware is doing and how to get rid of it. Many malware analysts use their own triage analysis, similar to that in the Emergency Room at the hospital.

@@ -82,7 +82,7 @@ Questions to ask:

You will want to capture this information throughout your investigation either through notes or report documents.

You can use the **Malware Analysis Report** template [HERE](https://securedorg.github.io/ReportForm.html)
You can use the **Malware Analysis Report** template [HERE](https://securedorg.github.io/RE101/ReportForm.html)

---

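Review bot: this hunk changes a page link, not an image: the `ReportForm.html` template moves from the site root to `/RE101/ReportForm.html`, while the commit message only mentions image paths. Either confirm the template file was actually relocated under `RE101/` in the same change (otherwise the `[HERE]` link 404s) or call the page move out in the message so the two are reviewed together.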
@@ -92,30 +92,30 @@ You can use the **Malware Analysis Report** template [HERE](https://securedorg.g
2. Copy over the unknown file
3. Check the file header by opening the file in the hex editor **HxD**
* Notice the first 2 bytes are **MZ** meaning it's a PE Binary
![triage1](https://securedorg.github.io/images/triage1.png)
![triage1](https://securedorg.github.io/RE101/images/triage1.png)
4. Add the file extension **.exe** to the **Unknown** file so that it reads as **Unknown.exe**. Now right click the file and select **CFF explorer** to check the PE header
* Note the imports it's using
![triage2](https://securedorg.github.io/images/triage2.png)
![triage2](https://securedorg.github.io/RE101/images/triage2.png)
5. Calculate the hash using **quickhash**, go to virustotal.com and search the hash
6. Open the file in **BinText** and record any interesting strings
7. Quick Detonation

The point of the quick detonation is to capture the filesystem, registry, and connection activity. The VMs are set up in such a way that the Victim VM's internet traffic is captured by the Sniffer VM.

![triageVMs](https://securedorg.github.io/images/triageVMs.png)
![triageVMs](https://securedorg.github.io/RE101/images/triageVMs.png)

On the **Sniffer VM** open the terminal and run `sudo wireshark` to get Wireshark sniffing the traffic from the Victim VM. Be sure InetSim is still running, see the fundamentals Section 1 on how to start up InetSim.

On the **Victim VM** open the SysInternals **procmon.exe** and **procexp.exe** so that we can monitor filesystem and process events.

*Click Image to Enlarge*
[![triageVMs2](https://securedorg.github.io/images/triageVMs2.gif)](https://securedorg.github.io/images/triageVMs2.gif)
[![triageVMs2](https://securedorg.github.io/RE101/images/triageVMs2.gif)](https://securedorg.github.io/RE101/images/triageVMs2.gif)

Go ahead and detonate the the malware.

On the **Sniffer VM** look for an **HTTP** request. Right click and **Follow->TCP Stream**. I will display the HTTP get request that was sent by the malware.

*Click Image to Enlarge*
[![triageVMs3](https://securedorg.github.io/images/triageVMs3.gif)](https://securedorg.github.io/images/triageVMs3.gif)
[![triageVMs3](https://securedorg.github.io/RE101/images/triageVMs3.gif)](https://securedorg.github.io/RE101/images/triageVMs3.gif)

[Section 3 <- Back](https://securedorg.github.io/RE101/section3) | [Next -> Section 5](https://securedorg.github.io/RE101/section5)

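Review bot: drive-by while this file is open: the context line `Go ahead and detonate the the malware.` doubles `the`, and `I will display the HTTP get request` a few lines down reads as if the author, not the stream view, shows the request (`It will display …`). Both are one-word fixes that fit in this same commit.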
@@ -25,7 +25,7 @@ function loadXMLDoc(dname)
}
function searchXML()
{
xmlDoc=loadXMLDoc("https://securedorg.github.io/x86.xml");
xmlDoc=loadXMLDoc("https://securedorg.github.io/RE101/x86.xml");
x=xmlDoc.getElementsByTagName("Instruction");
input = document.getElementById("input").value;
size = input.length;

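Review bot: the rewritten `loadXMLDoc("https://securedorg.github.io/RE101/x86.xml")` call fetches data from a hard-coded absolute origin, which matters more here than for an `<img>`: whatever `loadXMLDoc` uses to fetch (XMLHttpRequest or fetch), a request to an origin other than the page's is blocked by the browser's same-origin policy unless that host sends CORS headers, so the instruction lookup silently returns nothing on a local preview or a fork. A relative URL (`x86.xml` or `/RE101/x86.xml`) keeps the request same-origin. Separately, in the surrounding context `xmlDoc`, `x`, `input` and `size` are assigned without `var`/`let`, making them implicit globals; worth declaring while `searchXML` is being touched.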