diff --git a/RE101/dynamic.md b/RE101/dynamic.md
index 915b926..10c9581 100644
--- a/RE101/dynamic.md
+++ b/RE101/dynamic.md
@@ -7,7 +7,7 @@ title: Dynamic Analysis
# Section 6: Dynamic Analysis #
-
+
## LAB 3
Dynamic analysis is a deeper analysis of the program to understand hidden functionality not understood statically. The static analysis will serve as a guide for stepping through the program in a debugger.
@@ -22,7 +22,7 @@ Typically programs start at **004010000** but your debugger might start the prog
Edit->Segements->Rebase Program.
-
+
---
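Review bot: the address in this hunk's header line, "Typically programs start at **004010000**", has nine hex digits, while every other address on the page (and the rebase example "**0190**1000" in the next hunk) uses eight-digit 32-bit addresses; this looks like a stray zero and should be "00401000". The context line "Edit->Segements->Rebase Program." also misspells "Segments".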
@@ -32,30 +32,30 @@ You will need to sync the debugger and disassembler addresses so you can follow
* In IDA, open the functions tab and look for function xxxx1530. Where xxxx should match your rebase address ( If rebase is **0190**1000, then **0190**1530 ).
* In x64dbg, CTRL+G to jump to a specific address xxxx1530.
-
-
+
+
---
### XOR Decode Function
-Remember use the F2(breakpoint), F7(Step Into), F8(Step Over), F9(Run) keys to navigate through the debugger. If you accidentally run past the end the of the program you can always restart by clicking .
+Remember use the F2(breakpoint), F7(Step Into), F8(Step Over), F9(Run) keys to navigate through the debugger. If you accidentally run past the end the of the program you can always restart by clicking .
-
+
In **IDA**, get the offset of the XorDecode function you saved prior.
-
+
In **x64bdg** find that same offset and add a comment that it is the Xor Decode function. Set a breakpoint using **F2** on that function. Then run the program until the breakpoint using **F9**. Step into that function using **F7**.
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn5.gif)
+[](https://securedorg.github.io/RE101/images/dyn5.gif)
Navigate down to the loop that does the Xor Encoding. Place a breakpoint on the same instructions shown below. Right click on the EBX register and select Follow in Dump. This location is where the decoded string will be stored. After you set your break points, press **F9** to get to the start of the loop, then step through the loops until you see the decoded string in the dump.
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn9.png)
+[](https://securedorg.github.io/RE101/images/dyn9.png)
---
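Review bot: the two rewritten image links in this hunk (dyn5.gif and dyn9.png) still hard-code the absolute host `https://securedorg.github.io/RE101/images/...`; a site-relative path (`images/dyn5.gif`, or the site's baseurl variable as a prefix) would avoid another mass edit the next time the project path moves. The unchanged context lines carry several typos worth fixing in the same pass: "Remember use the F2" (missing "to"), "the end the of the program", the dangling "restart by clicking ." and "x64bdg" for x64dbg.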
@@ -64,12 +64,12 @@ Navigate down to the loop that does the Xor Encoding. Place a breakpoint on the
We want to manipulate the control flow instructions so that we can get to the network connection API call. We know that the program will first **copy** and then **delete** itself after it checks if the file doesn't exists using GetFileAttributes API. Continue to step to the **jne** (jump if not equal) instruction. By double clicking the **ZF flag** we can manipulate the result 1 to 0. This means it will make the jump past the Copfile API.
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn10.gif)
+[](https://securedorg.github.io/RE101/images/dyn10.gif)
Once you get past the delete API, there is that weird string you saw during static analysis. Step over (**F8**) the XorDecode function and notice the EAX register. It is the URL that was in the internet traffic from the triage analysis.
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn11.png)
+[](https://securedorg.github.io/RE101/images/dyn11.png)
---
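Review bot: the context line "make the jump past the Copfile API" should read "CopyFile", the API the same sentence introduces as **copy**, and "if the file doesn't exists" should be "doesn't exist". The flag explanation itself is consistent: `jne` is taken when ZF is 0, so toggling ZF from 1 to 0 takes the jump as described.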
@@ -78,7 +78,7 @@ Once you get past the delete API, there is that weird string you saw during stat
The VM was not connected to the internet but instead InetSim. What will happen when you manipulate the control flow to get past the internet connection failure? Go ahead and step past the internet connection and manipulate the control flow flag ZF to do so.
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn12.gif)
+[](https://securedorg.github.io/RE101/images/dyn12.gif)
It must have been a very funny joke. **l** **m** **a** **o**
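Review bot: "The VM was not connected to the internet but instead InetSim" is missing a preposition and should read "but to InetSim"; it would also help to say once that InetSim is answering the connection, since the next sentence talks about "the internet connection failure".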
@@ -89,7 +89,7 @@ It must have been a very funny joke. **l** **m** **a** **o**
It seems that the malware was waiting for the word **lmao** to display a message. Navigate to the Messagebox api. Set a breakpoint on and after the function call, this will ensure that it will prevent you from skipping any hidden functionality. Go ahead and press **F9** to run the MessageBox function.
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn13.gif)
+[](https://securedorg.github.io/RE101/images/dyn13.gif)
---
@@ -98,7 +98,7 @@ It seems that the malware was waiting for the word **lmao** to display a message
The CFF explorer from the triage analysis revealed that there was a resource called **BIN**. Step through the program to get the location of the loaded resource after **LockResource**. Remember function return the output in register **EAX**. Notice `mov edi,eax` is where the output is stored in **EDI**.
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn14.png)
+[](https://securedorg.github.io/RE101/images/dyn14.png)
---
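Review bot: "Remember function return the output in register **EAX**" in the context line should be "Remember that functions return their output in **EAX**"; "LockResource" is also the only place the resource handle chain is named, so a short clause stating that `mov edi,eax` preserves the pointer across later calls would make the EDI reference in the next hunk easier to follow.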
@@ -119,12 +119,12 @@ BOOL WINAPI CryptStringToBinary(
```
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn15.png)
+[](https://securedorg.github.io/RE101/images/dyn15.png)
We know that Arg 1 is register **EDI** which is the resource we just loaded into memory and Arg 3 is 1. The CryptStringToBinary dwflag `0x00000001` means `CRYPT_STRING_BASE64`. Dump the address of EDI into one of the dump windows. This data definitely looks like base64 encoded strings. Step over these functions until past the second CryptStringToBinary call. The result will be placed in register **ESI**. Dump the address in the ESI register. Notice anything weird about the first 3 characters?
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn16.png)
+[](https://securedorg.github.io/RE101/images/dyn16.png)
---
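Review bot: "dwflag" in the context line should be `dwFlags`, the parameter name in the `CryptStringToBinary` prototype that the first line of this hunk (the closing ```) terminates; keeping the name identical to the prototype makes the "Arg 3 is 1" mapping unambiguous.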
@@ -133,7 +133,7 @@ We know that Arg 1 is register **EDI** which is the resource we just loaded into
Step over the create and write file functions to save the decrypted resource to the file system. Note that this file is saved as **icon.gif**. Next step until the start of the arguments for the ShellExecute call. It looks as if it's using the environment to open the newly created file. The program will finally be done. Open the image and record what you see.
*Click to Enlarge*
-[](https://securedorg.github.io/images/dyn17.gif)
+[](https://securedorg.github.io/RE101/images/dyn17.gif)
---
diff --git a/RE101/dynamic2.md b/RE101/dynamic2.md
index 4cf93a5..100002f 100644
--- a/RE101/dynamic2.md
+++ b/RE101/dynamic2.md
@@ -10,7 +10,7 @@ title: Dynamic Analysis
Congrats, you made it through the workshop. All of your notes and debugging should have gotten you to come up with a similar control flow like the diagram and report below.
*Click to Enlarge*
-[](https://securedorg.github.io/images/Diagram.png)
+[](https://securedorg.github.io/RE101/images/Diagram.png)
## Simple Report
diff --git a/RE101/fundamentals.md b/RE101/fundamentals.md
index 3e6f92f..5abcaf6 100644
--- a/RE101/fundamentals.md
+++ b/RE101/fundamentals.md
@@ -17,7 +17,7 @@ For windows and osx, follow the instructions in the install binary.
| Windows | Mac OSX | Linux |
| --- | --- | --- |
-| [](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-Win.exe) | [](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-OSX.dmg) | [](https://www.virtualbox.org/wiki/Linux_Downloads) |
+| [](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-Win.exe) | [](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-OSX.dmg) | [](https://www.virtualbox.org/wiki/Linux_Downloads) |
### Download Victim and Sniffer VMs ###
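Review bot: the two VirtualBox installer links in this row (`VirtualBox-5.1.14-112924-Win.exe` and `-OSX.dmg`) are plain `http://` downloads of executable installers; switch them to `https://download.virtualbox.org/...` so the binaries cannot be altered in transit, and consider linking the published checksums for the release next to them. Note also that the removed and added rows are identical character for character in this diff, so the intended change to the row is not apparent from the text.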
@@ -70,11 +70,11 @@ Please use the utility [7zip](http://www.7-zip.org/download.html). Unzip the fil
* Open terminal and run: `ps -ef | grep inetsim`
* If no output, run: `/etc/init.d/inetsim start`
* Run the ps command again to confirm it's running.
- * Expected output: 
+ * Expected output: 
7. Victim VM: test connection to Sniffer VM
* In the search bar, type `cmd.exe` to open terminal
* Run command: `ping 192.168.0.1`
- * Expected output: 
+ * Expected output: 
8. Sniffer VM: Devices->Shared Folders->Shared Folders Settings
* On your Host, create a folder called `sniffershare`
* In virtual box select Add New Shared Folder icon and navigate to the folder you just created (sniffershare)
diff --git a/RE101/fundamentals2.md b/RE101/fundamentals2.md
index e5119a1..32e0257 100644
--- a/RE101/fundamentals2.md
+++ b/RE101/fundamentals2.md
@@ -11,7 +11,7 @@ title: Fundamentals
Typical windows programs are in the Portable Executable (PE) Format. It’s portable because it contains information, resources, and references to dynamic-linked libraries (DLL) that allows windows to load and execute the machine code.
-
+
---
@@ -28,7 +28,7 @@ In this workshop we will be focusing on user-mode applications.
[1]: https://msdn.microsoft.com/en-us/windows/hardware/drivers/gettingstarted/user-mode-and-kernel-mode?f=255&MSPPError=-2147217396
This diagram shows the relationship of application components for user-mode and kernel-mode.
-
+
---
@@ -43,12 +43,12 @@ The executable code has designated regions that require a different memory prote
This diagram shows how this header is broken up.
*Click to Enlarge*
-[](https://securedorg.github.io/images/PE32.png)
+[](https://securedorg.github.io/RE101/images/PE32.png)
Here is a hexcode dump of a PE header we will be working with.
*Click to Enlarge*
-[](https://securedorg.github.io/images/PEHeader.gif)
+[](https://securedorg.github.io/RE101/images/PEHeader.gif)
---
@@ -67,7 +67,7 @@ Here is a hexcode dump of a PE header we will be working with.
[5]: https://en.wikipedia.org/wiki/Process_Environment_Block
This diagram illustrates how the PE is placed into memory.
-
+
---
@@ -77,6 +77,6 @@ This diagram illustrates how the PE is placed into memory.
- **EBP** - Base Pointer is the register that used to store the references in the stack frame
This diagram represents a typical stack frame.
-
+
[Environment Setup <- Back](https://securedorg.github.io/RE101/section1) | [Next -> x86 Assembly](https://securedorg.github.io/RE101/section1.3)
diff --git a/RE101/fundamentals3.md b/RE101/fundamentals3.md
index ddd12ca..12afb8f 100644
--- a/RE101/fundamentals3.md
+++ b/RE101/fundamentals3.md
@@ -47,16 +47,16 @@ Example below is moving value at 0xaaaaaaaa into ecx.
| --- | --- |
| `mov ecx,[0xaaaaaaaa];` | `8B 0D AA AA AA AA` |
-Use the search page below or open the [Search Instructions](https://securedorg.github.io/x86.html) page to search for functions discussed above
+Use the search page below or open the [Search Instructions](https://securedorg.github.io/RE101/x86.html) page to search for functions discussed above
-
+
---
## Registers ###
The image below is what registers will look like in a debugger.
-
+
#### General-Purpose Registers [[1]][1]
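Review bot: the context line "## Registers ###" has mismatched closing hashes (two opening, three closing); Markdown tolerates this, but the file's other headings close with the same count they open with, so make this one "## Registers ##". The rewritten Search Instructions link also hard-codes the absolute host; a relative `x86.html` would follow the project path automatically. Finally, "search for functions discussed above" should say "instructions", since the x86 page indexes `Instruction` elements.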
@@ -114,19 +114,19 @@ The **EIP** register contains the address of the next instruction to be executed
## Hello World ##
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/helloworld.gif)
+[](https://securedorg.github.io/RE101/images/helloworld.gif)
## Calling a Function ##
### Arguments on the Stack ###
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/FunctionCall.gif)
+[](https://securedorg.github.io/RE101/images/FunctionCall.gif)
### Local Variables on the Stack ###
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/FunctionCall2.gif)
+[](https://securedorg.github.io/RE101/images/FunctionCall2.gif)
[1]: https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture
diff --git a/RE101/idacheatsheet.html b/RE101/idacheatsheet.html
index eea3900..dfad7c3 100644
--- a/RE101/idacheatsheet.html
+++ b/RE101/idacheatsheet.html
@@ -14,86 +14,86 @@
Navigation
| Jump to operand | Enter |
-| Jump in new window | + |
+| Jump in new window | + |
| Jump to previous position | Esc |
-| Jump to Next position | + |
+| Jump to Next position | + |
| Jump to address | G |
-| Jump by name | +L |
-| Jump to function | +P |
-| Jump to segment | +S |
-| Jump to segment register | +G |
-| Jump to problem | +Q |
-| Jump to cross reference | +X |
+| Jump by name | +L |
+| Jump to function | +P |
+| Jump to segment | +S |
+| Jump to segment register | +G |
+| Jump to problem | +Q |
+| Jump to cross reference | +X |
| Jump to xref to operand | X |
-| Jump to entry point | +E |
-| Mark Position | +M |
+| Jump to entry point | +E |
+| Mark Position | +M |
Search
-| Next code | +C |
-| Next data | +D |
-| Next explored | +A |
-| Next unexplored | +U |
-| Immediate value | +I |
-| Next immediate value | +I |
-| Text | +T |
-| Next text | +T |
-| Sequence of bytes | +B |
-| Next sequence of bytes | +B |
-| Not function | +U |
+| Next code | +C |
+| Next data | +D |
+| Next explored | +A |
+| Next unexplored | +U |
+| Immediate value | +I |
+| Next immediate value | +I |
+| Text | +T |
+| Next text | +T |
+| Sequence of bytes | +B |
+| Next sequence of bytes | +B |
+| Not function | +U |
Graphing
| Flow chart | F12 |
-| Function calls | +F12 |
+| Function calls | +F12 |
Comments
-| Enter comment | +; |
+| Enter comment | +; |
| Enter repeatable comment | ; |
| Enter anterior lines | Ins |
-| Enter posterior lines | +Ins |
-| Insert predefined comment | +F1 |
+| Enter posterior lines | +Ins |
+| Insert predefined comment | +F1 |
Data Format Options
-| ASCII strings style | +A |
-| Setup data types | +D |
+| ASCII strings style | +A |
+| Setup data types | +D |
Open Subviews
-| Names | +F4 |
-| Functions | +F3 |
-| Strings | +F12 |
-| Segments | +F7 |
-| Segment registers | +F8 |
-| Signatures | +F5 |
-| Type libraries | +F11 |
-| Structures | +F9 |
-| Enumerations | +F10 |
+| Names | +F4 |
+| Functions | +F3 |
+| Strings | +F12 |
+| Segments | +F7 |
+| Segment registers | +F8 |
+| Signatures | +F5 |
+| Type libraries | +F11 |
+| Structures | +F9 |
+| Enumerations | +F10 |
File Operations
-| Parse C header file | +F9 |
-| Create ASM file | +F10 |
-| Save database | +W |
+| Parse C header file | +F9 |
+| Create ASM file | +F10 |
+| Save database | +W |
Debugger
| Star process | F9 |
-| Terminate process | +F2 |
+| Terminate process | +F2 |
| Step into | F7 |
| Step over | F8 |
-| Run until return | +F7 |
+| Run until return | +F7 |
| Run to cursor | F4 |
| Breakpoints |
-| Breakpoint list | + +B |
+| Breakpoint list | + +B |
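Review bot: the modifier keys in these rows render as a bare "+" in this view (for example "| Jump by name | +L |"), so the before and after shortcuts cannot be compared here; please confirm in the raw HTML that the rewritten key names are the intended ones, because rows such as "Next unexplored | +U" and "Not function | +U" now show identical text. "Star process" in the Debugger block should be "Start process".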
@@ -103,29 +103,29 @@
Tracing
-| Stack trace | + +S |
+| Stack trace | + +S |
Miscellaneous
-| Calculator | +/ |
-| Cycle through open views | +Tab |
-| Select tab | + [1…N] |
-| Close current view | +F4 |
-| Exit | +X |
-| IDC Command | +F2 |
+| Calculator | +/ |
+| Cycle through open views | +Tab |
+| Select tab | + [1…N] |
+| Close current view | +F4 |
+| Exit | +X |
+| IDC Command | +F2 |
Edit (Data Types – etc)
-| Copy | +Ins |
-| Begin selection | +L |
-| Manual instruction | +F2 |
+| Copy | +Ins |
+| Begin selection | +L |
+| Manual instruction | +F2 |
| Code | C |
| Data | D |
-| Struct variable | +Q |
+| Struct variable | +Q |
| ASCII string | A |
| Array | Num * |
| Undefine | U |
@@ -136,11 +136,11 @@
Operand Type
| Offset (data segment) | O |
-| Offset (current segment) | +O |
-| Offset by (any segment) | +R |
-| Offset (user-defined) | +R |
+| Offset (current segment) | +O |
+| Offset by (any segment) | +R |
+| Offset (user-defined) | +R |
| Offset (struct) | T |
-| Number (default) | +3 |
+| Number (default) | +3 |
| Hexadecimal | Q |
| Decimal | H |
| Binary | B |
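Review bot: "Offset by (any segment)" and "Offset (user-defined)" show the same shortcut text "+R" in this hunk; confirm that their modifier keys actually differ in the source. "Offset by (any segment)" also reads oddly next to the other three "Offset (...)" rows and may be a typo.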
@@ -148,32 +148,32 @@
| Segment | S |
| Enum member | M |
| Stack variable | K |
-| Change sign | +- |
-| Bitwise negate | +` |
-| Manual | +F1 |
+| Change sign | +- |
+| Bitwise negate | +` |
+| Manual | +F1 |
Segments
-| Edit segment | +S |
- | Change segment register value | +G |
+| Edit segment | +S |
+ | Change segment register value | +G |
Structs
-| Struct var | +Q |
- | Force zero offset field | +Z |
-| Select union member | +Y |
+| Struct var | +Q |
+ | Force zero offset field | +Z |
+| Select union member | +Y |
Functions
| Create function | P |
-| Edit function | +P |
+| Edit function | +P |
| Set function end | E |
-| Stack variables | +K |
-| Change stack pointer | +K |
+| Stack variables | +K |
+| Change stack pointer | +K |
| Rename register | V |
| Set function type | Y |
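Review bot: the rows "| Change segment register value |" and "| Force zero offset field |" are indented by a leading space on both the removed and added lines, unlike every other row in the table; strip the space so the rows align and the table renders consistently.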
diff --git a/RE101/intro.md b/RE101/intro.md
index d58f7f6..8272bf2 100644
--- a/RE101/intro.md
+++ b/RE101/intro.md
@@ -7,7 +7,7 @@ title: Intro
# Introduction #
-
+
# Reverse Engineering #
@@ -27,7 +27,7 @@ title: Intro
* Constantly learn new things
-
+
## Game Plan ##
diff --git a/RE101/malware.md b/RE101/malware.md
index beb648f..92a0c1c 100644
--- a/RE101/malware.md
+++ b/RE101/malware.md
@@ -11,7 +11,7 @@ title: Malware Techniques
| Perimeter Recon | Infiltrate | Internal Recon | Entrench | Exfiltrate | Purge |
| ------------ |:------------:|:------------:|:------------:|:------------:|:------------:|
-|  |  |  |  |  |  |
+|  |  |  |  |  |  |
## Malware Classes
diff --git a/RE101/malware2.md b/RE101/malware2.md
index 0246c00..65d190e 100644
--- a/RE101/malware2.md
+++ b/RE101/malware2.md
@@ -68,7 +68,7 @@ The malware classes may exhibit one or more of the following techniques. [Mitre
* Control-Flow Flattening
* String Encryption
-
+
### Example Malware
@@ -86,11 +86,11 @@ The malware classes may exhibit one or more of the following techniques. [Mitre
* Once malware gains access to a system, it often looks to be there for a long time.
* If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware.
-
+
Example: Dll Search Order Hijacking
-
+
### Example Malware
@@ -154,7 +154,7 @@ Example: Dll Search Order Hijacking
Example: Mimikatz
Credential theft
-
+
### Example Malware
diff --git a/RE101/retools.md b/RE101/retools.md
index ceab61e..f6654ff 100644
--- a/RE101/retools.md
+++ b/RE101/retools.md
@@ -69,7 +69,7 @@ title: RE Tools
### Disassembler: IdaFree
-
+
* **Visual Modes**
* **Graph Mode** - control flow diagram
@@ -88,7 +88,7 @@ title: RE Tools
### Debugger: x64dbg
-
+
**Common Commands**
@@ -103,7 +103,7 @@ title: RE Tools
### Keyboard Layout for IdaFree and x64dbg
-
+
---
@@ -113,7 +113,7 @@ title: RE Tools
* Explores Resources
* Unpacks UPX
-
+
## Information Gathering: Sysinternals Suite
@@ -121,7 +121,7 @@ title: RE Tools
* **ProcMon** - Monitor processes/thread, files system, network, and registry activity on the system
* **ProcExp** - Monitor processes running on the system
-
+
[Section 2.1 <- Back](https://securedorg.github.io/RE101/section2.1) | [Next -> Section 4](https://securedorg.github.io/RE101/section4)
diff --git a/RE101/static.md b/RE101/static.md
index 325681a..8a5477e 100644
--- a/RE101/static.md
+++ b/RE101/static.md
@@ -7,7 +7,7 @@ title: Static Analysis
# Section 5: Static Analysis #
-
+
Static analysis is like reading a map for directions on where to go. As you follow through this map you capture notes on what things might look interesting when you actually begin your journey.
@@ -20,17 +20,17 @@ This section will teach you how to jump into code in static disassembly then ren
### Possible Packer?
Notice in CFF explorer that there is UPX in the header.
-
+
When you open the executable in IDA, you will notice large section of non-disassembled code.
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/triage4.png)
+[](https://securedorg.github.io/RE101/images/triage4.png)
Because UPX is a common packer, there are many tools that offer unpacking for UPX. Open the executable in PE Explorer which will unpack the binary automatically. Save the file with a name to identify it as unpacked.
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/triage5.png)
+[](https://securedorg.github.io/RE101/images/triage5.png)
---
@@ -52,14 +52,14 @@ Navigate to the **Strings** window.
Here is an interesting string that we should start with:
-
+
This string is a typical registry key path to allow programs to autorun/startup on reboot. This is considered a [persistence](https://securedorg.github.io/RE101/section2.1/#persistence) mechanism. Double Click the string.
Using the **X** key we can jump to the reference of that string in the assembly code.
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/static2.gif)
+[](https://securedorg.github.io/RE101/images/static2.gif)
This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396).
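Review bot: "Window API" in the last context line should be "Windows API", and "Notice in that function is setting a registry key" reads better as "Notice that this function sets a registry key". The MSDN link could also drop the `?f=255&MSPPError=...` tracking query, which is not needed to reach the RegOpenKeyEx page.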
@@ -103,24 +103,24 @@ Right before the first **push 0** there is a **mov esi,eax** which means esi = e
When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), while the second argument might be the string length. Press Enter to jump to the function.
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/static3.png)
+[](https://securedorg.github.io/RE101/images/static3.png)
Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed in assembly. In this case, it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/).
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/static4.png)
+[](https://securedorg.github.io/RE101/images/static4.png)
We can assume that this function is doing some kind of Xor encoding. So let's rename this function as XorDecode. We will need this information later when we debug in Section 6.
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/static5.png)
+[](https://securedorg.github.io/RE101/images/static5.png)
Let's use the tool **XORSearch** to see if we can find some interesting xor decoded strings. Open the terminal **cmd.exe** from the start bar, and navigate to the XORSearch.exe
```XORSearch.exe "A string to test"```
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/static6.png)
+[](https://securedorg.github.io/RE101/images/static6.png)
**"Yo this is dope!"** How weird.
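Review bot: the single-line ```` ```XORSearch.exe "A string to test"``` ```` is a triple-backtick span, which Markdown renders as inline code rather than a fenced block; either use single backticks for an inline command or put the opening and closing fences on their own lines. The sentence before it should also end with a period ("navigate to the XORSearch.exe").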
@@ -131,14 +131,14 @@ Let's use the tool **XORSearch** to see if we can find some interesting xor deco
Let's navigate to the start of the program using the **X** key. Use the spacebar to toggle between graph view and text view.
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/static7.gif)
+[](https://securedorg.github.io/RE101/images/static7.gif)
It's easy to trace back through the program disassembly, but let's look at some control flow assembly instructions. Remember **jmp, jne, jnz, jnb** are control flow functions.
**Jump Examples**
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/static9.gif)
+[](https://securedorg.github.io/RE101/images/static9.gif)
```assembly
jz loc_401962 ; jump to offset loc_401962 if the previous condition is zero
@@ -151,7 +151,7 @@ jle short loc_401634 ; jump to relative offset 401634 if the previous condition
Next scroll down through and find the order of API function calls in the program. You should make note of all the function offsets.
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/static8.gif)
+[](https://securedorg.github.io/RE101/images/static8.gif)
Some of the more interesting API Calls from the image above. Look up what each function does, many are self explanatory.
@@ -171,6 +171,6 @@ Some of the more interesting API Calls from the image above. Look up what each f
Now you know how to navigate the disassembly forward and backwards to get to interesting routines. The next step is making a rough path to follow for deeper analysis in Section 6.
-
+
[Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)
diff --git a/RE101/triage.md b/RE101/triage.md
index 7843b6d..5a5f0dc 100644
--- a/RE101/triage.md
+++ b/RE101/triage.md
@@ -7,7 +7,7 @@ title: Triage Analysis
# Section 4: Triage Analysis #
-
+
Depending on your workload, you want to spend the least amount of time trying to determine what the malware is doing and how to get rid of it. Many malware analysts use their own triage analysis, similar to that in the Emergency Room at the hospital.
@@ -82,7 +82,7 @@ Questions to ask:
You will want to capture this information throughout your investigation either through notes or report documents.
-You can use the **Malware Analysis Report** template [HERE](https://securedorg.github.io/ReportForm.html)
+You can use the **Malware Analysis Report** template [HERE](https://securedorg.github.io/RE101/ReportForm.html)
---
@@ -92,30 +92,30 @@ You can use the **Malware Analysis Report** template [HERE](https://securedorg.g
2. Copy over the unknown file
3. Check the file header by opening the file in the hex editor **HxD**
* Notice the first 2 bytes are **MZ** meaning it's a PE Binary
-
+
4. Add the file extension **.exe** to the **Unknown** file so that it reads as **Unknown.exe**. Now right click the file and select **CFF explorer** to check the PE header
* Note the imports it's using
-
+
5. Calculate the hash using **quickhash**, go to virustotal.com and search the hash
6. Open the file in **BinText** and record any interesting strings
7. Quick Detonation
The point of the quick detonation is to capture the filesystem, registry, and connection activity. The VMs are set up in such a way that the Victim VM's internet traffic is captured by the Sniffer VM.
-
+
On the **Sniffer VM** open the terminal and run `sudo wireshark` to get Wireshark sniffing the traffic from the Victim VM. Be sure InetSim is still running, see the fundamentals Section 1 on how to start up InetSim.
On the **Victim VM** open the SysInternals **procmon.exe** and **procexp.exe** so that we can monitor filesystem and process events.
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/triageVMs2.gif)
+[](https://securedorg.github.io/RE101/images/triageVMs2.gif)
Go ahead and detonate the the malware.
On the **Sniffer VM** look for an **HTTP** request. Right click and **Follow->TCP Stream**. I will display the HTTP get request that was sent by the malware.
*Click Image to Enlarge*
-[](https://securedorg.github.io/images/triageVMs3.gif)
+[](https://securedorg.github.io/RE101/images/triageVMs3.gif)
[Section 3 <- Back](https://securedorg.github.io/RE101/section3) | [Next -> Section 5](https://securedorg.github.io/RE101/section5)
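Review bot: `sudo wireshark` in the context line runs the entire GUI and its dissectors as root; the safer setup is to give only dumpcap capture rights (on Debian-based systems, `dpkg-reconfigure wireshark-common` and adding the user to the `wireshark` group) and then start Wireshark unprivileged. Typos in the same hunk: "detonate the the malware" and "I will display the HTTP get request" (should be "It will display").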
diff --git a/RE101/x86.html b/RE101/x86.html
index e9b59bf..97936ce 100644
--- a/RE101/x86.html
+++ b/RE101/x86.html
@@ -25,7 +25,7 @@ function loadXMLDoc(dname)
}
function searchXML()
{
- xmlDoc=loadXMLDoc("https://securedorg.github.io/x86.xml");
+ xmlDoc=loadXMLDoc("https://securedorg.github.io/RE101/x86.xml");
x=xmlDoc.getElementsByTagName("Instruction");
input = document.getElementById("input").value;
size = input.length;
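Review bot: `xmlDoc`, `x`, `input` and `size` are assigned without `var`, `let` or `const`, so `searchXML()` creates implicit globals; declare them locally while touching this line. The fetched URL is also absolute even though `x86.xml` is served from the same site; a relative `x86.xml` avoids hard-coding the host and keeps the request same-origin however the page is reached.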