aljaz/securedorg.github.io

mirror of https://github.com/aljazceru/securedorg.github.io.git synced 2025-12-19 07:04:20 +01:00

Files

SECURED.ORG 681a795996 Fixing procmon and procexp

2017-06-30 15:26:37 -07:00

3.8 KiB

Raw Blame History

layout, permalink, title

layout	permalink	title
default	/RE101/section3/	RE Tools

Go Back to Reverse Engineering Malware 101

Section 3: Reverse Engineering (RE) Tools

Disassemblers

Ida
- Free (Used in this workshop)
- Pro (Most Popular)
Radare
Capstone

Debuggers

x64dbg (Used in this workshop)
Immunity
OllyDbg (Most Popular)
WinDbg

Decompilers

Snowman (Integrated with x64dbg)
dotPeek .NET decompiler

Information Gathering

CFF Explorer - PE header parser (Used in this workshop)
PE Explorer - PE inspection tool (Used in this workshop)
BinText - Extract string from a binary
Sysinternals Suite (Used in this workshop)
- procmon
- procexplorer
InetSim: Internet Services Simulation Suite (Used in this workshop)
Yara: pattern matching rule engine
Wireshark - network sniffing (Used in this workshop)
API Monitor

Helpful Websites

virustotal.com - free service that analyzes suspicious files and URLs
malwr.com - Malwr is a free malware analysis service
hyrbid-analysis - free malware analysis service
whois.domaintools.com - look up domains
robtex.com - free DNS lookup tool
www.debuggex.com - Online Visual Regex Tester

Support

HxD Hex Editor (Used in this workshop)
Python - used for automating tasks

Tools Used in the Workshop

Disassembler: IdaFree

Visual Modes
- Graph Mode - control flow diagram
- Text Mode - default view of disassembled code
Command Cheatsheet
- Please refer to this Ida cheatsheet
Common Commands

Action	Command
Jump to xref to operand	X
Jump to address	G
Enter comment	Shift+;

Debugger: x64dbg

Common Commands

Action	Command
Enter comment	;
BreakPoint	F2
Step into	F7
Step over	F8
Run	F9
Edit Instruction	Space

Keyboard Layout for IdaFree and x64dbg

Information Gathering: CFF Explorer

Parses the PE headers
Explores Resources
Unpacks UPX

Information Gathering: Sysinternals Suite

advanced system utilities
ProcMon - Monitor processes/thread, files system, network, and registry activity on the system
ProcExp - Monitor processes running on the system

Section 2.1 <- Back | Next -> Section 4