Reverse Engineering Malware
Assuming that you have managed to obtain an unpacked malware sample via some
unpacking mechanism, where do you go next? Chapter 20 covered some of the techniques
for performing black-box analysis on malware samples. Is it any easier to analyze
malware when it is fully exposed in IDA? Unfortunately, no. Static analysis is a very
tedious process and there is no magic recipe for making it easy. A solid understanding of
typical malware behaviors can help speed the process.
Malware Setup Phase
The first actions that most malware takes generally center on survival. The persistence phase typically involves file creation, registry editing, and service installation, so the useful details to uncover at this stage are the names of any files or services that are created and any registry keys that are manipulated.
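As an added example (not code from the book), the following Python triage helper pulls the ASCII and UTF-16LE strings out of an unpacked sample and groups the persistence-related API names, autostart registry paths, and file paths it finds, which is the information this section says to look for. The API list and registry paths are assumptions about typical Windows persistence, and the sample bytes are constructed, not taken from a real binary.

```python
# Added example: triage an unpacked sample for persistence-phase indicators
# (file creation, registry editing, service installation). The API names,
# registry paths, and the SAMPLE bytes below are constructed for illustration.
import re

# Imports associated with each persistence action the text describes.
PERSISTENCE_APIS = {
    "file creation": {"CreateFileA", "CreateFileW", "CopyFileA", "CopyFileW"},
    "registry editing": {"RegCreateKeyExA", "RegCreateKeyExW",
                         "RegSetValueExA", "RegSetValueExW"},
    "service installation": {"CreateServiceA", "CreateServiceW",
                             "StartServiceA", "StartServiceW"},
}
# Registry locations commonly used for autostart (assumed typical Run keys).
RUN_KEY_RE = re.compile(
    r"(SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?"
    r"|SYSTEM\\CurrentControlSet\\Services)[\\\w]*", re.IGNORECASE)

def extract_strings(data: bytes, min_len: int = 6):
    """Return printable ASCII and UTF-16LE strings of at least min_len chars."""
    ascii_strs = [m.group().decode() for m in
                  re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    wide_strs = [m.group().decode("utf-16le") for m in wide]
    return ascii_strs + wide_strs

def triage_persistence(data: bytes) -> dict:
    """Map each persistence category to the API names and strings found."""
    strings = extract_strings(data)
    found = {cat: sorted(s for s in strings if s in apis)
             for cat, apis in PERSISTENCE_APIS.items()}
    found["registry keys"] = sorted({m.group() for s in strings
                                     for m in RUN_KEY_RE.finditer(s)})
    # Drive-letter paths and %ENV%-relative paths hint at dropped files.
    found["paths"] = sorted({s for s in strings
                             if re.match(r"^[A-Za-z]:\\|^%\w+%\\", s)})
    return found

# Constructed sample: import names and strings as they might appear once a
# dropper is unpacked (ASCII strings, then one UTF-16LE string).
SAMPLE = (b"\x00CreateFileA\x00RegSetValueExA\x00CreateServiceA\x00"
          b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          b"C:\\Windows\\System32\\svchost32.exe\x00\x00"
          + "%APPDATA%\\updater.exe".encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    for category, hits in triage_persistence(SAMPLE).items():
        print(f"{category}: {hits}")
```

The hits only tell you which APIs and strings are present; confirming that the malware actually uses them for persistence still requires following the cross-references to those imports in IDA.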