Essential tools and basic procedures for virus analysis

 

If you are about to graduate, you should set a clear direction for yourself. You are still interested in the knowledge of Virus analysis. I have collected some materials to share with you.

 

The following are slightly changed from turtles:

 

Let's talk about the hardware:

If conditions permit, two lines provided by different network operators and two or more computers can be configured.

Although you can use a virtual machine, some malicious code may have a virtual machine detection mechanism, so you can use a real machine as much as possible.

 

Required tools:

Windows XP)

IDA Pro (although there are other disassembly tools available on the market, one is because IDA is powerful, and the other is because it is essential for the anti-virus industry. If any brother wants to use other tools, BS should never be reminded during the interview. In addition, The Decompilation plug-in of Hex-rays is indeed very powerful, but it is too expensive and free to buy it, but there is a cracked version. On the other hand, it is not worse to develop the plug-in after developing a good habit of doing it yourself)

OllyDbg (same as above, essential for the industry. But to be honest, I rarely use it, not to say it is not good, but the IDA comments are too important. Static IDA debugging is never required, even if debugging is required, you can use the built-in debugger of IDA to solve the problem directly, but you cannot change the OD)

WinDbg (same as above, essential in the industry, debugging driver tool, most drivers directly use IDA static is enough. I usually use it to debug the kernel)

Wireshark (an essential tool for packet capture. Like the former, it is rarely used by individuals. It does not mean that it is not good. It is just that during analysis, I rarely let malicious code run completely. If necessary or statically reversed, or capture it from the debugger)

 

There are also some small software that I like, but not necessary.

010 Editor, DeDe, Ghost, Hiew, LordPE, WinHex, c32, etc.

 

In addition, some small monitoring software is also needed. In fact, there are a lot of free or shared software, but in order to reduce the risk of being fooled by malicious code, I personally think that I can write it myself, even if you cannot write, try to select an unknown one.

Mainly include: system change monitoring, API monitoring, Rootkit monitoring

 

Other backup software for testing:

Various servers (HTTP, SMTP, FTP, IRC, etc)

Common IM (QQ, MSN, YAHOO, etc)

Microsoft Office (installation files of various versions)

Adobe Acrobat Reader (installation files of various versions)

Adobe Flash Player (installation files of various versions)

 

Finally, let's take a look at the basic analysis process of malicious code samples (excluding signature extraction ):

1. Restore the system image (avoid being misled by other information in an infected environment)

2. Quickly check for any suspicious string

3. Quickly check whether the code entry address is infected

4. Run, monitor and record system changes to determine whether the code is malicious

5. If necessary, use IDA Static Analysis

6. If necessary, write some auxiliary scripts or code to assist in analysis.

7. Use the debugger for debugging if necessary.

8. If necessary, perform background checks on relevant domain names, servers, and email addresses.

9. documentation-related content

10. Back up all related files

 

 

Of course, for those who are working on the software program, they usually need to extract signatures (usually before static analysis), or they may need to write repair tools, however, there are different requirements and procedures for different companies in terms of work details, so we will not discuss them here.