Malicious code Analysis--Basic technology of dynamic and static analysis

First, static analysis of the basic technology


2, by retrieving the malicious code string to obtain the corresponding function call interpretation, functional behavior and module invocation. When the retrievable string is very young, it is possible to shell, (note "LoadLibrary" and "GetProcAddress" two strings, which are used to load or invoke other function functions), at this time need to use the shell detection tool for detection, shelling processing "string retrieval: Strings Shell detection: Peid "

3, the PE file header contains code information, malicious generation of application types, required library functions and space requirements, very useful. You can retrieve its dynamic-link library (function) from a tool, and then find its functionality in the MSDN document library. "Dynamic Link (library) function search: Dependency Walker, Peview, Pebrowse Professional, PE Explorer"

4. View the resource section of the suspect code to obtain a subset of the visible features, such as "Resource Hacker (can extract embedded files)" From the Standard, menu interface, code version, etc.


Second, dynamic analysis of basic technology

1. Configure "sandbox" environment to simulate real execution results "Norman Sandbox, GFI Sandbox, Joe Sandbox, Threatexpert, Bitblaze, Comodo Malicious Code Analysis" (GFI for example)
?? The shortcomings of the sandbox * * *
The sandbox can only automatically run the executable program, to treat the need to provide command line parameters or require specific conditions of the backdoor, will not be started and analyzed, may not be able to produce test results, and may be associated with the operating system, file invocation and other factors, resulting in incomplete or even accurate analysis results.

******************************

2, DLL type file start-up run
The Windows command-line environment is called with the Rundll32.exe program, in the following format:
"Rundll32.exe dllname,export arguments"
*dllname:dll File name *
*export: Function name or ordinal in a DLL file export function table, view "Peview, PE Exporer" by tool

3, to run malicious code, you can use some system monitoring software to capture its system calls, from the captured information can get its registry, file read and write a series of operations, easy to further analysis, "Process Monitor, Process Explorer, Regshot"

4, when necessary, the need to simulate a virtual network response from the computer to respond to malicious code network access, monitoring its network dynamics, so as to understand the network-related features "apate Dns (detection of malicious code domain name access), Netcat (Network monitoring), Wireshark sniffer, Inetsim (Analog Network Service, Linux environment) "

Basic analysis technology is mainly the application of some basic tools, starting from the most fundamental analysis of string and basic behavior, doing the most fundamental behavioral analysis, and then the behavior of the use of advanced analysis techniques to analyze and verify, advanced analysis technology, including dynamic and static analysis of two aspects, will be put forward in a future summary.

Malicious code Analysis--Basic technology of dynamic and static analysis