Basic Techniques

Static Analysis

Antivirus Scanning

  • Running the sample through multiple antivirus engines, which may already have identified the malware, although they are not perfect

  • They rely on identifiable pieces of suspicious code (file signatures) and behavior/pattern-matching analysis (heuristics)

  • VirusTotal is a great help here, as it runs the sample through multiple antivirus engines

Hashing: Fingerprinting Malware

  • Hashing is a common method where you run the malware through a hashing program

  • It uses an algorithm such as MD5 or SHA-1 to produce a unique hash (fingerprint)

  • The hash can then be used as a label, or shared with other analysts to identify the malware or check whether it has already been identified

Finding Strings

  • Running strings is a great method for finding text within the malware

  • Strings are stored in ASCII or Unicode format

  • They are stored as a sequence of characters ending with a NULL terminator, which indicates that the string is complete

  • ASCII uses 1 byte per character while Unicode uses 2 bytes per character

  • Sometimes, if the strings program finds a sequence of characters ending with a NULL terminator, it treats it as a string even though it may just be CPU instructions or a memory address

Packed and Obfuscated Malware

  • Obfuscated malware is malware whose execution is hidden

  • Packed malware is a subset of obfuscated malware in which the program is compressed, making it harder to analyze

  • When a packed program is run, a small wrapper program decompresses the packed program and then executes the unpacked program

  • When a packed program is analyzed statically, only the wrapper program can be dissected

  • Packers can be detected using software such as PEiD

  • A packed program must be unpacked before we can analyze it

Portable Executable File Format

  • The PE format is used by Windows executables, object code and DLLs

  • It contains the information necessary for the Windows OS loader to manage the wrapped executable code

  • PE files begin with a header that includes information about the code, the type of application, required library functions and space requirements

Linked Library and Functions

  • Imports are functions used by a program but stored in another program, such as code libraries that contain common functionality; they are connected by linking

  • Code libraries can be linked statically, at runtime or dynamically

  • Static linking is not used often, although it is common in UNIX programs

  • When code is statically linked, all the code from the library is copied into our main executable, making it grow in size, which makes analyzing the code harder

  • Runtime linking is commonly used in malware, especially when it is obfuscated or packed

  • Some linked functions can be imported without being listed in the program headers, using functions like LoadLibrary, LdrGetProcAddress, LdrLoadDll and GetProcAddress

  • Dynamic linking is the most common method of linking, where the OS searches for all necessary linked libraries when the program is loaded

  • The libraries used and the functions called are very important for us to understand what the program does

  • Functions can also be imported by ordinal, making it harder for us to analyze

  • Below are some common DLLs

  • Ex is a suffix used when the function has been updated by Microsoft

  • An A or W at the end of a function name is extra suffix information that does not appear in the actual documentation; it is just there to tell us that the function accepts an ASCII string or a word respectively

  • Like imports, there are also exports, which are functions exported by a program so that other programs can import and use them; these are most common in DLLs

PE File Headers and Sections

  • .text section contains the instruction code that the CPU will execute

  • .rdata section contains information about imports and exports, and stores read-only data

  • .data contains global data accessible from anywhere in the program

  • .idata stores data about imported functions; usually not present

  • .edata stores data about exported functions; usually not present

  • .pdata is present only in 64-bit applications and stores exception-handling information

  • .rsrc contains other data such as icons, images, menus and strings

  • .reloc contains information about relocation of library files

Some Tips and Trivia

  • All Delphi programs use a compile time of June 19, 1992

  • Virtual size (the space allocated for the section during loading) and raw data size (how big the section is on disk) should be equal (small differences are fine); if they aren't, that means it is a packed program
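As an added example (not from the original notes), the following Python script applies the hashing, PE header and section-size checks from the sections above to a constructed, non-runnable PE image: it builds the sample in memory (the section names and sizes are assumed, modelled on a UPX-packed file), fingerprints it, reads the compile timestamp and section table straight from the headers, and flags sections whose virtual size far exceeds their raw size.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed sample input: a minimal, non-runnable PE layout mimicking a UPX-packed file.
SECTIONS = [(b".text", 0x1000, 0x1000, 0x1000), (b"UPX0", 0x20000, 0x2000, 0),
            (b"UPX1", 0x8000, 0x22000, 0x7E00)]  # (Name, VirtualSize, VirtualAddress, SizeOfRawData)
DELPHI_STAMP = 0x2A425E19  # the fixed Delphi TimeDateStamp: 1992-06-19 22:22:17 UTC

def build_sample_pe(sections=SECTIONS, stamp=DELPHI_STAMP):
    """Assemble just enough MZ/PE structure for the header and section table to parse."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0xE0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs in sections)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + table  # 0xE0 = PE32 optional header

def fingerprint(data):
    """Hashes used to label a sample and share it with other analysts."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def parse_headers(data):
    """Return (compile time, [(name, VirtualSize, SizeOfRawData), ...]) from the PE header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, stamp = struct.unpack_from("<HI", data, pe + 6)  # NumberOfSections, TimeDateStamp
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    first = pe + 24 + opt_size                             # section table follows it
    secs = []
    for i in range(nsec):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, first + 40 * i)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return datetime.fromtimestamp(stamp, timezone.utc), secs

def packed_sections(secs, slack=0x1000):
    """Flag sections much larger in memory than on disk (the unpacking stub fills them at runtime)."""
    return [n for n, vs, rs in secs if vs > rs + slack]

if __name__ == "__main__":
    sample = build_sample_pe()
    print("sha256:", fingerprint(sample)["sha256"])
    when, secs = parse_headers(sample)
    print("compile time:", when, "(Delphi)" if int(when.timestamp()) == DELPHI_STAMP else "")
    for n, vs, rs in secs:
        print(f"{n:8} VirtualSize={vs:#x} SizeOfRawData={rs:#x}")
    print("possibly packed:", packed_sections(secs))
```

The one-page slack avoids flagging a .data section whose uninitialised globals legitimately make its virtual size slightly larger than its raw size; the same functions work on a real file read with open(path, "rb").read().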
