An Introductory Guide Into Malware Analysis

dtm · May 19, 2017, 8:03am

Aye p33ps! Seeing as WannaCry took the world by storm recently, I thought that it’s probably a good time to introduce the world of malware analysis to this forum. In this post, I will write about how you guys can join in on the mayhem and play with some fire (and hopefully not get burnt in the process). Do note that this is my take on this and it may not actually be correct or optimal, it is something taken from my own experience. You can most probably find many other guides on malware analysis on the interwebz but I will put this here because it’s convenient (and some people are lazy to actually do the research themselves), and @oaktree and @pry0cc love it when new content is released here. The focus of this ~~guide~~ general directional pointer is specifically targeted towards the Windows platform.

Disclaimer: Again, I will say that this is purely my view on this and if you have a problem with that, click away now. If there are any errors in this thread, please notify me and I will fix it ASAP.

Prerequisites

For those who are keen to get into this area, it’s probably a good idea to have the following:

Must be able to read a lot of books or other texts
Must have a thirst for knowledge
Must be able to problem solve
Self-motivation
Persistence
Courageousness
Patience

Where to Start?

You may have noticed that I did not list any technical skills under the prerequisite list and that’s because these can be learned. What’s more important in the general field of reverse engineering - and I cannot stress this enough - is developing or having the appropriate mindset and without this, no matter how technically competent you are, at some stage you will most likely never be able to approach a task at hand as effectively. Keep in mind that in this current age, there is nothing that cannot be reverse engineered [citation needed] and there is nothing that can restrain you from doing so - unless, of course, you were doing something illegal and are actually physically inhibited. Mind over matter. If you believe your mind is tamed and has transcended, you may continue.

Technical Skills and General Knowledge

Now that that’s out of the way, we can move onto building up our skillset. This section is mainly for those who are relatively new to this.

1. Reverse Engineering

When I say reverse engineering, I mean in a technical sense involving computing, not the general umbrella term that can apply to everything. For example, reverse engineering binaries will probably be the bulk of what malware analysts will do. A lot of decent malware are built using compiled languages which include C, C++, Pascal (Delphi). The result of these compiled languages are native binaries which contain machine code which is translatable to the assembly language. It is your goal to be able to read this assembly code and understand the functionalities of the binary.

2. Disassembly and Debugging

Yeah, okay, this is a part of how2reverse. What you want to do is use disassembling to actually provide the assembly of the native binary so you can begin translating the code. This is a static method as opposed to debugging where you actually step through and look at what is being executed to see the interaction between the malware and the system. Knowing how to do both of this is absolutely essential because if you don’t, well, you probably can’t understand what’s under the hood and what’s exactly happening.

3. Forensics

Knowing what other mysterious content that malware comes packed with is crucial in understanding what it can achieve. Being able to identify file types and analyse network traffic can help gain a bigger picture or give hints towards specific functionality such as file dropping/downloading or contacting C2s (or checking kill switches).

4. The Environment

As a malware analyst, it’s definitely helpful to know how the underlying system of the platform which is being attacked - yes, you heard me right, you should understand the Windows OS! Knowing the Windows API and how it interacts with the environment (processes, memory, disk, registry, network) makes life very easy and can definitely hint at what suspicious things malware are up to.

5. The PE Format

The Portable Executable (PE) format is the executable format for Windows much like ELF is for Linux. Though this is a combination of Forensics and The Environment, I believe it’s important enough to be in its own section. Knowing how the PE file works and what details it offers can boost your knowledge of what tricks a sample of malware might have up its sleeve and can, at times, win you half the battle just by taking a peek.

6. Malware Functionality

Even better, knowing how malware works makes them easier to analyse! It makes them predictable (by predict, I mean make assumptions and then verify it) and your life much, much more forgiving. “What does this chunk of assembly instructions mean?” Doesn’t matter, found a string that looks like a registry key which ends with the subkeys CurrentVersion\\Run which means it’s most likely setting up persistence. Done. It might even be… * cough cough * …advisable to research the methods employed by malware and then… * nudge nudge * … ethically making your own… * cough * …em55am5lcg==… * wink wink *.

Tools

You know what? I just won’t put them here because to be honest, I can’t spoonfeed y’all everyday. Also, I’m lazy. Better start working on your Google-fu!

General Analysis Techniques

In most, if not all, phases of hacking - or un-hacking(?) in this case - we ~~usually~~ should start out with reconnaissance. Here are some things you might do when performing an analysis.

Strings Analysis

Dig out as many strings as you can because there is a wealth of information just lying there in plain sight. Error messages, suspicious strings like URLs, registry keys, etc., file names, function names, base64-encoded strings, file signatures, EVERYTHING!

Entropy

Have the executable analysed and check if there are sections or resources with any high entropy values. If there are, it’s probably compressed and/or encrypted!

Resources

Find something unusual in the PE file’s resources? Extract it and analyse it!

File Signatures

Found weird data? Just throw it into a hex editor! Find a signature!

DLL Imports / Exports

Check out what functions it uses! Maybe it’s trying to contact a server? or even logging your keystrokes? Maybe it’s a DLL and is providing functions for the main executable to use?

Packed Malware / Data

Let it execute under a debugger! Try to find its unpacking routine and where it ends, then breakpoint it there. Pull the damned thing straight out of memory! Show them who’s boss!

Disassembly

Pretty obvious one here, throw it in a disassembler and literally read what it does! From previous methods, back trace the instructions and figure out what it’s doing or how it’s doing something.

Dynamic Analysis

Grab a hot beverage, detonate it (in a securely isolated environment), sit back and watch what it does! Record registry or file changes, networking activity, everything.

Resources

As a reverse engineer, it’s ideal if you learn everything you lay your eyes on because you’ll never know if you’ll come across it some day.

0x00sec

Books / PDFs

Message me privately for direct links.

Hacking: The Art of Exploitation by Jon Erickson (HIGHLY RECOMMENDED FOR BEGINNERS)
Practical Malware Analysis - The Hands on Guide to Dissecting Malware, by Michael Sikorski and Andrew Honig
Reversing - Secrets Of Reverse Engineering by Eldad Eilam
Windows Internals by Mark Russinovich, David A. Solomon, Alex Ionescu
Reverse Engineering for Beginners by Dennis Yurichev (HIGHLY RECOMMENDED FOR BEGINNERS)
Malware Analysts Cookbook by Michael Hale Ligh, Steven Adair, Blake Hartstein, Matthew Richard

Websites

Malware Unicorn - Reverse Engineering Malware 101
Open Security Training
theZoo - Repository of LIVE Malware
crackmes.de
HackForums (laugh all you want but there’s actually some decent content there if you look hard enough)
Rohitab forums (malware development)
r/HowToHack
r/Hacking
r/Malware
r/ReverseEngineering
HackThisSite Application missions (mostly VB stuff here, some native binaries)
Any other hacking forums
MSDN - Windows API Index

Other

~~Steal~~ Learn from others
Download some HF skid malware and reverse that

Conclusion

glhf lal

johnt · May 19, 2017, 11:38am

Absolutely off topic comment but after landing on Open Security Training, I followed a few external links and ended up learning about Zero Knowledge proofs and other crazy things, so just wanted to say thanks for the knowledge journey and resources.

dtm · May 19, 2017, 11:40am

Hey, our lecturer just recently taught us ZKP, what a coincidence! If you haven’t already, try looking up Prisoner’s Dilemma and then apply that concept to two strangers both infected with ransomware.

_py · May 19, 2017, 12:56pm

Malware Analysis, Reverse Engineering, Binary Exploitation, all quite technical and related-to-each-other fields.

@dtm just proved to you that the problem isn’t the lack of resources, but the lack of resourcefulness.

anon79434934 · May 19, 2017, 6:21pm

Great resources for those starting out (like me). Let’s hope I am persistent enough to read all this because I’m a bad reader

-Phoenix750

ricksanchez · May 20, 2017, 8:27am

Great overview @dtm .
Everything you need to know if you wanna dive into malware analysis in one post.
Also the recommended books are worth reading. I didn’t finish some of them yet but they are already on my “to buy” list

Black · June 3, 2017, 4:47pm

Hi, @dtm thanks for your article.
PPEE - Professional PE Explorer is also an interesting tool for pe analysis.

Malware_Info · June 14, 2017, 5:25am

Excellent resource! Any tutorials available for learning windows internals.I’m now working on windows internals part 1 to get into the nitty-gritty of operating system,prospective malware analyst has to do read windows internals part 1 and 2 completely or selected chapters?

dtm · June 14, 2017, 6:15am

Personally, I’ve read minimal amounts of Windows Internals but if I ever happen to want to learn something specific I will try and find the chapters which explain it. It really depends on what kind of malware you’ll be dealing with so for example, ransomware doesn’t require an extremely in-depth knowledge of Windows to take apart but if you come across a kernel rootkit, you will have to know a lot more of the underlying system.

To to give a concrete example, I’ve (statically) taken apart WannaCry to a decent extent and understood how the overall program flow works from extracting and dropping its files to file encryption and finally to the point where it demands the ransom by myself without any need to reference other people’s analysis. What I currently know about Windows includes: memory management, the PE file format, the WinAPI, Windows’ command line and its utilities. There are more things which I would like to learn more about such as WMI, IPC, APC, and definitely the kernel but I’ve also other areas on which I am focussing which work in conjunction for malware analysis, e.g. reverse engineering.

As for resources, there aren’t much which I know of, most of what I’ve learned came from developing Windows applications (and malware) so learning how to read the WinAPI documentation from MSDN (I’ve linked above) and just Googling specific things I wanted to know about and then applying that knowledge.

tl;dr don’t have to read everything, depends on the malware you’re dealing with, focus on other skills as well such as RE and understanding how malware works, theory is good but practical experience is better.

z3n · June 14, 2017, 12:01pm

Thank You very much for this informative thread, I learned something new

dtm · January 21, 2018, 12:42am

This topic was automatically closed after 30 days. New replies are no longer allowed.