Aye p33ps! Seeing as WannaCry took the world by storm recently, I thought that it’s probably a good time to introduce the world of malware analysis to this forum. In this post, I will write about how you guys can join in on the mayhem and play with some fire (and hopefully not get burnt in the process). Do note that this is my take on this and it may not actually be correct or optimal, it is something taken from my own experience. You can most probably find many other guides on malware analysis on the interwebz but I will put this here because it’s convenient (and some people are lazy to actually do the research themselves), and @oaktree and @pry0cc love it when new content is released here. The focus of this
guide general directional pointer is specifically targeted towards the Windows platform.
Disclaimer: Again, I will say that this is purely my view on this and if you have a problem with that, click away now. If there are any errors in this thread, please notify me and I will fix it ASAP.
For those who are keen to get into this area, it’s probably a good idea to have the following:
Must be able to read a lot of books or other texts Must have a thirst for knowledge Must be able to problem solve Self-motivation Persistence Courageousness Patience
Where to Start?
You may have noticed that I did not list any technical skills under the prerequisite list and that’s because these can be learned. What’s more important in the general field of reverse engineering - and I cannot stress this enough - is developing or having the appropriate mindset and without this, no matter how technically competent you are, at some stage you will most likely never be able to approach a task at hand as effectively. Keep in mind that in this current age, there is nothing that cannot be reverse engineered  and there is nothing that can restrain you from doing so - unless, of course, you were doing something illegal and are actually physically inhibited. Mind over matter. If you believe your mind is tamed and has transcended, you may continue.
Technical Skills and General Knowledge
Now that that’s out of the way, we can move onto building up our skillset. This section is mainly for those who are relatively new to this.
1. Reverse Engineering
When I say reverse engineering, I mean in a technical sense involving computing, not the general umbrella term that can apply to everything. For example, reverse engineering binaries will probably be the bulk of what malware analysts will do. A lot of decent malware are built using compiled languages which include C, C++, Pascal (Delphi). The result of these compiled languages are native binaries which contain machine code which is translatable to the assembly language. It is your goal to be able to read this assembly code and understand the functionalities of the binary.
2. Disassembly and Debugging
Yeah, okay, this is a part of how2reverse. What you want to do is use disassembling to actually provide the assembly of the native binary so you can begin translating the code. This is a static method as opposed to debugging where you actually step through and look at what is being executed to see the interaction between the malware and the system. Knowing how to do both of this is absolutely essential because if you don’t, well, you probably can’t understand what’s under the hood and what’s exactly happening.
Knowing what other mysterious content that malware comes packed with is crucial in understanding what it can achieve. Being able to identify file types and analyse network traffic can help gain a bigger picture or give hints towards specific functionality such as file dropping/downloading or contacting C2s (or checking kill switches).
4. The Environment
As a malware analyst, it’s definitely helpful to know how the underlying system of the platform which is being attacked - yes, you heard me right, you should understand the Windows OS! Knowing the Windows API and how it interacts with the environment (processes, memory, disk, registry, network) makes life very easy and can definitely hint at what suspicious things malware are up to.
5. The PE Format
The Portable Executable (PE) format is the executable format for Windows much like ELF is for Linux. Though this is a combination of
The Environment, I believe it’s important enough to be in its own section. Knowing how the PE file works and what details it offers can boost your knowledge of what tricks a sample of malware might have up its sleeve and can, at times, win you half the battle just by taking a peek.
6. Malware Functionality
Even better, knowing how malware works makes them easier to analyse! It makes them predictable (by predict, I mean make assumptions and then verify it) and your life much, much more forgiving. “What does this chunk of assembly instructions mean?” Doesn’t matter, found a string that looks like a registry key which ends with the subkeys
CurrentVersion\\Run which means it’s most likely setting up persistence. Done. It might even be… * cough cough * …advisable to research the methods employed by malware and then… * nudge nudge * … ethically making your own… * cough * …em55am5lcg==… * wink wink *.
You know what? I just won’t put them here because to be honest, I can’t spoonfeed y’all everyday. Also, I’m lazy. Better start working on your Google-fu!
General Analysis Techniques
In most, if not all, phases of hacking - or un-hacking(?) in this case - we
usually should start out with reconnaissance. Here are some things you might do when performing an analysis.
Dig out as many strings as you can because there is a wealth of information just lying there in plain sight. Error messages, suspicious strings like URLs, registry keys, etc., file names, function names, base64-encoded strings, file signatures, EVERYTHING!
Have the executable analysed and check if there are sections or resources with any high entropy values. If there are, it’s probably compressed and/or encrypted!
Find something unusual in the PE file’s resources? Extract it and analyse it!
Found weird data? Just throw it into a hex editor! Find a signature!
DLL Imports / Exports
Check out what functions it uses! Maybe it’s trying to contact a server? or even logging your keystrokes? Maybe it’s a DLL and is providing functions for the main executable to use?
Packed Malware / Data
Let it execute under a debugger! Try to find its unpacking routine and where it ends, then breakpoint it there. Pull the damned thing straight out of memory! Show them who’s boss!
Pretty obvious one here, throw it in a disassembler and literally read what it does! From previous methods, back trace the instructions and figure out what it’s doing or how it’s doing something.
Grab a hot beverage, detonate it (in a securely isolated environment), sit back and watch what it does! Record registry or file changes, networking activity, everything.
As a reverse engineer, it’s ideal if you learn everything you lay your eyes on because you’ll never know if you’ll come across it some day.
- Reverse engineering challenges section
- @0x00pf’s Reverse Engineering 101
- @TheDoctor’s C# Reversing - MSIL Patching
- @TheDoctor’s C# Reversing - Unpacking a Packer
- @TheDoctor’s C# Reversing - Unpacking a Packer ~ MegaDumper
- Malware section
Books / PDFs
Message me privately for direct links.
- Hacking: The Art of Exploitation by Jon Erickson (HIGHLY RECOMMENDED FOR BEGINNERS)
- Practical Malware Analysis - The Hands on Guide to Dissecting Malware, by Michael Sikorski and Andrew Honig
- Reversing - Secrets Of Reverse Engineering by Eldad Eilam
- Windows Internals by Mark Russinovich, David A. Solomon, Alex Ionescu
- Reverse Engineering for Beginners by Dennis Yurichev (HIGHLY RECOMMENDED FOR BEGINNERS)
- Malware Analysts Cookbook by Michael Hale Ligh, Steven Adair, Blake Hartstein, Matthew Richard
- Malware Unicorn - Reverse Engineering Malware 101
- Open Security Training
- theZoo - Repository of LIVE Malware
- HackForums (laugh all you want but there’s actually some decent content there if you look hard enough)
- Rohitab forums (malware development)
- HackThisSite Application missions (mostly VB stuff here, some native binaries)
- Any other hacking forums
- MSDN - Windows API Index
StealLearn from others
- Download some HF skid malware and reverse that