I'm currently trying to reverse Windows x86 malware to identify the small sections of code that make it malicious. I'm using Immunity Debugger and running into issues.
As I'm stepping through the code I can see certain Win32 API calls, while there is a string like c73rfg.exe in a register, which makes me think I'm about to see something happen. However, I then run into what seems like an infinite loop and never reach those Win32 calls. I set breakpoints just before the Win32 calls; however, when I run it, it exits instead. I'm quite confused and have a few questions:
- How does malware actually run differently under analysis? I.e. does the binary actually change, or does it just take a different branch of execution when running?
- What can I do to make it behave normally under analysis?
- Do malware authors write these anti-analysis techniques into the malware themselves, or is there a tool that does it for them?
Thank you.
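An added example, not part of the original post or any answer to it, of the "different branch" behaviour the question asks about. The binary on disk is identical whether or not a debugger is attached; a run-time check decides which path executes. On Windows the check shown is IsDebuggerPresent(), which reads the PEB BeingDebugged byte; because the example was built and tested on Linux, it falls back there to reading TracerPid from /proc/self/status, which is non-zero when a ptrace-based debugger is attached. The function names, the decoy/payload strings and the sample status text are all constructed for this illustration.

```c
/* Added example (not from the original post): a minimal "take a different
 * branch under a debugger" check. The bytes of the program never change;
 * only the branch taken at run time depends on the check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Parse the "TracerPid:\t<n>" field out of /proc/<pid>/status text.
 * Returns the tracer's PID, 0 when not traced, -1 when the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *p = strstr(status_text, key);
    if (p == NULL)
        return -1;
    return strtol(p + strlen(key), NULL, 10);
}

/* Returns 1 when a debugger appears to be attached, 0 otherwise.
 * Windows: PEB->BeingDebugged via IsDebuggerPresent().
 * Linux:   TracerPid in /proc/self/status (set by ptrace attach/TRACEME). */
int debugger_attached(void)
{
#ifdef _WIN32
    return IsDebuggerPresent() ? 1 : 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;                    /* no procfs: assume not traced */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0 ? 1 : 0;
#endif
}

/* The branch itself. Real malware would loop, sleep or exit on the decoy
 * path and only reach its file-drop / process-creation code on the other;
 * here the two paths are just labelled strings (constructed for the example). */
const char *select_path(int debugged)
{
    return debugged ? "decoy path: spin, sleep or exit"
                    : "payload path: drop file, create process";
}

int main(void)
{
    int dbg = debugger_attached();
    printf("debugger attached: %d -> %s\n", dbg, select_path(dbg));
    return 0;
}
```

Run it once normally and once under gdb (or a Windows debugger) to see the same executable print a different path. Patching the conditional jump after the check, or forcing the flag to 0 in the debugger, makes the payload path execute under analysis; that is the class of fix the second question is asking about.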