Basic Static Analysis Part 4B

Video Activity

In this part of the module, we recap and discuss the tricks malware uses to make analysis difficult. You'll learn that malware employs several tricks, such as stack corruption to fool the disassembler, import hiding (for example, resolving functions dynamically at run time instead of listing them in the import table), and string obfuscation.
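The two hiding tricks named in the description, resolving imports at run time and obfuscating strings, are easier to recognise once you have built a toy version yourself. The following is an added example, not code from the Cybrary video or its sample: it models a sample that stores API-name hashes instead of import names and XOR'd strings instead of cleartext, and shows the analyst-side routine that recovers each. The ROR13 hash, the single-byte XOR key, the export list and the two encoded strings are assumptions constructed for illustration; the video does not say which scheme its sample used.

```python
# Added example, not code from the Cybrary course. Models import hiding via
# resolve-by-hash and single-byte XOR string obfuscation, together with the
# analyst-side routines that undo them. Hash scheme, key and strings are
# constructed assumptions, not taken from any real sample.


def ror13_hash(name: str) -> int:
    """32-bit ROR13 hash of an ASCII export name (assumed scheme, widely used
    by shellcode to pick an export without embedding its name)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for the export names an analyst would dump from
# kernel32 / advapi32 / wininet with a PE viewer.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "CreateMutexA", "CreateServiceA",
    "RegSetValueExA", "InternetOpenA", "IsDebuggerPresent",
]


def build_hash_table(names):
    """Precompute hash -> name so hash constants seen in the disassembly can
    be turned back into API names."""
    return {ror13_hash(n): n for n in names}


def resolve_hashes(hashes, table):
    """The malware does this against the real export table at run time; the
    analyst does it offline against the precomputed table."""
    return [table.get(h, f"unresolved_{h:08x}") for h in hashes]


def xor_obfuscate(text: str, key: int) -> bytes:
    return bytes(b ^ key for b in text.encode("ascii"))


def xor_deobfuscate(blob: bytes, key: int) -> str:
    return bytes(b ^ key for b in blob).decode("ascii")


def brute_force_xor_key(blob: bytes, expected_substring: str):
    """Recover a single-byte key: try all 256 and accept the first key that
    yields printable ASCII containing a fragment we expect (e.g. 'SYSTEM\\')."""
    want = expected_substring.encode("ascii")
    for key in range(256):
        candidate = bytes(b ^ key for b in blob)
        if want in candidate and all(32 <= c < 127 for c in candidate):
            return key, candidate.decode("ascii")
    return None


# Constructed "sample": hashes instead of names, XOR'd strings instead of
# cleartext, so neither the PE import table nor `strings` reveals intent.
SAMPLE_IMPORT_HASHES = [ror13_hash(n) for n in
                        ("CreateMutexA", "RegSetValueExA", "InternetOpenA")]
SAMPLE_XOR_KEY = 0x5A
SAMPLE_ENCODED_STRINGS = [
    xor_obfuscate("SYSTEM\\CurrentControlSet\\Services\\SharedAccess"
                  "\\Parameters\\FirewallPolicy", SAMPLE_XOR_KEY),
    xor_obfuscate("Global\\MutexExampleName", SAMPLE_XOR_KEY),
]


def analyze_sample():
    """Analyst workflow: name the hashed imports, recover the key from one
    string with a known fragment, then decode every string with it."""
    table = build_hash_table(KNOWN_EXPORTS)
    imports = resolve_hashes(SAMPLE_IMPORT_HASHES, table)
    key, _ = brute_force_xor_key(SAMPLE_ENCODED_STRINGS[0], "SYSTEM\\")
    strings = [xor_deobfuscate(s, key) for s in SAMPLE_ENCODED_STRINGS]
    return imports, key, strings


if __name__ == "__main__":
    imports, key, strings = analyze_sample()
    print("resolved imports:", imports)
    print("recovered xor key: 0x%02x" % key)
    for s in strings:
        print("decoded string:", s)
```

The point of the hash table is that the analyst never needs to run the sample: once the hash routine is identified in the disassembly, every constant passed to it can be named offline, which recovers the "real" import list the PE header hides. The brute-force key recovery works only for a single-byte XOR; a longer or per-string key needs the decode routine itself to be located and re-implemented.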


Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Transcription
>> In conclusion, why did we do this? Why go into static analysis mode instead of just executing that in the VM? We were able to understand the malware a lot better and relatively quickly too. It didn't take us a few hours to get this done, it took us a few minutes. We were able to discover some indicators of compromise. If someone was doing dynamic analysis and another person was doing static analysis, they can both produce indicators of compromise. But you'll notice, we didn't really watch for any mutex created or attempted to be created when we were analyzing our malware dynamically. That's something we could plant a tool in our environment to do, but it's not something I usually do.

We could confirm dynamic analysis with a lot of our static analysis. We could say, "Oh yes, I saw it manipulating the registry to open up or disable the firewall. I saw that it had some code to create a service. I saw anti-debugging code." If the dynamic person was trying to execute any debugger and it failed, you could say, "Oh, I think I know why." You can go follow those functions and say, "Okay, there's something I can do about that. I can actually modify the malware to handle that." In the future we can see that there are some plugins for OllyDbg that will defend against a lot of that anti-debugging code. It would beat the anti-debugging code.

We also saw some tricks used by malware, such as stack corruption to try to fool our disassembler. We also saw import hiding through dynamic function resolving. It was trying to dynamically resolve all the functions it needed, from all the libraries it needed, rather than listing them in its import address table. If we ever looked at the imports just by themselves in the PE header with a PE explorer, we would only find a few function calls. We wouldn't really know what it's trying to do, such as mess with the registry or access the Internet, or access certain files. We also saw it using some string obfuscation. We didn't fully reverse engineer how the strings were being obfuscated. There's a little trick I'll show you in the next video on the easy way to handle that.

Thanks for watching this video.