Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this part of the module, we'll recap and discuss the tricks malware uses to make analysis difficult. You'll learn that malware employs several tricks, such as stack corruption to fool the disassembler, import hiding (for example, by resolving the functions it needs dynamically instead of listing them in its import table), and string obfuscation.
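The import-hiding and string-obfuscation tricks named above, as an added example that is not part of the course material or the sample discussed in the video: a constructed single-byte-XOR table of API names of the kind a sample decodes just before calling GetProcAddress, a rough `strings`-style scan showing why those names never show up in a static look at the binary, and the brute-force key recovery an analyst can run over such a blob. The API list, the key 0x5A and the NUL-terminated table layout are assumptions chosen for illustration.

```python
"""Single-byte XOR obfuscation of API names (as used by malware that resolves
imports at run time) and a brute-force recovery of the key.

Constructed example: the API list, the key and the table layout are assumptions,
not details taken from the sample discussed in the video."""
import re
import string

# Names the malware resolves with GetProcAddress at run time. Only the loader
# pair (LoadLibraryA/GetProcAddress) needs to be in the import table; these
# stay hidden in an obfuscated blob. (Constructed list, not from a real sample.)
API_NAMES = [
    "CreateServiceA",
    "StartServiceA",
    "RegSetValueExA",
    "InternetOpenA",
    "URLDownloadToFileA",
    "WinExec",
]
XOR_KEY = 0x5A  # assumed key; real samples use anything from one byte to a rolling key


def obfuscate_table(names, key):
    """Malware side: NUL-terminate each name, then XOR the whole table with one byte."""
    plain = b"".join(n.encode("ascii") + b"\x00" for n in names)
    return bytes(b ^ key for b in plain)


BLOB = obfuscate_table(API_NAMES, XOR_KEY)  # what the analyst sees in the binary


def strings_like(data, min_len=4):
    """Rough emulation of the `strings` tool: runs of >= min_len printable ASCII."""
    printable = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")
    runs, cur = [], bytearray()
    for b in data:
        if b in printable:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def decode_table(blob, key):
    """Analyst side: XOR with a candidate key, split on NUL, drop empty entries."""
    plain = bytes(b ^ key for b in blob)
    return [c.decode("ascii", errors="replace") for c in plain.split(b"\x00") if c]


# Win32 export names are CamelCase and alphanumeric; use that as the oracle.
API_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]{3,}$")


def score_key(blob, key):
    """Number of decoded entries that look like Win32 export names."""
    return sum(1 for entry in decode_table(blob, key) if API_NAME_RE.match(entry))


def recover_xor_key(blob):
    """Try all 256 single-byte keys; return (best key, decoded names)."""
    best = max(range(256), key=lambda k: score_key(blob, k))
    return best, decode_table(blob, best)


if __name__ == "__main__":
    # Static view: no API name survives in the obfuscated blob.
    print("strings on the blob:", strings_like(BLOB))
    key, names = recover_xor_key(BLOB)
    print(f"recovered key 0x{key:02x}: {names}")
```

The scan in `strings_like` is the static-analysis view the transcript describes: the blob yields only short punctuation runs, so neither `strings` nor the import list reveals registry, service or network activity. `recover_xor_key` is the cheap first thing to try before reversing the decoder by hand; if no single byte scores well, the scheme is something other than single-byte XOR and the decode routine itself has to be read.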

Video Transcription

00:04
So in conclusion,
00:07
Why did we do this? Why go into static analysis mode instead of just executing it in a VM?
00:14
Well, we were able to understand the malware a lot better, and relatively quickly too. It didn't take us a few hours to get this done; it took us a few minutes. We were able to discover some indicators of compromise. So if someone was doing dynamic analysis and another person was doing static analysis, they could
00:34
both
00:35
produce indicators of compromise. But you'll notice we didn't really watch for any mutexes created, or
00:42
attempted to be created,
00:45
when we were analyzing the malware dynamically. That's something we could
00:50
plant a tool in our environment to do, but it's not something I usually do.
00:57
And
00:58
so we could confirm dynamic analysis with a lot of our static analysis. We could say, oh, yes, I saw it manipulating the registry to
01:07
open up or disable the firewall. I saw
01:11
that it had some code to create a service,
01:19
and I saw anti-debugging code. So if the dynamic person was trying to execute it in a debugger and it failed, you could say, oh, I think I know why. And you could go follow those functions and say, okay, there is something I could do about that, and
01:34
actually modify the malware to handle that. And in the future, we can see that there are some plugins for OllyDbg
01:42
that will defend against a lot of that anti-debugging code. So it would be anti-anti-debugging code.
01:52
And we also saw some tricks used by malware, such as stack corruption to try to fool our disassembler.
02:00
We also saw import hiding through dynamic function resolving. It was trying to dynamically resolve all the functions that it needed from the libraries that it needed,
02:10
rather than list them in its import address table. So if we ever looked at the imports just by themselves in the PE header with PE Explorer, we could only find a few function calls. We wouldn't really know what it's trying to do,
02:28
such as mess with the registry, or access the Internet, or access certain files.
02:35
And we also saw it was using some string obfuscation.
02:38
And while we didn't fully reverse engineer
02:43
how the strings were being obfuscated,
02:46
there's a little trick I'll show you in the next video
02:49
on the easy way
02:51
to handle that.
02:53
Thanks for watching this video.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this course you will learn how to perform dynamic and static analysis on all major file types, how to carve malicious executables from documents, and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor