Malware Analysis Tools

00:01

Okay, so now that we've taken a look at now analysis and reverse engineering, let's take a few minutes to examine some of the tools that will help us in our analysis process.

00:13

As we perform our analysis and reverse engineering, we want to understand the meaning of the bits and bytes of the target file. So to help aid us in our malware analysis, we have a set of tools that help us parse objects, deconstruct or run the file, or simply give us an output of the contents.

00:30

So with that mind, we've categorized tools into binary analysis tools, dis assemblers, de compilers, the buggers and monitoring tools,

00:44

our first set of tools. Binary analysis tools. These air used to parse files and extract information from our sample. As a malware analyst, we should be able to identify which applications are able to be read by the target file by looking at the first few bites. The file types are generally identified by their magic header bites,

01:03

as you can see in the screenshot below.

01:04

Magic headers are usually located at the very beginning of the file.

01:08

So when you open up a target file, for instance, in a hex editor. You might see a Microsoft Execute herbal file or any XY with the text MZ at the very beginning of the file. This is famously known as the MZ Header Adobe. PdF. So, on the other hand, they have the first eight bytes set 2%

01:26

PdF fouled by the version number.

01:30

Also using binary tools, we can examine other information such as text strings. These could give us hints to as the purpose of the file. The following screenshot shows information indicating that this particular PdF was possibly created and exported from Microsoft Word.

01:47

These days, most binary analysis tools such as hex editors and dis assemblers

01:51

can read the binary information of most files. So the tool you choose to perform your analysis is up to you.

02:00

Another set of tools. We must add toe arsenal when we reverse engineer or perform malware analysis is dis assemblers and D compilers

02:08

dis assemblers. He used to view the low level code of a program in reading. This low level code requires the knowledge of us some assembly.

02:15

The analysis that you do with the dis assembler gives us information about how the program will interact with the system when we execute it and reveal code architecture er and data structures. The low level assembly code is shown in this screenshot on the right. Now, if you're unfamiliar with assembly code or you need some review not to worry, we're gonna cover this a bit Later.

02:36

In the screenshot, we can see a code snippet that uses an application programming interface to possibly look at messages as they're being passed between the user system and or application.

02:47

The compilers are similar to dis assemblers. In fact, they're tool that are typically bundled together with the dis assembler, such as the case with Ida Pro or Godhra.

02:58

These tools attempt to restore the high level source code of a program in the image on the right, you can see that the low level source code has been compiled to show you high level source code.

03:12

Additionally, we have the buggers to buggers. Allow an analyst to move through code flows by executing them line by line

03:20

by using a D bugger. We can trace through loops, examine conditional statements and view a P I execution. So since now we're analysis, aided by Do bugger is part of the dynamic analysis procedure.

03:31

This is usually done in an enclosed environment,

03:37

and finally, we have monitoring tools. So system monitoring tools, of course. Monitor system behaviors, thes tools. Look at the file system modifications, registering modifications, how piece of malware is running in memory and how the sample interacts with the network.

03:52

Usually, these tools tap into the Windows system using a p i s. And then they log the information so that you can review change and repeat the simulations to observe how the malware interacts with the system. Now, these are just a few of the modifications that a piece of malware could make to a system.

04:09

But we're going to cover these a bit later in upcoming modules.