This is about … .
Windows
How to find out …
- … which processes used a certain DLL: in Process Explorer choose Find Handle or DLL.
- … if a DLL is loaded into a process after load time: compare the DLL list in Process Explorer to the imports shown in Dependency Walker.
- … if a .doc, .pdf or another document is malicious: open Process Explorer, launch the suspicious document in a sandboxed environment and check whether it has spawned any processes. Open this process's Properties window, Image tab, to check the location of the malware file.
- If there is an open socket, you can open `nc -nv <IP> <port>` to see what it wants to get.
- If the malware is looking for a DNS record and iNetSim doesn't work (because it's something very custom), try adding `127.0.0.1 <DNS name>` and observing the activity with a tool like ProcMon. Then, do `ncat -nvlp <port>`. Try `ipconfig /flushdns` (Windows) if this doesn't help.
- If process injection took place, find the victim in Process Hacker (or some analogue) and open Properties -> Memory. Sort by Protection and find all that have RWX permissions (that's usually what a shellcode will require to run). No name in the Use column usually indicates.
Delphi
This one is particularly tiresome to reverse. Some advice:
- Set the calling convention to fastcall if it isn't set properly (IDA Pro doesn't do this automatically; not sure about radare2)
- Delphi programs have a lot of structures.
Go
- Compiled Go binaries are huge in size.