Analysis Tricks

Created: 28.07.2022

This is about … .

Windows

How to find out …

  • … which processes used a certain dll ❓ In Process Explorer choose Find Handle or DLL.
  • … if a DLL is loaded into a process after load time ❓ Compare the DLL list in Process Explorer to the imports shown in Dependency Walker.
  • … if a .doc, .pdf or another document is malicious ❓ Open Process Explorer, launch the suspicious document in a sandboxed environment and check whether it has spawned any processes. Open that process’s Properties window, Image tab, to check the location of the malware file.
  • If there is an open socket, connect to it with nc -nv <IP> <port> to see what it wants to receive.
  • If the malware is looking for a DNS record and iNetSim doesn’t work (because it’s something very custom), try adding a 127.0.0.1 <DNS name> line to the hosts file and observing the activity with a tool like ProcMon. Then run ncat -nvlp <port>. Try ipconfig /flushdns (Windows) if this doesn’t help.
  • If process injection took place, find the victim in Process Hacker (or an analogue) and open Properties -> Memory. Sort by Protection and find all regions that have RWX permissions (that’s usually what shellcode requires to run). No name in the Use column usually indicates.

Delphi

This one is particularly tiresome to reverse. Some advice:

  • Set the calling convention to fastcall if it isn’t set properly (IDA Pro doesn’t set it automatically; not sure about radare2)
  • Delphi programs have a lot of structures.

Go

  • Compiled Go binaries are huge in size.

References


[1] Practical Malware Analysis, M. Silkorski, A. Honig

[2] SANS cheatsheet on malware analysis

[3] SANS tips on malware analysis

Automating the Process. Use Jupyter Notebooks and malware sandboxes to automate the analysis process. Tell the World! Write YARA rules to aid in the detection of malware samples and learn how to write effective analysis reports to publish findings.

Wardle, Patrick. The Art of Mac Malware (p. xxii). No Starch Press. Kindle Edition.

https://www.magnetforensics.com/resources/investigate-malware-ransomware-with-speed-and-efficiency/
