z80.Eu-Tools For Virus Analysis
z80.eu/tools.html
=> You will be able to compare the current behaviour with unusual behaviour (e.g. hard disk activity even though you are doing nothing with your system, or additional files and/or processes).
Also, if you have identified a suspicious file, you can analyze it with several tools.
Typically a normal user relies on his antivirus program only. That's really not enough, because these programs do not know new viruses until somebody has found them and published them. Some antivirus programs offer additional features like heuristic detection and a guard for registry changes. Heuristics are often overstrained: if too weak, they don't detect much; if too strong, they even detect wanted, harmless programs. And the user can't decide which changes are needed and which changes are unwanted if a guard reports every change.
There was a really useful program (at least for 32-bit Windows), but it's not mentioned very often:
"API Guard" from Jakub Debski
The source code is supplied too, it has a simple interface, and it works.
It controls API calls, so you can allow or disallow any action just with a checkbox, and run a suspicious file in a controlled shell. This does not work with more sophisticated methods of calling system functions, but it's worth a try - possibly in a virtual machine, so that even if nothing is blocked by the tool itself, your real system is still not affected.
Newer but also very useful: >Sandboxie<. More sophisticated compared to API Guard, but also larger. It stores changes to the file system and registry in its own area.
If you want to find out whether any antivirus program on the market detects anything bad, try uploading the file at >Virustotal<.
Also, there are some approaches to analyzing it automatically via sandboxes or modified x86 emulators.
Try >Joebox< (a secure sandbox application) or >Anubis< (analyzing unknown binaries) to get an overview of the API calls used or the files/registry entries used.
Also promising is "Zerowine", a project which uses Wine to let the malware run in a controlled way.
To look into the PE header and related info, use >PPEE (Professional PE file Explorer)< - very useful!
Also very helpful: CFF Explorer, which can show you PE info but can also disassemble sections. It is also good for changing parameters like the Large Address Aware bit (to give programs more than 2 GB of RAM when running on x64 Windows).
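As an added example (not from z80.eu and not code from PPEE or CFF Explorer), here is a small Python parser for the PE file header fields an analyst looks at first, plus a function that sets or clears the Large Address Aware bit the way CFF Explorer's checkbox does; the sample header bytes are constructed inline and are not a real program.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics flags (values from the PE/COFF specification)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # first field of the optional header

def _file_header_offset(data: bytes) -> int:
    """Locate IMAGE_FILE_HEADER: e_lfanew at DOS offset 0x3C points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ (DOS) header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew + 4

def parse_pe_header(data: bytes) -> dict:
    """Return the fields an analyst looks at first: machine, section count, flags, PE32 vs PE32+."""
    off = _file_header_offset(data)
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _, flags = struct.unpack_from("<HHIIIHH", data, off)
    magic = struct.unpack_from("<H", data, off + 20)[0]  # optional header follows the 20-byte file header
    return {
        "machine": machine,
        "sections": nsections,
        "characteristics": flags,
        "is_dll": bool(flags & IMAGE_FILE_DLL),
        "large_address_aware": bool(flags & IMAGE_FILE_LARGE_ADDRESS_AWARE),
        "format": {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, "unknown"),
    }

def set_large_address_aware(data: bytes, enabled: bool) -> bytes:
    """Copy of data with the Large Address Aware bit set/cleared (the optional-header
    CheckSum is left untouched, so re-checksum or re-sign files that require it)."""
    off = _file_header_offset(data)
    flags = struct.unpack_from("<H", data, off + 18)[0]  # Characteristics is 18 bytes in
    flags = flags | IMAGE_FILE_LARGE_ADDRESS_AWARE if enabled else flags & ~IMAGE_FILE_LARGE_ADDRESS_AWARE
    out = bytearray(data)
    struct.pack_into("<H", out, off + 18, flags & 0xFFFF)
    return bytes(out)

# Constructed sample: MZ stub + PE signature + file header + optional-header magic (not a real program)
SAMPLE_PE = (
    b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # DOS header with e_lfanew = 0x40
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, IMAGE_FILE_EXECUTABLE_IMAGE)  # i386, 3 sections
    + struct.pack("<H", PE32_MAGIC)
)
```

Run `parse_pe_header(open(path, "rb").read())` on a real file to see the same fields the GUI tools display; only the first kilobyte or so needs to be read for this.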
To unpack packers like FSG 2.0, try >FUU< (Faster Universal Unpacker).
Many script kiddies code in VBA and compile it, so to decompile it, try a decompiler; an overview can be found at woodman.com >here<.
To analyze program code, you need some knowledge of assembly language. But this is not rocket science.
- A very good disassembler tool: IDA Pro, see >here< for more details
- A discontinued disassembler, but still useful: >W32Dasm<
- A very good 32-bit debugger: >OllyDbg<; even API spying is possible (the feature is called "Intermodular Calls")
- A promising x64-capable debugger: >x64dbg<
- A very good (free) debugger as well: >Syser Win32 debugger<
- If you also need to debug deep into the kernel (Ring 0), you have to use >Syser Kernel Debugger< - it looks like this:
Update: Unfortunately, Syser seems to be no longer available. Try out >Bugchecker< as another "SoftIce" replacement. Or >ArkDasm<.
Please also take a look at >Immunity Debugger<, and don't forget the "Volkswagen" of debuggers, >Microsoft's WinDbg<.
- A very good debugging tool was >SoftIce<, part of a driver development suite; unfortunately it's >no longer available since 2006<.
Really interesting:
How to hide your process from all the above-mentioned tools.... ok, except from the rootkit discovering tools, but from all others:
Hacker Defender 1.0 ... it was published in 2004, but it is still worth analyzing and learning from (source included, written in Delphi).
This virus will be detected for sure by all known virus scanners - so don't worry about my offer, IT IS FOR EDUCATIONAL PURPOSES ONLY. The archive is password protected (password = 'rootkit'). You can download it from my local mirror >here<.
Also an interesting web site: >GreyHatHacker.net<, with many hints about (current) exploits/weaknesses and how to mitigate them.
If you're still interested in how exploits work (and then how to avoid them), read all parts of the >really good tutorial at corelan.be<.