 LNNY ZLTSR (HTTPS://ZLTSR.

COM/)  
(https://twitt
(http

Tips for Reverse-

ngineering Malicious
Code

MOR ON

Information Securit
(https://zeltser.com/information-
securit)

This cheat sheet outlines tips for reversing malicious Windows exe- Malicious Software
cutales via static and dnamic code analsis with the help of a de- (https://zeltser.com/malicious-

ugger and a disassemler. To print it, use the one-page PDF (/me-
software)

dia/docs/reverse-engineering-malicious-code-tips.pdf) version; ou

can also edit the Word (/media/docs/reverse-engineering-malicious-
code-tips.docx) version to customize it for ou own needs.
The SANS malware analsis
course
Overview of the Code Analsis Process
(https://sans.org/for610) I’ve co-
1. xamine static properties of the Windows executale for initial authored explains the malicious
assessment and triage. code analsis and related tech-
niques that are summarized in
2. Identif strings and API calls that highlight the program’s
this cheat sheet.
suspicious or malicious capailities.
3. Perform automated and manual ehavioral analsis to gather If ou like this reference, take a
additional details. look at m other IT and securit
cheat sheets (/cheat-sheets/).
4. If relevant, supplement our understanding  using memor
forensics techniques.
SHAR 
5. Use a disassemler for static analsis to examine code that
references risk strings and API calls.
6. Use a deugger for dnamic analsis to examine how risk
strings and API calls are used.
7. If appropriate, unpack the code and its artifacts.
8. As our understanding of the code increases, add comments,
laels; rename functions, variales.
9. Progress to examine the code that references or depends upon
the code ou’ve alread analzed.
10. Repeat steps 5-9 aove as necessar (the order ma var) until
analsis ojectives are met.

Common 32-it Registers and Uses

AX Addition, multiplication, function results

CX Counter; used  LOOP and others

P aseline/frame pointer for referencing function

arguments (P+value) and local variales (P-value)

SP Points to the current “top” of the stack; changes via

PUSH, POP, and others

IP Instruction pointer; points to the next instruction;

shellcode gets it via call/pop

FLAGS Contains ags that store outcomes of computations

(e.g., Zero and Carr ags)

FS F segment register; FS[0] points to SH chain,

FS[0x30] points to the P.

Common x86 Asseml Instructions

mov Put the value 0x8 in AX.
EAX,0xB8

push EAX Put AX contents on the stack.

pop EAX Remove contents from top of the stack and put
them in AX .

lea EAX, Put the address of variale P-4 in AX.

[EBP-4]
 call EAX Call the function whose address resides in the
AX register.

add esp,8 Increase SP  8 to shrink the stack  two 4-

te arguments.

sub Shift SP  0x54 to make room on the stack for

esp,0x54 local variale(s).

xor Set AX contents to zero.

EAX,EAX

test Check whether AX contains zero, set the

EAX,EAX appropriate FLAGS its.

cmp Compare AX to 0x8, set the appropriate

EAX,0xB8 FLAGS its.

Understanding 64-it Registers

AX→RAX, CX→RCX, X→RX, SP→RSP, IP→RIP
Additional 64-it registers are R8-R15.
RSP is often used to access stack arguments and local variales,
instead of P.
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

R8 (64 its)
________________________________||||||||||||||||||||||||||||||||

R8D (32 its)

________________________________________________||||||||||||||||

R8W (16 its)

________________________________________________________||||||||

R8 (8 its)

Passing Parameters to Functions

arg0 [P+8] on 32-it, RCX on 64-it

arg1 [P+0xC] on 32-it, RDX on 64-it

arg2 [P+0x10] on 32-it, R8 on 64-it

arg3 [P+14] on 32-it, R9 on 64-it

Decoding Conditional Jumps
JA / JG Jump if aove/jump if greater.

JB / JL Jump if elow/jump if less.

JE / JZ Jump if equal; same as jump if zero.

JNE / JNZ Jump if not equal; same as jump if not zero.

JGE/ JNL Jump if greater or equal; same as jump if not less.

Some Risk Windows API Calls

Code injection: CreateRemoteThread, OpenProcess,
VirtualAllocx, WriteProcessMemor, numProcesses
Dnamic DLL loading: LoadLirar, GetProcAddress
Memor scraping: CreateToolhelp32Snapshot, OpenProcess,
ReadProcessMemor, numProcesses
Data stealing: GetClipoardData, GetWindowText
Kelogging: GetAsncKeState, SetWindowsHookx
medded resources: FindResource, LockResource
Unpacking/self-injection: VirtualAlloc, VirtualProtect
Quer artifacts: CreateMutex, CreateFile, FindWindow,
GetModuleHandle, RegOpenKex
xecute a program: Winxec, Shellxecute, CreateProcess
We interactions: InternetOpen, HttpOpenRequest,
HttpSendRequest, InternetReadFile

Additional Code Analsis Tips

e patient ut persistent; focus on small, manageale code
areas and expand from there.
Use dnamic code analsis (deugging) for code that’s too
di cult to understand staticall.
Look at jumps and calls to assess how the specimen ows from
“interesting” code lock to the other.
If code analsis is taking too long, consider whether ehavioral
or memor analsis will achieve the goals.
 When looking for API calls, know the o cial API names and the
associated native APIs (Nt, Zw, Rtl).

Post-Scriptum
Authored  Lenn Zeltser (/) with feedack from Anuj Soni
(https://malwolog.com/). Malicious code analsis and related topics
are covered in the SANS Institute course FOR610: Reverse-ngi-
neering Malware (https://sans.org/for610), which the’ve co-au-
thored. This cheat sheet, version 1.0, is released under the Creative
Commons v3 “Attriution” License (https://creativecommons.org/li-
censes//3.0/).

Updated Septemer 20, 2017

DID YOU LIK THIS?

Follow me for more of the good stu .

Aout the Author

Lenn Zeltser is a seasoned usiness and technolog leader with

extensive information securit experience. He uilds innovative endpoint
defense solutions as VP of Products at Minerva Las
(https://www.minerva-las.com/). He also trains incident response and
digital forensics professionals at SANS Institute (https://sans.org/). Lenn
frequentl speaks at industr events, writes articles and has co-authored
ooks. He has earned the prestigious GIAC Securit xpert designation,
has an MA from MIT Sloan and a Computer Science degree from the
Universit of Pennslvania.

Learn more (https://zeltser.com/aout)

Copright © 1995-2017 Lenn Zeltser. All rights reserved.