Tools
Malware is derived from the term malicious software: any software written with a malicious purpose is considered malware.
The following security professionals perform malware analysis:
- Security Operations → Write detections for malicious activity in their network
- Incident Response → Identify the damage caused by the malware and restore the affected systems to a known-good state
- Threat Hunters → Use this knowledge to hunt for malware proactively
- Malware Researchers → Analyze malware to add detections to their security product
- Threat Research → Discover the vulnerabilities in the OS/environment that the malware exploits
Static Analysis → Malware is analyzed without being executed (hashes, strings, headers, imports)
Dynamic Analysis → Malware is run in an isolated environment (sandbox or VM) and its behaviour is observed
Advanced Malware Analysis → Uses disassemblers (static) and debuggers (dynamic)
- Disassembler → converts the binary's machine code into a human-readable assembly listing of what the code does. It helps you understand what the malware does without executing it.
- Debugger → lets you execute the program step by step, inspect memory and registers, and modify execution in real time. It shows what the malware actually does at runtime, which matters when the code is packed or obfuscated and the static listing is misleading.
PE Header → Contains the metadata of a PE file: entry point, section table, and import table. Most PE files re-use code exported by OS DLLs, and the import table records which functions they call, so it is one of the first things to read. The most common sections in a PE file:
- .text: This section generally contains the CPU instructions executed when the PE file is run. It is marked as executable.
- .data: This section contains the global variables and other global data used by the PE file. It is writable but normally not executable.
- .rsrc: This section contains resources used by the PE file, e.g. images, icons, and sometimes an embedded payload.
Section names are a linker convention, not something the loader enforces: packers and malware often rename them, leave them blank, or mark a section both writable and executable.
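The header walk described above, as an added example that is not part of the original notes: a dependency-free parser that follows the DOS header to the PE signature, reads the COFF and optional headers, and lists the section table, plus a few triage heuristics on the section flags. The two sample files are constructed in the script itself (a clean layout with .text/.data/.rsrc and a UPX-style packed layout) and are not real executables; the heuristics are illustrative hints, not detections.

```python
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                             # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint (an RVA)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40                           # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": rawsize, "raw_offset": rawptr, "characteristics": chars,
        })
    return {"machine": machine, "magic": magic, "entry_point": entry, "sections": sections}


def triage(data: bytes) -> list:
    """Hints a triage script would raise from the section table alone; none of them proves malice."""
    pe = parse_pe(data)
    findings, entry_section = [], None
    for s in pe["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable (RWX)")
        if c & IMAGE_SCN_MEM_EXECUTE and s["virtual_size"] > s["raw_size"]:
            # Executable section larger in memory than on disk: room for code written at runtime.
            findings.append(f"{s['name']}: virtual size 0x{s['virtual_size']:x} exceeds raw size 0x{s['raw_size']:x}")
        if s["virtual_address"] <= pe["entry_point"] < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            entry_section = s
    if entry_section is None:
        findings.append(f"entry point 0x{pe['entry_point']:x} is outside every section")
    elif entry_section["name"] != ".text":
        findings.append(f"entry point 0x{pe['entry_point']:x} is in {entry_section['name']}, not .text")
    return findings


def build_sample_pe(sections, entry: int) -> bytes:
    """Construct a minimal PE32+ image for the parser (test input only; it is not a runnable program)."""
    opt_size = 240                                              # size of a PE32+ optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)  # AMD64, EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, 0x400, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
R = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample 1: the usual .text/.data/.rsrc layout, entry point inside .text.
SAMPLE_CLEAN = build_sample_pe([
    (b".text", 0x1000, 0x800, 0x800, RX),
    (b".data", 0x2000, 0x200, 0x200, RW),
    (b".rsrc", 0x3000, 0x100, 0x100, R),
], entry=0x1010)

# Constructed sample 2: a UPX-style layout, where a large empty RWX section is filled at runtime
# and execution starts in the unpacking stub's section.
SAMPLE_PACKED = build_sample_pe([
    (b"UPX0", 0x1000, 0x5000, 0x0, RWX),
    (b"UPX1", 0x6000, 0x800, 0x800, RWX),
], entry=0x6010)

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED)):
        pe = parse_pe(blob)
        print(f"[{label}] machine=0x{pe['machine']:x} magic=0x{pe['magic']:x} entry=0x{pe['entry_point']:x}")
        for s in pe["sections"]:
            print(f"  {s['name']:<8} va=0x{s['virtual_address']:x} vsize=0x{s['virtual_size']:x} "
                  f"raw=0x{s['raw_size']:x} flags=0x{s['characteristics']:08x}")
        for f in triage(blob):
            print("  !", f)
```

To run it against a real file, replace the constructed blobs with `open(path, "rb").read()`; the parser only needs the headers, so it works on truncated samples too. The entry-point and RWX checks are exactly what tools like pecheck surface, and reading them off the raw structures once makes those tool outputs much easier to interpret.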
pecheck <suspicious file> #command to display PE information (headers, sections, imports, hashes)
pe-tree <suspicious file> #GUI viewer of the PE structure as a tree (a separate tool, not a front end for pecheck)
strings <suspicious file> #command to display the printable strings in the file (4+ characters by default; add -e l to also catch UTF-16LE strings, which Windows binaries use heavily)
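What `strings` does under the hood, as an added example that is not part of the original notes: a small extractor that reports ASCII and UTF-16LE runs with their file offsets (the wide-string case is the one the default `strings` invocation misses), followed by a first-pass classifier for the indicators an analyst looks for in the output. The sample bytes are constructed here to mimic fragments of a Windows binary; the indicator patterns are an illustrative starting list, not a complete one.

```python
import re

MIN_LEN = 4  # same default minimum length as GNU strings

# Indicators worth reading first in a strings dump. Illustrative list, assumed for this example.
INDICATORS = {
    "url": re.compile(r"https?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"^(HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE\\|Software\\)", re.I),
    "api": re.compile(r"^(VirtualAlloc|WriteProcessMemory|CreateRemoteThread|LoadLibrary[AW]?"
                      r"|GetProcAddress|URLDownloadToFile[AW]?|WinExec|ShellExecute[AW]?)$"),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, encoding, text) tuples in file order for ASCII and UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE of ASCII text is "char NUL char NUL ...": match that pair pattern directly.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)


def classify(strings: list) -> list:
    """Tag each extracted string with the first indicator category it matches; untagged strings are dropped."""
    hits = []
    for _offset, _encoding, text in strings:
        for kind, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((kind, text))
                break
    return hits


# Constructed sample: DOS stub text, an import-name block, two wide strings, and binary noise.
# The NUL padding between blocks is deliberate: without it the wide-string scanner would
# swallow the last ASCII character before "http" as part of the UTF-16 run, a real strings artifact.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
    + b"KERNEL32.dll\x00VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00" + b"\x00\x00"
    + "http://203.0.113.7/update.bin".encode("utf-16le") + b"\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"\x13\x37\xde\xad\xbe\xef" * 4
    + b"ab\x00cd\x00"   # runs shorter than min_len are not reported
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, encoding, text in found:
        print(f"0x{offset:06x} {encoding:<8} {text}")
    print("--- indicators ---")
    for kind, text in classify(found):
        print(f"{kind:<9} {text}")
```

The offsets matter in practice: a string sitting inside .rsrc rather than .rdata, or in a region the section table does not cover at all, is itself a lead. Combine the offset with the section table from the PE header to see which section each indicator lives in.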