Malware Analysis Road Map and essential tools

teto2005

Level 1
Thread author
May 14, 2017
3
Hello Guys
I am new here and I am not sure if I am in the right place or not.
I am seeking your advice to learn Malware Analysis ("static"), as I am not good at Assembly.
Besides that, the required tools to perform the analysis and the road map.
Thanks a lot :)
 
Reactions: askmark and Rengar

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Hello

Well, static analysis consists of analyzing a malware sample without starting it, studying the code and the functions to determine its behavior, but it is really very difficult to explain the concepts, especially if you don't know assembly.

Let's say that usually .NET malware (not obfuscated) can be investigated by accessing the code with ILSpy, for example.
As for malware written in C/C++, it is more complex because it is virtually impossible to go back to the source code starting from the executable.

Here you can use PEiD, which can be useful for investigating strings and file sections, both of which are useful for understanding the malware's behavior.

For example, here are the file sections:

- .text contains the instructions that the CPU will run (the executable code);
- .rdata usually contains the import and export information. It can also hold the read-only data used by the malware;
- .data contains the global data of the executable;
- .rsrc contains the resources used by the executable that are not considered part of it, such as icons, images, and strings.

Of course the topic is very complex.
 

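An added example, not from Winter Soldier's post or from any tool it names: a small Python parser for the PE section table described above, plus a triage pass that flags the traits an analyst checks first when sizing up a sample (a section that is both writable and executable, a section name no linker normally emits, and a section that is empty on disk but large in memory, which is typical when a packer fills in code at runtime). The sample file is constructed inside the script and is headers only, not a real executable.

```python
import struct
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000  # PE/COFF section flags
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".pdata", ".bss"}  # usual linker names
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data):
    """Walk the PE section table; return (name, VirtualSize, SizeOfRawData, Characteristics) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]  # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size  # section table starts right after the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, table + i * 40)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[3], fields[9]))
    return sections

def triage(sections):
    """Flag section-table traits that usually merit a closer look before reading any code."""
    notes = []
    for name, vsize, rsize, chars in sections:
        if chars & SCN_WRITE and chars & SCN_EXEC:
            notes.append(f"{name}: writable and executable")
        if name not in COMMON_SECTIONS:
            notes.append(f"{name}: non-standard section name")
        if rsize == 0 and vsize > 0:
            notes.append(f"{name}: 0 bytes on disk but {vsize:#x} bytes in memory (filled at runtime?)")
    return notes

def build_sample_pe(specs):
    """Constructed headers-only PE (not a real executable) so the example runs offline."""
    opt = b"\0" * 8  # stand-in optional header; only its size matters to the parser
    pe = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x102) + opt
    for name, vsize, rsize, chars in specs:
        pe += struct.pack(SECTION_HDR, name, vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, chars)
    return bytes(pe)

SAMPLE_PE = build_sample_pe([  # constructed: three ordinary sections plus one packer-style stub
    (b".text", 0x1000, 0x1000, SCN_CODE | SCN_EXEC | SCN_READ),
    (b".rdata", 0x400, 0x400, SCN_READ),
    (b".data", 0x800, 0x200, SCN_READ | SCN_WRITE),
    (b"UPX1", 0x5000, 0, SCN_READ | SCN_WRITE | SCN_EXEC),
])
```

Running `triage(parse_sections(open(path, "rb").read()))` on a real file gives the same kind of notes PEiD's section view lets you eyeball, which is a useful first pass before opening anything in a disassembler.
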
teto2005

Level 1
Thread author
May 14, 2017
3
Thanks a lot for your reply.
Would you please recommend an assembly reference?
 
Reactions: Game Of Thrones
