Question

Research methodologies and tools to set up a safe environment to analyze malware as well as methods to test exploits. Minimum 3 pages for basic analysis

1.basic static techniques

2.malware analysis in virtual machines

3. basic Dynamic analysis

Research methodologies and tools to set up a safe environment to analyze malware as well as methods to test exploits. Minimum 3 pages for advanced static analysis

1.analyzing malicious windows programs.

Research methodologies and tools to set up a safe environment to analyze malware as well as methods to test exploits. Minimum 3 pages for anti-reverse-engineering

1.anti-disassembly

2.anti-debugging

3.packers and unpacking

Answer 1

Static Analysis:- The software/ piece of code is analyzed without executing.

Techniques/Methods	Tools
File Format Inspection: the file header, its extension, the blank spaces in the file is inspected.	debugger- traces the errors in the targeted system.
Fingerprinting- Document fingerprinting maps the sensitive data such as file or documents into unique shorter string. these strings protect the confidential information of the files.	code analyzers- reviews, test and analyzes the source code and generates reports.
String Extraction: strings embedded in the file can help to detect suspicious binary presence such as filename created by the malware could be saved in the string	disassembler- translates machine language into assembly language
AV scanning-Anti-Virus scans the system to detect malicious code.	decompiler- recompiles input file as high level source file
Disassembly- reads binary file and seperates its data types and code.	source-open-source platform wherein licensed software are released which could be used by developers.

Dynamic Analysis:

The functionality of the software and its behavior is analyzed by executing the software. The code contained in the software program is analyzed by tracing each instruction in the program, the control flow, the parameters, variables, function calls

Methods\Techniques	Tools
Information Flow tracking -tracks all the information flow in the machine by tracing all the implicit and explicit data transfer flow	Sandbox: separates the running programs and the platform/system to mitigate the vulnerability and failure
Function Call Monitoring- Hooking is the process to capture function calls. Any call to a function invokes Hook function which examines the input, output, intermediatory function calls.	Simulator: predicts output/behavior of the real world or an actual physical system.
URLS accessed- is the redirection to another web resource	emulators RegShot: open-source portable registry comparison tool
Files creation and files accessed	Process Explorer: freeware task manager and system monitor

Malware analysis in virtual machines:

a simulated environment which is the replica of real system is created upon which the malware is executed and the behaviour of malware is analyzed ;how it would have affected the real system is predicted without damaging the actual real system

Techiniques	Tools
1.Creating VM. 2.Selecting OS type 3.Allocating RAM memory 4.Creating a virtual hard disk 5.Allocating storage space to the hard disk. 6.Installing the virtual operating system to run VM. 7.Capturing VM snapshot	1.Windows virtual machine-debug malware without infecting host system. 2.FLARE VM:- open-source window based VM malware software

Analyzing malicious windows programs

Techiniques	Tools
Analyzing the following :- Windows API File system function Special files Windows Registry Root Keys Networking APIs DLLs (Dynamic Link Libraries)	1.Cuckoo Sandbox-is an open source framework that automates malicious file analysis for Windows, OS X 2.Detect-It-Easy-  determines file types. 3. MASTIFF Static analysis framework-. conducts a few examination utilizing run-time conduct and many highlights from a file 4. MultiScanner -Modular file scanning/analysis with machine-learning

Anti-disassembly techniques	Tools
API obfuscation Opcode/assembly code obfuscation Junk/spaghetti code Control flow graph flattening	Windows API CloseHandle/NtClose FindWindow NtGlobalFlag

Anti-debugging techniques

PEB.BeingDebuggedFlag DebugPort: CheckRemoteDebuggerPresent() Debugger interrupts Heap Flags and ForceFlags