In: Computer Science
Research methodologies and tools to set up a safe environment to analyze malware as well as methods to test exploits. Minimum 3 pages for basic analysis:
1. Basic static techniques
2. Malware analysis in virtual machines
3. Basic dynamic analysis
Research methodologies and tools to set up a safe environment to analyze malware as well as methods to test exploits. Minimum 3 pages for advanced static analysis:
1. Analyzing malicious Windows programs
Research methodologies and tools to set up a safe environment to analyze malware as well as methods to test exploits. Minimum 3 pages for anti-reverse-engineering:
1. Anti-disassembly
2. Anti-debugging
3. Packers and unpacking
Static analysis: the file is examined without executing it. This is safe to do on any host because the code never runs, but it only sees what is in the file on disk; code that is unpacked or decrypted at run time is invisible to it.

| Technique / method | Tool |
|---|---|
| File format inspection: the file header (for a Windows executable, the PE header: sections, imports, entry point, timestamp), the real file type versus its extension, and any padding or data appended after the last section are examined. | Disassembler: translates machine code into assembly language so the instructions can be read. |
| Fingerprinting: the file is hashed (MD5, SHA-1, SHA-256) to give it a unique short identifier that can be looked up in antivirus and threat-intelligence databases and shared with other analysts without distributing the sample itself. | Decompiler: reconstructs high-level, source-like pseudocode from a compiled binary; the output is an approximation of the original source, not a copy of it. |
| String extraction: printable strings embedded in the file (names of files or registry keys the program creates, URLs and IP addresses, imported function names, error messages) give an early indication of what the program does. | Code analyzers: review, test and analyze source code and generate reports; useful when source or decompiled code is available. |
| AV scanning: the sample is scanned with one or more antivirus engines to see whether it is already known and under which family name. | Debugger: runs the program under control, single-stepping instructions and inspecting registers and memory. Strictly this is a dynamic-analysis tool, used once static analysis has identified code worth stepping through. |
| Disassembly: the binary is read and its code is separated from its data so that control flow, function boundaries and API calls can be reconstructed. | Open-source tooling: many of the tools above are released under open-source licences, so analysts can inspect and extend them. |
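As an added example (not code from the original page), the following Python script performs the first static steps on a file: fingerprinting by hash, PE header and section-table inspection, and a per-section Shannon entropy measure that serves as a heuristic for packed or encrypted sections (the "packers and unpacking" topic of the assignment). It assumes a PE file laid out per the Microsoft PE/COFF specification; the sample it parses is constructed by `build_sample()` and is not real malware.

```python
"""Static triage of a Windows PE file without running it: file hashes (fingerprinting),
PE header and section table (file format inspection) and per-section Shannon entropy
as a heuristic for packed or encrypted sections.

Added example, not from the original page. build_sample() constructs a dummy PE32
image for demonstration; it is not real malware and cannot execute. Offsets follow
the Microsoft PE/COFF specification.
"""
import hashlib
import math
import struct

# Section names left behind by common packers (illustrative subset, not exhaustive).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida", ".vmp0", ".vmp1"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def fingerprint(data: bytes) -> dict:
    """Hash the whole file so it can be looked up and shared without passing the sample around."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]       # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sname = name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        sections.append({
            "name": sname, "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
            "entropy": round(ent, 2),
            # writable+executable is unusual for compiler output but normal for an unpacking stub
            "writable_executable": bool(flags & IMAGE_SCN_MEM_WRITE) and bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "packed_hint": ent >= HIGH_ENTROPY or sname in KNOWN_PACKER_SECTIONS,
        })
    entry_section = None
    for s in sections:
        end = s["virtual_address"] + max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= entry < end:
            entry_section = s["name"]
    return {"machine": machine, "pe32_plus": magic == 0x20B, "timestamp": timestamp,
            "characteristics": chars, "entry_point": entry, "entry_section": entry_section,
            "sections": sections, "likely_packed": any(s["packed_hint"] for s in sections)}


def build_sample() -> bytes:
    """Constructed PE32 image: a low-entropy .text section plus a UPX1 section of
    pseudo-random bytes, with the entry point inside UPX1 (a typical packer layout)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                       # entry point RVA, inside UPX1
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + upx1).ljust(0x200, b"\0")
    text_raw = b"\x90" * 0x100 + b"\x00" * 0x100                 # NOP sled + padding: entropy 1.0
    rnd, blob = b"seed", b""
    while len(blob) < 0x200:                                      # deterministic high-entropy filler
        rnd = hashlib.sha256(rnd).digest()
        blob += rnd
    return headers + text_raw + blob[:0x200]


if __name__ == "__main__":
    sample = build_sample()
    print("sha256:", fingerprint(sample)["sha256"])
    info = parse_pe(sample)
    for s in info["sections"]:
        print(f'{s["name"]:8} rva={s["virtual_address"]:#x} raw={s["raw_size"]:#x} '
              f'entropy={s["entropy"]} W+X={s["writable_executable"]} packed_hint={s["packed_hint"]}')
    print("entry point in", info["entry_section"], "| likely packed:", info["likely_packed"])
```

On a real sample the same three signals usually appear together: an entry point outside `.text`, a writable and executable section, and entropy above roughly 7 bits per byte. Any one of them alone is only a hint; a resource section full of compressed images also has high entropy.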
Dynamic analysis:
The program is executed and its behaviour is observed. The code is followed as it runs: the instructions executed, the control flow, function calls and their parameters and variables, and the changes made to the file system, registry and network. Because the sample really runs, dynamic analysis is only done inside an isolated environment (a virtual machine or sandbox) from which the sample cannot reach the host or the production network.

| Method / technique | Tool |
|---|---|
| Information flow tracking: data entering the program (from a file, the network or user input) is tagged and every explicit and implicit transfer of it through the machine is traced, so the analyst can see where untrusted data ends up. | Sandbox: an isolated environment in which the sample runs while its actions are recorded, so that the damage it can do is contained. |
| Function call monitoring: hooking intercepts calls to functions of interest. Each call is redirected to a hook function that records the arguments, the return value and any intermediate calls before passing control on to the original function. | Simulator: models the behaviour of a real system so the expected effect of the code can be predicted without a real target. |
| URLs and hosts contacted: DNS lookups, HTTP requests and redirections to other web resources made during the run are recorded; they point to command-and-control servers and download locations. | Emulator: executes the sample's instructions in software that imitates the CPU and operating system, so behaviour can be observed without real hardware. Regshot: open-source, portable tool that snapshots the registry (and optionally a directory tree) before and after the sample runs and reports what was added, removed or changed. |
| Files created, modified and accessed: file-system changes reveal dropped payloads, persistence mechanisms and staged data. | Process Explorer: freeware task manager and system monitor from Sysinternals that shows running processes, their loaded DLLs, handles and network connections. |
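The "snapshot, run, snapshot, compare" technique behind Regshot and file-system monitoring, as an added Python example (not code from the original page or from Regshot): it hashes every file under a directory before and after the sample runs and reports created, deleted and modified paths. Instead of executing a real sample it stages the "after" state itself with a constructed `simulate_sample()` helper inside a temporary directory; the directory layout and file names are placeholders.

```python
"""Baseline-and-compare for the file system: snapshot a directory tree before and after a
sample runs and report which files were created, deleted or modified. This is the same
principle Regshot applies to the registry (and, with 'Scan dir', to directories).

Added example, not from the original page. Instead of detonating a real sample it stages
a constructed 'after' state (simulate_sample) inside a temporary directory.
"""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file (relative path, '/'-separated) to the SHA-256 of its contents."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = digest
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Regshot-style comparison: keys only in 'after' were added, keys only in 'before'
    were deleted, shared keys whose hash changed were modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def simulate_sample(root: str) -> None:
    """Stand-in for running the sample: drop an executable in a user-writable location,
    append to the hosts file and delete a log (all constructed, placeholder names)."""
    drop_dir = os.path.join(root, "AppData", "Roaming")
    os.makedirs(drop_dir, exist_ok=True)
    with open(os.path.join(drop_dir, "svch0st.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)
    with open(os.path.join(root, "hosts"), "a") as f:
        f.write("127.0.0.1 update.example.test\n")
    os.remove(os.path.join(root, "install.log"))


def run_demo() -> dict:
    """Build a small baseline tree, snapshot it, 'run' the sample, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("hosts", "127.0.0.1 localhost\n"),
                           ("install.log", "setup finished\n"),
                           ("readme.txt", "unchanged\n")):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        before = snapshot(root)
        simulate_sample(root)
        after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for change, paths in run_demo().items():
        print(f"{change}: {paths}")
```

Hashing contents rather than comparing timestamps is deliberate: malware commonly timestomps dropped files, but it cannot make a changed file hash the same. The same `diff_snapshots()` works unchanged on two exported registry hives once they are parsed into path-to-value dictionaries.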
Malware analysis in virtual machines:
A guest operating system runs on a hypervisor in a virtualized copy of the hardware, and the sample is executed inside that guest. Its behaviour is observed there and the effect it would have had on a real system is inferred, while the host stays intact. Two things make this safe: a snapshot taken before the first run, so the guest can be reverted to a known-clean state after each sample, and isolation of the guest from the host (no shared folders, no shared clipboard or drag-and-drop, and a host-only or fully disconnected network rather than NAT or bridged networking).

| Techniques | Tools |
|---|---|
| 1. Create the VM. 2. Select the OS type. 3. Allocate RAM. 4. Create a virtual hard disk. 5. Allocate storage space to the disk. 6. Install the guest operating system (and the analysis tools). 7. Capture a VM snapshot of the clean state before running any sample. | 1. Windows virtual machine: lets Windows malware be run and debugged without infecting the host system. 2. FLARE VM: a free, open-source set of installation scripts that turns a Windows VM into a malware analysis workstation by installing a curated toolset. |
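The seven provisioning steps above, automated for VirtualBox as an added Python example (not code from the original page or from VirtualBox): it builds the `VBoxManage` command sequence, checks it against a few isolation rules (no NAT or bridged NIC, no shared clipboard, drag-and-drop or shared folders, a clean snapshot to revert to) and only then runs it. The VM name, host-only adapter name, ISO and disk paths are placeholders; option spellings follow the VirtualBox 6.x manual and may differ slightly in other releases.

```python
"""Provision an isolated analysis VM with VBoxManage: build the command sequence for the
steps above (create VM, OS type, RAM, disk, storage, install media, snapshot), check it
against a few isolation rules, and only then run it.

Added example, not from the original page. VM name, host-only adapter, ISO and disk paths
are placeholders; option spellings follow the VirtualBox 6.x manual and may differ slightly
in other releases. Nothing runs unless apply_commands(..., dry_run=False) is used on a host
with VirtualBox installed.
"""
import shlex
import subprocess


def vm_commands(name, iso_path, disk_path, ram_mb=4096, cpus=2, disk_mb=61440, hostonly_if="vboxnet0"):
    """Steps 1-7 as VBoxManage invocations. Step 6 (installing the guest OS) is interactive,
    so the snapshot command is meant to be run once that install has finished."""
    return [
        ["VBoxManage", "createvm", "--name", name, "--ostype", "Windows10_64", "--register"],
        ["VBoxManage", "modifyvm", name, "--memory", str(ram_mb), "--cpus", str(cpus),
         "--nic1", "hostonly", "--hostonlyadapter1", hostonly_if,   # guest sees only the host-only segment
         "--clipboard", "disabled", "--draganddrop", "disabled"],    # no host<->guest data channels
        ["VBoxManage", "createmedium", "disk", "--filename", disk_path, "--size", str(disk_mb)],
        ["VBoxManage", "storagectl", name, "--name", "SATA", "--add", "sata", "--controller", "IntelAhci"],
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA", "--port", "0", "--device", "0",
         "--type", "hdd", "--medium", disk_path],
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA", "--port", "1", "--device", "0",
         "--type", "dvddrive", "--medium", iso_path],
        ["VBoxManage", "snapshot", name, "take", "clean",
         "--description", "fresh install plus tools, before the first sample"],
    ]


UNSAFE_NICS = {"nat", "natnetwork", "bridged"}


def check_isolation(cmds):
    """Return the reasons a configuration is unsafe for detonating samples; empty list means OK."""
    problems = []
    for cmd in cmds:
        verb = cmd[1]
        if verb == "modifyvm":
            for i, tok in enumerate(cmd[:-1]):
                if tok.startswith("--nic") and cmd[i + 1] in UNSAFE_NICS:
                    problems.append(f"{tok} {cmd[i + 1]}: sample would have a route to the LAN or internet")
            if "--clipboard" not in cmd or cmd[cmd.index("--clipboard") + 1] != "disabled":
                problems.append("shared clipboard not disabled")
            if "--draganddrop" not in cmd or cmd[cmd.index("--draganddrop") + 1] != "disabled":
                problems.append("drag and drop not disabled")
        elif verb == "sharedfolder" and len(cmd) > 2 and cmd[2] == "add":
            problems.append("shared folder would expose host files to the guest")
    if not any(c[1] == "snapshot" and "take" in c for c in cmds):
        problems.append("no clean snapshot to revert to after detonation")
    return problems


def apply_commands(cmds, dry_run=True):
    """Render (and, if dry_run is False, execute) the commands; refuses unsafe configurations."""
    problems = check_isolation(cmds)
    if problems:
        raise ValueError("refusing unsafe VM configuration: " + "; ".join(problems))
    rendered = [" ".join(shlex.quote(t) for t in cmd) for cmd in cmds]
    for cmd, line in zip(cmds, rendered):
        print(line)
        if not dry_run:
            subprocess.run(cmd, check=True)
    return rendered


if __name__ == "__main__":
    apply_commands(vm_commands("analysis-w10", "/isos/win10.iso", "/vms/analysis-w10.vdi"))
```

After each detonation the guest is reset with `VBoxManage snapshot <name> restore clean`; if the sample must be allowed network access for its command-and-control traffic to be observed, the host-only segment is pointed at a fake-services box (DNS, HTTP) on the same segment rather than switching the NIC to NAT.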
Analyzing malicious Windows programs

| Techniques | Tools |
|---|---|
| Examine what the program uses from the operating system: the Windows API functions it imports and calls, file-system functions, special files (devices, named pipes, alternate data streams), the Windows Registry root keys and the subkeys it reads or writes (especially the Run keys used for persistence), networking APIs (Winsock, WinINet), and the DLLs (Dynamic Link Libraries) it loads. The list of imported DLLs and functions alone often tells the analyst whether the program touches files, the registry, the network or other processes. | 1. Cuckoo Sandbox: open-source framework that automates the execution and behavioural analysis of suspicious files in Windows, macOS, Linux and Android guests. 2. Detect It Easy: determines the file type and identifies the compiler, linker or packer used. 3. MASTIFF: static analysis framework that automates the extraction of key characteristics (hashes, strings, headers, embedded objects) from a file. 4. MultiScanner: modular file scanning/analysis framework with machine-learning support that runs a file through many scanners and collects the results. |
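As an added Python example (not code from the original page), the following script carries out the string-extraction technique from the static-analysis table and applies it to the Windows artefacts listed here: imported API names are bucketed by capability (file system, registry, networking, process injection, execution, anti-debugging), and DLL names, registry persistence keys, URLs, IP addresses and file paths are pulled out separately. The `SAMPLE_BLOB` input is a constructed byte string imitating the strings region of a dropper, and the API groups are an illustrative subset of what an analyst looks for, not a complete catalogue.

```python
"""Extract printable strings from a Windows binary and sort them into what they reveal:
imported API names grouped by capability, DLL names, registry persistence keys, URLs and
IP addresses, and file paths.

Added example, not from the original page. SAMPLE_BLOB is a constructed byte string that
imitates the strings region of a dropper; the API groups are an illustrative subset.
"""
import re

API_GROUPS = {
    "file_system": {"CreateFileA", "CreateFileW", "WriteFile", "ReadFile", "DeleteFileA", "CopyFileA"},
    "registry": {"RegOpenKeyExA", "RegCreateKeyExA", "RegSetValueExA", "RegQueryValueExA"},
    "networking": {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname",
                   "InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "URLDownloadToFileA"},
    "process_injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "execution": {"WinExec", "ShellExecuteA", "CreateProcessA", "LoadLibraryA", "GetProcAddress"},
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
}
# Registry locations commonly used for persistence (substring match, case-insensitive).
PERSISTENCE_KEYS = ("CurrentVersion\\Run", "CurrentVersion\\RunOnce", "CurrentControlSet\\Services")
DLL_RE = re.compile(r"^[A-Za-z0-9_.-]+\.dll$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed input: a few code bytes followed by NUL-separated strings, then one UTF-16 path.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x8b\xff\x55\x8b\xec\x83\xec\x10"
    + b"\0".join([
        b"kernel32.dll", b"CreateFileA", b"WriteFile", b"CreateProcessA", b"IsDebuggerPresent",
        b"advapi32.dll", b"RegSetValueExA",
        b"ws2_32.dll", b"WSAStartup", b"connect", b"send",
        b"wininet.dll", b"InternetOpenUrlA",
        b"OpenProcess", b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        b"http://update.example.test/beacon.php", b"10.0.0.5",
    ])
    + b"\0\0" + "C:\\Users\\Public\\svch0st.exe".encode("utf-16-le") + b"\0\0"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII strings plus UTF-16LE (wide) strings, which a plain ASCII scan would miss."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def classify(strings) -> dict:
    """Bucket each string by the artefact it represents; unrecognised strings are ignored."""
    report = {"apis": {}, "dlls": set(), "persistence_keys": set(), "urls": set(), "ips": set(), "paths": set()}
    for s in strings:
        for group, names in API_GROUPS.items():
            if s in names:
                report["apis"].setdefault(group, set()).add(s)
        if DLL_RE.match(s):
            report["dlls"].add(s.lower())
        if any(k.lower() in s.lower() for k in PERSISTENCE_KEYS):
            report["persistence_keys"].add(s)
        report["urls"].update(URL_RE.findall(s))
        report["ips"].update(IP_RE.findall(s))
        if PATH_RE.match(s):
            report["paths"].add(s)
    return report


def triage(data: bytes) -> dict:
    return classify(extract_strings(data))


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

The combination matters more than any single hit: `OpenProcess` + `VirtualAllocEx` + `WriteProcessMemory` + `CreateRemoteThread` together is the classic remote-thread injection sequence, and a Run key next to a path under a user-writable directory is a persistence mechanism. If `triage()` finds almost nothing, the strings are probably packed or encrypted, which is itself a finding.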
Anti-disassembly techniques:
1. API obfuscation: imports are resolved at run time (for example by hashing or encrypting function names and looking them up with GetProcAddress), so the import table reveals nothing about the APIs actually used.
2. Opcode/assembly code obfuscation: instructions are replaced with equivalent but unusual sequences, or code is stored encrypted and decrypted just before it runs.
3. Junk/spaghetti code: dead instructions and jumps that never execute are inserted, and the real code is scattered into fragments connected by jumps. Jumps into the middle of an instruction (a jz/jnz pair to the same target, or a jmp -1) make a linear-sweep disassembler decode garbage.
4. Control flow graph flattening: every basic block is routed through one dispatcher loop driven by a state variable, so the original structure of loops and branches is no longer visible.

Anti-debugging techniques:
1. Windows API checks: IsDebuggerPresent() and CheckRemoteDebuggerPresent(); CloseHandle/NtClose called on an invalid handle, which raises an exception only when a debugger is attached; FindWindow looking for the window class names of known debuggers.
2. PEB.BeingDebugged flag: the byte at offset 2 of the Process Environment Block is set while a debugger is attached (this is what IsDebuggerPresent() reads).
3. NtGlobalFlag: the PEB field (offset 0x68 in 32-bit processes, 0xBC in 64-bit) carries the heap-checking flags 0x70 when the process was started under a debugger.
4. DebugPort: NtQueryInformationProcess(ProcessDebugPort) returns a nonzero value when the process is being debugged; CheckRemoteDebuggerPresent() wraps this query.
5. Debugger interrupts: int 3 (0xCC) and int 2Dh are executed on purpose; an attached debugger swallows the exception, while an undebugged program receives it in its own handler, so the two cases follow different paths.
6. Heap Flags and ForceFlags: the process heap (reached through PEB.ProcessHeap) normally has Flags equal to HEAP_GROWABLE and ForceFlags equal to 0, but both gain extra validation bits when a debugger created the process; the field offsets differ by Windows version and bitness.
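As an added Python example (not code from the original page), a scanner that looks for the common 32-bit encodings of the anti-debugging and anti-disassembly idioms above in raw code bytes, so a sample can be flagged for them during static triage, before it is stepped through in a debugger where they would otherwise fire. The patterns only catch the straightforward forms of each idiom, and `SAMPLE_CODE` is a constructed byte sequence, not real malware.

```python
"""Scan raw 32-bit x86 code for the anti-debugging and anti-disassembly idioms listed
above: PEB access through FS:[0x30], BeingDebugged, NtGlobalFlag and ProcessHeap reads,
debugger interrupts, rdtsc timing, jmp -1 and opposite conditional jumps to one target.

Added example, not from the original page. Patterns are the common 32-bit encodings and
only catch the straightforward forms; SAMPLE_CODE is a constructed byte sequence.
"""
import re

# (name, byte pattern, meaning). PEB offsets are those of 32-bit processes.
PATTERNS = [
    ("peb_via_fs30", rb"\x64\xa1\x30\x00\x00\x00|\x64\x8b[\x05\x0d\x15\x1d]\x30\x00\x00\x00",
     "mov r32, fs:[0x30]: read the PEB pointer from the TEB"),
    ("being_debugged", rb"\x0f\xb6[\x40\x41\x42\x43]\x02",
     "movzx eax, byte ptr [r32+2]: PEB.BeingDebugged (what IsDebuggerPresent reads)"),
    ("nt_global_flag", rb"\x8b[\x40\x41\x42\x43]\x68",
     "mov eax, [r32+0x68]: PEB.NtGlobalFlag (0x70 when started under a debugger)"),
    ("process_heap", rb"\x8b[\x40\x41\x42\x43]\x18",
     "mov eax, [r32+0x18]: PEB.ProcessHeap, prelude to checking heap Flags/ForceFlags"),
    ("int3", rb"\xcc", "int 3: software breakpoint used as a debugger interrupt (also common padding)"),
    ("int2d", rb"\xcd\x2d", "int 2Dh: kernel debugger interrupt"),
    ("rdtsc", rb"\x0f\x31", "rdtsc: timing check for single-stepping"),
    ("jmp_minus_one", rb"\xeb\xff", "jmp -1: jumps into its own second byte (anti-disassembly)"),
]


def _s8(b: int) -> int:
    """Interpret a byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b


def scan(code: bytes) -> list:
    """Return sorted (offset, name, meaning) hits for every idiom found in the buffer."""
    hits = [(m.start(), name, meaning)
            for name, pat, meaning in PATTERNS for m in re.finditer(pat, code)]
    # Opposite conditional jumps to the same target (jz X / jnz X): control always goes to X,
    # but a linear-sweep disassembler keeps decoding the garbage byte placed right after them.
    for i in range(len(code) - 3):
        if {code[i], code[i + 2]} == {0x74, 0x75}:
            t1 = i + 2 + _s8(code[i + 1])
            t2 = i + 4 + _s8(code[i + 3])
            if t1 == t2:
                hits.append((i, "opposite_jcc_same_target",
                             f"jz/jnz both to offset {t1}; byte at {i + 4} is never executed"))
    return sorted(hits)


# Constructed sample: PEB checks, a timing read, a jz/jnz pair around a garbage byte,
# a jmp -1, and both interrupt idioms.
SAMPLE_CODE = bytes.fromhex(
    "64a130000000"    # 00: mov eax, fs:[0x30]
    "0fb64002"        # 06: movzx eax, byte ptr [eax+2]   ; BeingDebugged
    "85c0"            # 10: test eax, eax
    "750e"            # 12: jnz +14                        ; debugger found
    "648b0d30000000"  # 14: mov ecx, fs:[0x30]
    "8b4168"          # 21: mov eax, [ecx+0x68]           ; NtGlobalFlag
    "83e070"          # 24: and eax, 0x70
    "0f31"            # 27: rdtsc
    "7403"            # 29: jz  +3  -> 34
    "7501"            # 31: jnz +1  -> 34
    "e8"              # 33: garbage byte, decoded as 'call' by a linear sweep
    "90"              # 34: nop (real code resumes here)
    "ebff"            # 35: jmp -1 -> lands on its own 0xff byte
    "c048"            # 37: 'ff c0' = inc eax, then '48' = dec eax
    "cd2d"            # 39: int 2Dh
    "cc"              # 41: int 3
    "c3"              # 42: ret
)

if __name__ == "__main__":
    for offset, name, meaning in scan(SAMPLE_CODE):
        print(f"{offset:4}  {name:26} {meaning}")
```

A hit on `peb_via_fs30` followed within a few bytes by `being_debugged` or `nt_global_flag` is a strong signal; `int3` on its own is weak because 0xCC is also used as alignment padding between functions, so it is worth reporting only when it appears inside a function body.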