Game Master's
What information can you extract from the API a malware is calling? I would like detail in this thread how to identify the actions of a malware through the API its importing. This would be a detailed cheat sheet to be used for your future malware analysis to help clue you on the actions of a malware early in your analysis. What is a windows API? If you don't know what an windows API then I implore you to read this very detailed and informative post by Mewspaper windows API. But to give a short definition for the purposes of this thread, A windows API is simply an attempt for a program to use kernel use through ready windows functions it can call. Windows API can be used for many things including GUI, file copying , internet communication and many crucial functions. Let's look at a Keylogger exampleCheckout these API functions:
In this tutorial I will go through how to identify common assembly and import analysis Anti Reverse Engineering tricks. Anti-Reverse EngineeringAnti-reverse Engineering generally stands for any trick performed by a programmer to stop a reverse engineer from being able to easily understand the assembly code of an EXE. The idea of Anti reverse engineering can take the form of targeting the VM, hindering dynamic analysis, identifying debuggers and monitoring. Types Of DebuggersRing0 debuggers: WinDBG Ring3 debuggers: x64dbg Abusing Software Execution HandlingFirstly let's discuss breakpoints and how a debugger performs a breakpoint, there are two types of breakpoints available in every debugger soft breakpoints and hard breakpoints. Soft breakpoint: this type of breakpoint is done by adding interrupt 3 (INT3) into the code of the program which will cause the program pause execution and to call SEH which will be handled by the debugger. Hard breakpoint: places a memory location inside the debug register and when the that memory location is reached or accessed the execution will pause. Regularly when INT3 is ran it will call the Software Execution Handler and call an exception which the debugger will handle when the program is being debugged, but what happens when INT3 is called in the regular code of a program and the program isn't being debugged? The program will call the SEH and throw an exception , but then exception can be edited to not pause the program and to have crucial parts of the code making the program only work if the exception is handled normally and not by the debugger. For example: Targeting virtual machinesSome programs will attempt to identify the VM which is running on it as a form of anti reverse engineering trick.
Changing size of image Simplest trick that any malicious software can perform to stop debuggers of attaching to it and dumpers of being able to dump is to change the sizeofimage in the header to be different from the actual size of the file. Comments are closed.
|
AuthorI reverse engineer stuff ArchivesCategories |