Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Go to next view
Ctrl+Enter Ctrl+P Shift+F4
Show patches
The shortcuts and tips behind this cheat sheet are covered in Lenny Zeltsers SANS Institute course SEC610: Reverse Engineering Malware; for details see http://zeltser.com/reverse malware. Display graph of function calls Go to programs entry point Go to specific address Rename a variable or function Show listing of names Display listing of segments Show cross references to selected function Show stack of current function
General Approach
1.
2.
Perform behavioral analysis to examine the specimens interactions with its environment.
3.
Perform static code analysis to further understand the specimens inner workings.
4.
Perform dynamic code analysis to understand the more difficult aspects of the code.
5.
6. Execute till next breakpoint Execute till next return Show previous/next executed instruction Return to previous view Show memory map Follow expression in view Insert comment Follow jump or call in view Show listing of names New binary search Next binary search result Show listing of software breakpoints
Alt+T
Repeat steps 2, 3, and 4 (order may vary) until analysis objectives are met.
If the packer uses SEH, anticipate OEP by tracking stack areas used to store the packers handlers. Decode protected data by examining results of the decoding function via dynamic code analysis. Correct PE header problems with XPELister, LordPE, ImpREC, PEiD, etc. To get closer to OEP, try breaking on unpackers calls to LoadLibraryA or GetProcAddress.
7.
Behavioral Analysis
Be ready to revert to good state via dd, VMware snapshots, CoreRestore, Ghost, SteadyState, etc.
Monitor local (Process Monitor, Process Explorer) and network (Wireshark, tcpdump) interactions.
Addition, multiplication, function results Counter Base for referencing function arguments (EBP+value) and local variables (EBP value) Points to the current top of the stack; changes via PUSH, POP, and others Points to the next instruction Contains flags that store outcomes of computations (e.g., Zero and Carry flags)
Activate services (IRC, HTTP, SMTP, etc.) as needed to evoke new behavior from the specimen.
Text search
Q : Enter Esc
Shift+F12
Insert comment
Authored by Lenny Zeltser, who leads the security consulting practice at Savvis and teaches at SANS Institute. You can find him at http://twitter.com/lennyzeltser. See Lennys other cheat sheets at http://zeltser.com/cheat sheets. Creative Commons v3 Attribution License for this cheat sheet version 1.5.