Malware Analysis Process:

1. Check Characteristics of the file (Md5, Type, packer, compiler type ( vc++, Borland, etc ))
2. Based on String analysis guess the behavior using filealyzer or bintext.
3. Do behavior analysis and compare the behavior that absorbed from string analysis (not always).
4. To eliminate time spend on the compiler code from the user code, follow the string analysis.
5. Choose the suspected strings from the comparison and calculate the memory offset of those strings.
6. Open the file in debugger follow the string using the memory offset and see the behavior ( asm code) of entire functions and
construct the functions dependence graph and iteratively augment the control flow, data flow.
7. For that track the assembly code, registers value and current operations, memory dump. Similarly follow to each suspected
strings.
8. To extract the code block choose the following from the malicious activity:
• Data is produced by a single instruction.
• Data is produced by a single loop.
• Data is produced by many instructions in adjacent memory locations.
• Data is produced by many instructions and placed in a location targeted by an existing control flow edge.

Requirements:
- Intel x 86 assemblies (I have attached 2)
- Windows API, MSDN nearby

Tools:

Hexeditor : To view and edit strings, hex values from executables, expression calculator, facilitates the comparison of two files.
OllyDbg: A debugger that enables the user to attach to a process and insert breakpoints, to view FS segments, to take dump (I have
attached 3 the dll required), to manual unpack the compressed/packed files.

FileAlyzer: To view the characteristics, PE header, sections, hex dump, strings, imports and exports, resources.
RegShot: Takes a snapshot of the registry and associated files but does not detect READ attempts.

BinText: Extracts strings from executables, revealing registry keys used, and various commands Stored in string format.
Process Explorer: Tells what processes are currently running (Realtime; highlights new processes in green).
FileMon: Monitors files for operations.
RegMon: monitors registry for operations.
TCPView: Displays all TCP and UDP open connections and the process that opened and is using the port.
Ethereal: Packet Scanner that captures packets and supports the viewing of contents/payload.
PEid: To view the compiler and type of packer and PE structure.
Universal Extractor: To extract a compressed file and unpack the packer.

Sections:

The .idata section contains information about functions (and data) that the module imports from other DLLs.

The .rsrc section contains all the resources for the module.

The .data section is where your initialized data goes.

The .text section is where all general-purpose code emitted by the compiler or assembler resides.

The .src section contains all the source code for the module.

The .bss section is where any uninitialized static and global variables are stored.

Flags of sections:

0x00000020 This section contains code.

0x00000040 This section contains initialized data. Almost all sections except executable and the .bss section have this flag set.

0x00000080 This section contains uninitialized data (for example, the .bss section).

0x00000200 This section contains comments or some other type of information.

0x10000000 This section is shareable. When used with a DLL, the data in this section will be shared among all processes using the
DLL.

0x20000000 This section is executable. This flag is usually set whenever the "contains code" flag (0x00000020) is set.

0x40000000 This section is readable. This flag is almost always set for sections in EXE files.

0x80000000 This section is writeable. If this flag isn't set in an EXE's section, the loader should mark the memory mapped pages as
read-only or execute-only. Typical sections with this attribute are .data and .bss. Interestingly, the .idata section also has this attribute
set.
Offset conversion:

Disk offset = Memory offset –Imagebase - virtual address of section + pointer to raw data (physical address base) of section.

Memory offset = Disk offset of you have - pointer to raw data (physical address base) of section + virtual address of section + Imagebase.

(The upper left shows the assembly code of the file, the upper right division shows register values and the
flag values in it. The lower left division shows the hexadecimal dump of the file and the lower right shows
the stack values. In between the code and dump we can see the current operations. After add plugins
(OllyDump.dll) we can take dump at some execution using the option “Dump debugged process by right
click, select that option and save)