Difference between pages "Malware analysis" and "Analyzing Program Execution"

From ForensicsWiki
(Difference between pages)
(External Links)
 
(Windows)
 
Line 1: Line 1:
Analyzing [[malware]], or malicious software, is more of an art than a technique. Because of the wide nature of these products, there are limitless ways to hide functionality.
+
{{expand}}
  
Some common tools for malware analysis include simple programs like [[strings]]. More complex analysis can be conducted by looking at the headers of executables with programs like [[PEiD]] and [[PeExplorer]]. Finally, the most complete analysis can be done with debuggers like [[IDA Pro]] and [[OllyDbg]].  
+
This article is intended to give a high-level overview of analyzing program execution on the various operating systems.
  
== See Also ==
+
== Linux ==
* [[Malware]]
+
* [[List of Malware Analysis Tools]]
+
  
== External Links ==
+
== Mac OS X ==
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-1/ Executable File Analysis (Windows Forensic Analysis) Part 1]
+
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-2/ Executable File Analysis (Windows Forensic Analysis) Part 2]
+
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-3/ Executable File Analysis (Windows Forensic Analysis) Part 3]
+
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-4/ Executable File Analysis (Windows Forensic Analysis) Part 4]
+
* [http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1], by Paul Ducklin on October 11, 2013
+
* [http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2], by Paul Ducklin on October 25, 2013
+
  
=== Careto ===
+
== Windows ==
* [http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf Unveiling "Careto" - The Masked APT], by [[Kaspersky|Kaspersky Lab]], February 2014
+
  
=== China Chopper ===
+
== See Also ==
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html Breaking Down the China Chopper Web Shell – Part I], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 7, 2013
+
* [[Memory analysis]]
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html Breaking Down the China Chopper Web Shell – Part 2], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 9, 2013
+
  
=== Hacking Team ===
+
=== Linux ===
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
+
* [[Linux Memory Analysis]]
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
+
* [http://reverse.put.as/2014/06/26/shakacon-6-presentation-fuck-you-hacking-team-from-portugal-with-love/ Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love], by fG!, June 26 2014
+
  
=== Hikit ===
+
=== Mac OS X ===
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 1)], by Ryan Kazanciyan, August 20, 2012
+
* [[Mac OS X Memory Analysis]]
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 2)], by Christopher Glyer, August 22, 2012
+
* Plists
 +
** [[Mac OS X#Launch Agents|Launch Agents]]
 +
** [[Mac OS X#Launch Daemons|Launch Daemons]]
  
=== PlugX ===
+
=== Windows ===
* [http://labs.lastline.com/an-analysis-of-plugx An Analysis of PlugX], by Roman Vasilenko, December 17, 2013
+
* [[Prefetch]]
 
+
* [[SuperFetch]]
=== Shell Crew ===
+
* Program crashes
* [http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf RSA Incident Response: Emerging Threat Profile - Shell_Crew], by [[EMC]], January 2014
+
** Minidumps
 
+
** Windows Error Reporting (WER)
=== Uroburos ===
+
* Windows Registry
* [https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf Uroburos - Highly complex espionage software with Russian roots], by G Data SecurityLabs, February 2014
+
** [[Windows_Registry#Run/RunOnce|Run/RunOnce]]
* [http://spresec.blogspot.com/2014/03/uroburos-rootkit-hook-analysis-and.html?m=1 Uroburos Rootkit Hook Analysis and Driver Extraction], SP Security Blog, March 20, 2014
+
* [[Windows Application Compatibility]]
 
+
* [[Windows Memory Analysis]]
=== Winnti ===
+
* [https://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf "Winnti" More than just a game], by Kaspersky Lab, April 2013
+
  
 +
== External Links ==
 +
=== Windows ===
 +
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
 +
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
 +
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014
  
[[Category:Malware]]
+
[[Category:Analysis]]

Revision as of 02:34, 8 July 2014


Please help to improve this article by expanding it.
Further information might be found on the discussion page.

This article is intended to give a high-level overview of analyzing program execution on the various operating systems.

Linux

Mac OS X

Windows

See Also

Linux

Mac OS X

Windows

External Links

Windows