Malware analysis

From ForensicsWiki
Jump to: navigation, search

Analyzing malware, or malicious software, is more of an art than a technique. Because of the wide nature of these products, there are limitless ways to hide functionality.

Some common tools for malware analysis include simple programs like strings. More complex analysis can be conducted by looking at the headers of executables with programs like PEiD and PeExplorer. Finally, the most complete analysis can be done with debuggers like IDA Pro and OllyDbg.

Malware techniques

Process hollowing

Process hollowing is yet another tool in the kit of those who seek to hide the presence of a process. The idea is rather straight forward: a bootstrap application creates a seemingly innocent process in a suspended state. The legitimate image is then unmapped and replaced with the image that is to be hidden. If the preferred image base of the new image does not match that of the old image, the new image must be rebased. Once the new image is loaded in memory the EAX register of the suspended thread is set to the entry point. The process is then resumed and the entry point of the new image is executed. [1]

See Also

External Links

Analysis techniques and tools


Malware techniques

Process hollowing

Malware analysis

Black POS


China Chopper

Gh0st Rat

Dark Hotel

Equation group


Hacking Team




LeoUncia, OrcaRat


Riptide, Hightide, Threebyte, Watersprout


Shell Crew