Aye p33ps! Seeing as WannaCry took the world by storm recently, I thought that it’s probably a good time to introduce the world of malware analysis to this forum. In this post, I will write about how you guys can join in on the mayhem and play with some fire (and hopefully not get burnt in the process). Do note that this is my take on this and it may not actually be correct or optimal; it is something taken from my own experience. You can most probably find many other guides on malware analysis on the interwebz, but I will put this here because it’s convenient (and some people are too lazy to actually do the research themselves), and @oaktree and @pry0cc love it when new content is released here. The focus of this guide - or general directional pointer, rather - is specifically the Windows platform.

Disclaimer: Again, I will say that this is purely my view on this and if you have a problem with that, click away now. If there are any errors in this thread, please notify me and I will fix them ASAP.

Prerequisites

For those who are keen to get into this area, it’s probably a good idea to have the following:

Must be able to read a lot of books or other texts

Must have a thirst for knowledge

Must be able to problem solve

Self-motivation

Persistence

Courageousness

Patience

Where to Start?

The journey of a thousand miles begins with one step.

You may have noticed that I did not list any technical skills under the prerequisite list, and that’s because these can be learned. What’s more important in the general field of reverse engineering - and I cannot stress this enough - is developing or having the appropriate mindset; without it, no matter how technically competent you are, at some stage you will most likely be unable to approach the task at hand effectively. Keep in mind that in this current age, there is nothing that cannot be reverse engineered [citation needed] and there is nothing that can restrain you from doing so - unless, of course, you were doing something illegal and are actually physically inhibited. Mind over matter. If you believe your mind is tamed and has transcended, you may continue.

Technical Skills and General Knowledge

Now that that’s out of the way, we can move onto building up our skillset. This section is mainly for those who are relatively new to this.

1. Reverse Engineering

Know thy self, know thy enemy. A thousand battles, a thousand victories.

When I say reverse engineering, I mean it in a technical sense involving computing, not the general umbrella term that can apply to everything. For example, reverse engineering binaries will probably be the bulk of what malware analysts do. A lot of decent malware is built using compiled languages, which include C, C++ and Pascal (Delphi). The result of these compiled languages is a native binary containing machine code, which is translatable to assembly language. It is your goal to be able to read this assembly code and understand the functionality of the binary.

2. Disassembly and Debugging

Balk the enemy’s power; force him to reveal himself.

Yeah, okay, this is a part of how2reverse. What you want to do is use a disassembler to actually produce the assembly of the native binary so you can begin translating the code. This is a static method, as opposed to debugging, where you actually step through and look at what is being executed to see the interaction between the malware and the system. Knowing how to do both of these is absolutely essential because if you don’t, well, you probably can’t understand what’s under the hood and what exactly is happening.

3. Forensics

If you know the enemy and know yourself you need not fear the results of a hundred battles.

Knowing what other mysterious content that malware comes packed with is crucial in understanding what it can achieve. Being able to identify file types and analyse network traffic can help gain a bigger picture or give hints towards specific functionality such as file dropping/downloading or contacting C2s (or checking kill switches).

4. The Environment

Next is the terrain. It can be distant or near. It can be difficult or easy. It can be open or narrow. It also determines your life or death.

As a malware analyst, it’s definitely helpful to know how the underlying system of the platform being attacked works - yes, you heard me right, you should understand the Windows OS! Knowing the Windows API and how it interacts with the environment (processes, memory, disk, registry, network) makes life very easy and can definitely hint at what suspicious things malware is up to.

5. The PE Format

The supreme art of war is to subdue the enemy without fighting.

The Portable Executable (PE) format is the executable format for Windows, much like ELF is for Linux. Though this is a combination of Forensics and The Environment, I believe it’s important enough to be in its own section. Knowing how the PE file works and what details it offers can boost your knowledge of what tricks a sample of malware might have up its sleeve and can, at times, win you half the battle just by taking a peek.

6. Malware Functionality

Thus, what is of supreme importance in war is to attack the enemy’s strategy.

Even better, knowing how malware works makes it easier to analyse! It makes it predictable (by predict, I mean make assumptions and then verify them) and your life much, much more forgiving. “What does this chunk of assembly instructions mean?” Doesn’t matter, found a string that looks like a registry key which ends with the subkeys CurrentVersion\\Run, which means it’s most likely setting up persistence. Done. It might even be… * cough cough * …advisable to research the methods employed by malware and then… * nudge nudge * … ethically make your own… * cough * …em55am5lcg==… * wink wink *.

Tools

You know what? I just won’t put them here because to be honest, I can’t spoonfeed y’all everyday. Also, I’m lazy. Better start working on your Google-fu!

General Analysis Techniques

I hear, I know. I see, I remember. I do, I understand.

In most, if not all, phases of hacking - or un-hacking(?) in this case - we should usually start out with reconnaissance. Here are some things you might do when performing an analysis.

Strings Analysis

Dig out as many strings as you can because there is a wealth of information just lying there in plain sight. Error messages, suspicious strings like URLs, registry keys, etc., file names, function names, base64-encoded strings, file signatures, EVERYTHING!

Entropy

Have the executable analysed and check if there are sections or resources with any high entropy values. If there are, it’s probably compressed and/or encrypted!

Resources

Find something unusual in the PE file’s resources? Extract it and analyse it!

File Signatures

Found weird data? Just throw it into a hex editor! Find a signature!
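The Strings Analysis, Entropy and File Signatures steps above (and the CurrentVersion\\Run hint from the Malware Functionality section) can all be done in one pass over the PE section table. Below is an added illustration, not code from the original post or any tool it mentions: it walks the DOS header, PE signature, COFF header and section headers by hand (no pefile), computes Shannon entropy per section, extracts printable strings and tags the ones that look like URLs, Run-key paths or base64. The sample PE it triages is constructed in memory (a header skeleton plus two fake sections, one plaintext and one filled with chained SHA-256 output to look packed); it is not an executable program, and the magic-byte table is a deliberately short, constructed one.

```python
"""Static PE triage: file signature, per-section entropy, tagged strings.
Added illustration; the sample PE is constructed below, not a real file."""
import hashlib
import math
import re
import struct

# Constructed, partial magic-byte table for the "throw it in a hex editor" step.
SIGNATURES = [(b"MZ", "DOS/PE executable"), (b"\x7fELF", "ELF"),
              (b"PK\x03\x04", "ZIP/Office/JAR"), (b"%PDF", "PDF"),
              (b"\x89PNG", "PNG")]


def detect_signature(blob: bytes) -> str:
    """Label the leading magic bytes, or 'unknown'."""
    for magic, label in SIGNATURES:
        if blob.startswith(magic):
            return label
    return "unknown"


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; close to 8 suggests compression/encryption."""
    if not blob:
        return 0.0
    n = len(blob)
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes):
    """DOS header -> PE\\0\\0 -> COFF header -> section table.
    Returns [(section_name, raw_bytes), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")   # printable ASCII runs of 6+ chars
TAGS = [("url", re.compile(r"https?://", re.I)),
        ("registry-run-key", re.compile(r"CurrentVersion\\Run", re.I)),
        ("base64", re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$"))]


def classify_strings(blob: bytes):
    """Extract printable strings and keep those matching a suspicious pattern."""
    hits = []
    for m in STRING_RE.finditer(blob):
        s = m.group().decode("ascii")
        tags = [name for name, rx in TAGS if rx.search(s)]
        if tags:
            hits.append((s, tags))
    return hits


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Run all checks on an in-memory PE image and return one report."""
    report = {"signature": detect_signature(data), "sections": {},
              "packed": [], "strings": []}
    for name, body in parse_sections(data):
        ent = round(shannon_entropy(body), 2)
        report["sections"][name] = ent
        if ent >= packed_threshold:
            report["packed"].append(name)
        report["strings"].extend(classify_strings(body))
    return report


def build_sample_pe() -> bytes:
    """Constructed input: a '.text' section of plaintext strings and a 'UPX1'
    section of deterministic pseudo-random bytes (chained SHA-256 digests)."""
    text = b"\x00".join([b"Error: cannot open file",
                         b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                         b"http://c2.example.invalid/ping",
                         b"aGVsbG8gd29ybGQhIQ=="]) + b"\x00"
    packed, seed = b"", b"constructed-seed"
    while len(packed) < 4096:
        seed = hashlib.sha256(seed).digest()
        packed += seed
    sections = [(b".text", text), (b"UPX1", packed)]
    e_lfanew, opt_size = 0x40, 0
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    headers, bodies = b"", b""
    for name, body in sections:
        headers += (name.ljust(8, b"\x00") +
                    struct.pack("<IIII", len(body), 0, len(body), raw_ptr) +
                    b"\x00" * 16)
        bodies += body
        raw_ptr += len(body)
    return dos + b"PE\x00\x00" + coff + headers + bodies


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a real sample you would call `triage(open(path, "rb").read())`; the packed section shows up with entropy near 8 while the plaintext section sits well below, and the string tags point you at the persistence key and the C2 URL before you have read a single instruction.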

DLL Imports / Exports

Check out what functions it uses! Maybe it’s trying to contact a server? or even logging your keystrokes? Maybe it’s a DLL and is providing functions for the main executable to use?

Packed Malware / Data

Let it execute under a debugger! Try to find its unpacking routine and where it ends, then breakpoint it there. Pull the damned thing straight out of memory! Show them who’s boss!

Disassembly

Pretty obvious one here, throw it in a disassembler and literally read what it does! From previous methods, back trace the instructions and figure out what it’s doing or how it’s doing something.

Dynamic Analysis

Grab a hot beverage, detonate it (in a securely isolated environment), sit back and watch what it does! Record registry or file changes, networking activity, everything.

Resources

As a reverse engineer, it’s ideal if you learn everything you lay your eyes on because you’ll never know if you’ll come across it some day.

0x00sec

Books / PDFs

Message me privately for direct links.

Hacking: The Art of Exploitation by Jon Erickson (HIGHLY RECOMMENDED FOR BEGINNERS)

Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski and Andrew Honig

Reversing - Secrets Of Reverse Engineering by Eldad Eilam

Windows Internals by Mark Russinovich, David A. Solomon, Alex Ionescu

Reverse Engineering for Beginners by Dennis Yurichev (HIGHLY RECOMMENDED FOR BEGINNERS)

Malware Analyst’s Cookbook by Michael Hale Ligh, Steven Adair, Blake Hartstein, Matthew Richard

Websites

Other

Learn from (read: steal from) others

Download some HF skid malware and reverse that

Conclusion

glhf lal