Reverse-Engineering Cheat Sheet
By Lenny Zeltser § Learn to Turn Malware Inside-Out
http://www.zeltser.com/reverse-malware

General Approach

1. Set up a controlled, isolated laboratory in which to examine the malware specimen.
2. Perform behavioral analysis to examine the specimen's interactions with its environment.
3. Perform static code analysis to further understand the specimen's inner workings.
4. Perform dynamic code analysis to understand the more difficult aspects of the code.
5. If necessary, unpack the specimen.
6. Repeat steps 2, 3, and 4 (order may vary) until analysis objectives are met.
7. Document findings and clean up the laboratory for future analysis.

Behavioral Analysis

Be ready to revert to a good state via dd, VMware snapshots, CoreRestore, Ghost, SteadyState, etc.
Monitor local (Process Monitor, Process Explorer) and network (Wireshark, tcpdump) interactions.
Detect major local changes (RegShot, Autoruns).
Redirect network traffic (hosts file, DNS, Honeyd).
Activate services (IRC, HTTP, SMTP, etc.) as needed to evoke new behavior from the specimen.

IDA Pro for Static Code Analysis

Text search                                    Alt+T
Show strings window                            Shift+F12
Show operand as hex value                      Q
Insert comment                                 :
Follow jump or call in view                    Enter
Return to previous view                        Esc
Go to next view                                Ctrl+Enter
Show names window                              Shift+F4
Display function's flow chart                  F12
Display graph of function calls                Ctrl+F12
Go to program's entry point                    Ctrl+E
Go to specific address                         G
Rename a variable or function                  N
Show listing of names                          Ctrl+L
Display listing of segments                    Ctrl+S
Show cross-references to selected function     Select function name » Ctrl+X
Show stack of current function                 Ctrl+K

OllyDbg for Dynamic Code Analysis

Step into instruction                          F7
Step over instruction                          F8
Execute till next breakpoint                   F9
Execute till next return                       Ctrl+F9
Show previous/next executed instruction        - / +
Return to previous view                        *
Show memory map                                Alt+M
Follow expression in view                      Ctrl+G
Insert comment                                 ;
Follow jump or call in view                    Enter
Show listing of names                          Ctrl+N
New binary search                              Ctrl+G
Next binary search result                      Ctrl+L
Show listing of software breakpoints           Alt+B
Assemble instruction in place of selected one  Select instruction » Spacebar
Edit data in memory or instruction opcode      Select data or instruction » Ctrl+E
Show SEH chain                                 View » SEH chain
Show patches                                   Ctrl+P

Bypassing Malware Defenses

To try unpacking quickly, infect the system and dump from memory via LordPE or OllyDump.
For more surgical unpacking, locate the Original Entry Point (OEP) after the unpacker executes.
If you cannot unpack cleanly, examine the packed specimen via dynamic code analysis while it runs.
When unpacking in OllyDbg, try SFX (bytewise) and OllyDump's "Find OEP by Section Hop".
Conceal OllyDbg via HideOD and OllyAdvanced.
A JMP or CALL to EAX may indicate the OEP, possibly preceded by POPA or POPAD.
Look out for tricky jumps via SEH, RET, CALL, etc.
If the packer uses SEH, anticipate the OEP by tracking the stack areas used to store the packer's handlers.
Decode protected data by examining the results of the decoding function via dynamic code analysis.
Correct PE header problems with XPELister, LordPE, ImpREC, PEiD, etc.
To get closer to the OEP, try breaking on the unpacker's calls to LoadLibraryA or GetProcAddress.

Common x86 Registers and Uses

EAX     Addition, multiplication, function results
ECX     Counter
EBP     Base for referencing function arguments (EBP+value) and local variables (EBP-value)
ESP     Points to the current "top" of the stack; changes via PUSH, POP, and others
EIP     Points to the next instruction
EFLAGS  Contains flags that store outcomes of computations (e.g., Zero and Carry flags)

Malware analysis concepts behind these shortcuts are covered in Lenny Zeltser's SANS Institute course SEC610: Reverse-Engineering Malware.
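As an added example (not part of the cheat sheet), a small Python PE section-header parser that applies the section-hop and PE-header ideas from the unpacking tips: it reports which section holds AddressOfEntryPoint and flags packer-style layouts such as a section with no raw data on disk. The two sample images are constructed header-only blobs, and the hint rules are this example's own heuristics, not any tool's.

```python
import struct

def build_sample_pe(entry_rva, sections):
    """Build a constructed, header-only PE32 blob for testing.
    sections: list of (name, virtual_address, virtual_size, raw_size)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(224)                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, raw, 0, 0, 0, 0, 0, 0)
                    for n, va, vs, raw in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

def parse_pe(pe):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    base = e_lfanew + 24 + opt_size             # first section header
    secs = []
    for i in range(nsec):
        name, vs, va, raw = struct.unpack_from("<8sIII", pe, base + 40 * i)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vs, raw))
    return entry, secs

def packer_hints(pe):
    """Locate the entry section and return (section_name, [hint strings])."""
    entry, secs = parse_pe(pe)
    entry_sec, hints = None, []
    for name, va, vs, raw in secs:
        if va <= entry < va + max(vs, raw):
            entry_sec = name
        if raw == 0 and vs > 0:                 # empty on disk, filled at run time
            hints.append(f"{name}: no raw data but {vs:#x} bytes virtual")
    if entry_sec is None:
        hints.append("entry point lies outside every section")
    elif entry_sec != secs[0][0]:               # stub in a later section, typical of packers
        hints.append(f"entry point in {entry_sec}, not in first section {secs[0][0]}")
    return entry_sec, hints

# Constructed samples: a UPX-style layout and a plain compiler layout.
PACKED = build_sample_pe(0x15800, [(b"UPX0", 0x1000, 0x10000, 0),
                                   (b"UPX1", 0x11000, 0x5000, 0x4000)])
CLEAN = build_sample_pe(0x1234, [(b".text", 0x1000, 0x2000, 0x2000),
                                 (b".data", 0x3000, 0x800, 0x800)])
```

Run `packer_hints(PACKED)` and `packer_hints(CLEAN)` to compare the two layouts; on a real file, pass `open(path, "rb").read()` instead of a constructed blob.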
Creative Commons v3 “Attribution” License for this Cheat Sheet v.1.5.