Reverse Engineering Cheat Sheet

Document Sample
Reverse Engineering Cheat Sheet Powered By Docstoc
					                                                                                                                             Bypassing Malware Defenses
  Reverse-Engineering Cheat Sheet                                       Show names window                         Shift+F4
By Lenny Zeltser § Learn to Turn Malware Inside-Out                     Display function’s flow chart                  F12   To try unpacking quickly, infect the system and
http :/ / w w w . ze l ts er . co m/ re v er s e -ma lw ar e                                                                 dump from memory via LordPE or OllyDump.
                                                                        Display graph of function calls           Ctrl+F12
General Approach                                                                                                             For more surgical unpacking, locate the Original
                                                                        Go to program’s entry point                 Ctrl+E
                                                                                                                             Entry Point (OEP) after the unpacker executes.
1. Set up a controlled, isolated laboratory in                          Go to specific address                           G
   which to examine the malware specimen.                                                                                    If cannot unpack cleanly, examine the packed
                                                                        Rename a variable or function                    N   specimen via dynamic code analysis while it runs.
2. Perform behavioral analysis to examine the
   specimen’s interactions with its environment.                        Show listing of names                       Ctrl+L   When unpacking in OllyDbg, try SFX (bytewise) and
3. Perform static code analysis to further                              Display listing of segments                 Ctrl+S   OllyDump’s “Find OEP by Section Hop”.
   understand the specimen’s inner-workings.                            Show cross-references         Select function name   Conceal OllyDbg via HideOD and OllyAdvanced.
                                                                        to selected function                      » Ctrl+X
4. Perform dynamic code analysis to understand                                                                               A JMP or CALL to EAX may indicate the OEP,
   the more difficult aspects of the code.                              Show stack of current function              Ctrl+K   possibly preceded by POPA or POPAD.
5. If necessary, unpack the specimen.                                   OllyDbg for Dynamic Code Analysis                    Look out for tricky jumps via SEH, RET, CALL, etc.
6. Repeat steps 2, 3, and 4 (order may vary) until                      Step into instruction                           F7   If the packer uses SEH, anticipate OEP by tracking
   analysis objectives are met.                                         Step over instruction                           F8   stack areas used to store the packers’ handlers.
7. Document findings and clean-up the                                   Execute till next breakpoint                    F9   Decode protected data by examining results of the
   laboratory for future analysis.                                                                                           decoding function via dynamic code analysis.
                                                                        Execute till next return                   Ctrl+F9
Behavioral Analysis                                                                                                          Correct PE header problems with XPELister,
                                                                        Show previous/next executed instruction      - / +
Be ready to revert to good state via dd, VMware                                                                              LordPE, ImpREC, PEiD, etc.
                                                                        Return to previous view                          *
                                                                                                                             To get closer to OEP, try breaking on unpacker’s
snapshots, CoreRestore, Ghost, SteadyState, etc.
                                                                        Show memory map                              Alt+M   calls to LoadLibraryA or GetProcAddress.
Monitor local (Process Monitor, Process Explorer)
and network (Wireshark, tcpdump) interactions.                          Follow expression in view                   Ctrl+G   Common x86 Registers and Uses
Detect major local changes (RegShot, Autoruns).                         Insert comment                                   ;   EAX   Addition, multiplication, function results
Redirect network traffic (hosts file, DNS, Honeyd).                     Follow jump or call in view                  Enter   ECX       Counter
Activate services (IRC, HTTP, SMTP, etc.) as needed                     Show listing of names                       Ctrl+N             Base for referencing function arguments
                                                                                                                             EBP
to evoke new behavior from the specimen.                                New binary search                           Ctrl+G             (EBP+value) and local variables (EBP-
                                                                                                                                       value)
IDA Pro for Static Code Analysis                                        Next binary search result                   Ctrl+L
Text search                                                  Alt+T      Show listing of software breakpoints        Alt+B    ESP       Points to the current “top” of the stack;
                                                                                                                                       changes via PUSH, POP, and others
Show strings window                                   Shift+F12         Assemble instruction in         Select instruction
                                                                        place of selected one                   » Spacebar   EIP       Points to the next instruction
Show operand as hex value                                          Q
                                                                        Edit data in memory or              Select data or   EFLAGS    Contains flags that store outcomes of
Insert comment                                                     :
                                                                                                                                       computations (e.g., Zero and Carry flags)
                                                                        instruction opcode            instruction » Ctrl+E
Follow jump or call in view                                  Enter
                                                                        Show SEH chain                    View » SEH chain
Return to previous view                                         Esc                                                          Malware analysis concepts behind these shortcuts
Go to next view                                     Ctrl+Enter          Show patches                                Ctrl+P   are covered in Lenny Zeltser’s SANS Institute
                                                                                                                             course SEC610: Reverse-Engineering Malware.
Creative Commons v3 “Attribution” License for this Cheat Sheet v.1.5.