7) MalwareDynamicAnalysis02
[References] (slide 4)
• Marco Pontello, TrID, http://mark0.net/soft-trid-e.html
[Image Sources]
• Right, http://www.gadgetreview.com/wp-content/uploads/2012/05/Dog-Pirate-Costume-650x472.jpg
[References] (slide 5)
• Matt Pietrek, An In-Depth Look into the Win32 Portable Executable File Format, http://msdn.microsoft.com/en-us/magazine/cc301805.aspx
• Xeno Kovah, The Life of Binaries, http://opensecuritytraining.info/LifeOfBinaries.html
[References] (slide 6)
• Daniel Pistelli, Explorer Suite, http://www.ntcore.com/exsuite.php
[References] (slide 7)
• UPX, http://upx.sourceforge.net/
• ASPack, http://www.aspack.com/aspack.html
• MPRESS, http://www.matcode.com/
• Themida, http://www.oreans.com/themida.php
[References] (slide 8)
• Xeno Kovah, The Life of Binaries, http://opensecuritytraining.info/LifeOfBinaries.html
[References] (slide 9)
• Michael Sikorski et al., Chapter 1. Basic Static Techniques, Practical Malware Analysis
• Microsoft Windows library files, http://en.wikipedia.org/wiki/Microsoft_Windows_library_files
• Windows USER, http://en.wikipedia.org/wiki/Windows_USER
[References] (slide 10)
• Xeno Kovah, Rootkits: What they are, and how to find them, http://opensecuritytraining.info/Rootkits.html
[References] (slide 11)
• Mark Russinovich et al., Chapter 4. Management Mechanisms, Windows Internals 4th Edition
[References] (slide 12)
• Registry Value Types, http://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx
• Predefined Keys, http://msdn.microsoft.com/en-us/library/windows/desktop/ms724836(v=vs.85).aspx
• HKEY_CLASSES_ROOT Key, http://msdn.microsoft.com/en-us/library/windows/desktop/ms724475(v=vs.85).aspx
• Merged View of HKEY_CLASSES_ROOT, http://msdn.microsoft.com/en-us/library/windows/desktop/ms724498(v=vs.85).aspx
[References] (slide 13)
• Mark Russinovich et al., Chapter 4. Management Mechanisms, Windows Internals 4th Edition
• Registry Hives, http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx
• Helge Klein, http://www.sepago.de/d/helge/2008/05/04/free-tool-list-registry-links-reglink
[References] (slide 15)
• Michael Sikorski et al., Chapter 11. Malware Behavior, Practical Malware Analysis
• Nick Harbour, Malware Persistence without the Windows Registry, https://blog.mandiant.com/archives/1207
• Reverend Bill Blunden, Chapter 6. Patching System Routines, The Rootkit Arsenal
• Marco Giuliani, Mebromi: the first BIOS rootkit in the wild, http://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
• Nicolas Falliere et al., W32.Stuxnet Dossier, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
[References] (slide 16)
• Mark Russinovich et al., Autoruns, http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
[References] (slide 25)
• Local Security Authority Subsystem Service, http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
[References] (slide 27)
• Regshot, http://code.google.com/p/regshot/
[References] (slide 29)
• Silberschatz, Galvin, Chapter 4. Processes, Operating System Concepts 5th Edition
[References] (slide 30)
• Xeno Kovah, The Life of Binaries, http://opensecuritytraining.info/LifeOfBinaries.html
[References] (slide 32)
• Mark Russinovich, Sysinternals Suite, http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
[References] (slide 34)
• Mark Russinovich et al., Chapter 4. Management Mechanisms, Windows Internals 4th Edition
[References] (slide 42)
• Start, http://technet.microsoft.com/en-us/library/cc959920.aspx