REVERSE-ENGINEERING MALWARE

The shortcuts and tips behind this cheat sheet are covered in Lenny Zeltser's SANS Institute course SEC610: Reverse-Engineering Malware; for details see http://zeltser.com/reverse-malware.

General Approach

1. Set up a controlled, isolated laboratory in which to examine the malware specimen.
2. Perform behavioral analysis to examine the specimen's interactions with its environment.
3. Perform static code analysis to further understand the specimen's inner workings.
4. Perform dynamic code analysis to understand the more difficult aspects of the code.
5. If necessary, unpack the specimen.
6. Repeat steps 2, 3, and 4 (order may vary) until analysis objectives are met.
7. Document findings and clean up the laboratory for future analysis.

Behavioral Analysis

Be ready to revert to a good state via dd, VMware snapshots, CoreRestore, Ghost, SteadyState, etc.
Monitor local (Process Monitor, Process Explorer) and network (Wireshark, tcpdump) interactions.
Detect major local changes (RegShot, Autoruns).
Redirect network traffic (hosts file, DNS, Honeyd).
Activate services (IRC, HTTP, SMTP, etc.) as needed to evoke new behavior from the specimen.

IDA Pro for Static Code Analysis

Text search                                    Alt+T
Show strings window                            Shift+F12
Show operand as hex value                      Q
Insert comment                                 :
Follow jump or call in view                    Enter
Return to previous view                        Esc
Go to next view                                Ctrl+Enter
Show names window                              Shift+F4
Display function's flow chart                  F12
Display graph of function calls                Ctrl+F12
Go to program's entry point                    Ctrl+E
Go to specific address                         G
Rename a variable or function                  N
Show listing of names                          Ctrl+L
Display listing of segments                    Ctrl+S
Show cross-references to selected function     Select function name » Ctrl+X
Show stack of current function                 Ctrl+K

OllyDbg for Dynamic Code Analysis

Step into instruction                          F7
Step over instruction                          F8
Execute till next breakpoint                   F9
Execute till next return                       Ctrl+F9
Show previous/next executed instruction        - / +
Return to previous view                        *
Show memory map                                Alt+M
Follow expression in view                      Ctrl+G
Insert comment                                 ;
Follow jump or call in view                    Enter
Show listing of names                          Ctrl+N
New binary search                              Ctrl+B
Next binary search result                      Ctrl+L
Show listing of software breakpoints           Alt+B
Assemble instruction in place of selected one  Select instruction » Spacebar
Edit data in memory or instruction opcode      Select data or instruction » Ctrl+E
Show SEH chain                                 View » SEH chain
Show patches                                   Ctrl+P

Bypassing Malware Defenses

To try unpacking quickly, infect the system and dump from memory via LordPE or OllyDump.
For more surgical unpacking, locate the Original Entry Point (OEP) after the unpacker executes.
If you cannot unpack cleanly, examine the packed specimen via dynamic code analysis while it runs.
When unpacking in OllyDbg, try SFX (bytewise) and OllyDump's "Find OEP by Section Hop".
Conceal OllyDbg via HideOD and OllyAdvanced.
A JMP or CALL to EAX may indicate the OEP, possibly preceded by POPA or POPAD.
Look out for tricky jumps via SEH, RET, CALL, etc.
If the packer uses SEH, anticipate the OEP by tracking stack areas used to store the packer's handlers.
Decode protected data by examining results of the decoding function via dynamic code analysis.
Correct PE header problems with XPELister, LordPE, ImpREC, PEiD, etc.
To get closer to the OEP, try breaking on the unpacker's calls to LoadLibraryA or GetProcAddress.

Common x86 Registers and Uses

EAX     Addition, multiplication, function results
ECX     Counter
EBP     Base for referencing function arguments (EBP+value) and local variables (EBP-value)
ESP     Points to the current "top" of the stack; changes via PUSH, POP, and others
EIP     Points to the next instruction
EFLAGS  Contains flags that store outcomes of computations (e.g., Zero and Carry flags)
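Worked example for the Behavioral Analysis tips above (added here; it is not part of the cheat sheet and not a Zeltser or SANS tool). It triages a Process Monitor CSV export the way an analyst would after a run: keep only events from the specimen and the processes it spawns, then bucket them into autostart registry writes (what RegShot and Autoruns would surface), file writes, and outbound network activity. The log lines are constructed for this example; the column layout follows Procmon's CSV save format, the "PID: n, Command line: ..." shape of the Process Create detail is an assumption about Procmon's output, and the autostart key list is a small subset of what Autoruns checks.

```python
"""
Triage a Process Monitor CSV export during behavioral analysis: keep only
events from the specimen and the processes it spawns, then bucket them into
autostart registry writes, file writes, and outbound network activity.
"""
import csv
import io
import re

# Constructed Procmon export for this example (not a real capture). Column
# order follows Procmon's CSV save format: Time of Day, Process Name, PID,
# Operation, Path, Result, Detail. 203.0.113.7 is a documentation address.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","specimen.exe","1234","Process Start","","SUCCESS","Parent PID: 800"
"10:01:02.5","specimen.exe","1234","CreateFile","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.6","specimen.exe","1234","WriteFile","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 73,728"
"10:01:03.0","specimen.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 96, Data: C:\Users\analyst\AppData\Roaming\svchost.exe"
"10:01:03.2","specimen.exe","1234","Process Create","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","PID: 2222, Command line: ""C:\Users\analyst\AppData\Roaming\svchost.exe"""
"10:01:04.0","svchost.exe","2222","TCP Connect","LAB-PC:49152 -> 203.0.113.7:6667","SUCCESS","Length: 0, mss: 1460"
"10:01:04.1","svchost.exe","2222","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 96, Data: C:\Users\analyst\AppData\Roaming\svchost.exe"
"10:01:04.5","explorer.exe","800","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:05.0","svchost.exe","2222","WriteFile","C:\Windows\Temp\log.txt","SUCCESS","Offset: 0, Length: 12"
'''

# Registry locations Autoruns checks for autostart entries (small subset, lowercase).
AUTOSTART_KEY_FRAGMENTS = (
    r"\microsoft\windows\currentversion\run",          # Run, RunOnce, RunServices...
    r"\microsoft\windows nt\currentversion\winlogon",
    r"\currentcontrolset\services",
    r"\currentversion\image file execution options",
)
OUTBOUND_OPS = ("TCP Connect", "UDP Send")
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")   # assumed shape of Procmon's Process Create detail


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of event dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_autostart_location(reg_path):
    """True if a registry path sits under one of the known autostart locations."""
    low = reg_path.lower()
    return any(frag in low for frag in AUTOSTART_KEY_FRAGMENTS)


def triage(events, specimen_name):
    """Bucket the specimen's events. Events must be in capture order so a child's
    PID is learned from the parent's Process Create before the child's own events.
    PIDs are compared as strings straight from the CSV; PID reuse in a long capture
    would additionally require tracking Process Start/Exit events."""
    tracked = set()
    report = {"children": [], "persistence": [], "file_writes": [], "network": []}
    for ev in events:
        if ev["Process Name"].lower() == specimen_name.lower():
            tracked.add(ev["PID"])
        if ev["PID"] not in tracked:
            continue                                    # unrelated system noise
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        if op == "Process Create":
            m = CHILD_PID_RE.search(detail)
            if m:
                tracked.add(m.group(1))                 # follow the spawned process
                report["children"].append((m.group(1), path))
        elif op == "RegSetValue" and is_autostart_location(path):
            report["persistence"].append((path, detail))
        elif op == "WriteFile" and path not in report["file_writes"]:
            report["file_writes"].append(path)
        elif op in OUTBOUND_OPS:
            report["network"].append((op, path))
    return report


if __name__ == "__main__":
    for bucket, items in triage(parse_procmon_csv(SAMPLE_PROCMON_CSV), "specimen.exe").items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Filtering by the specimen's process tree rather than by a single PID is what keeps the dropped copy's C2 connection and service registration in view; widen AUTOSTART_KEY_FRAGMENTS from Autoruns' own list and diff against a RegShot baseline before trusting a "no persistence" result.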
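Worked example for the Bypassing Malware Defenses tips above (added here; not part of the cheat sheet and not OllyDump's code). It combines two of the heuristics into a static pre-pass you can run before opening OllyDbg: parse the PE section table, find the section that holds the entry point (the unpacker stub), and scan it for JMP EAX / CALL EAX, scoring each hit by whether a POPAD precedes it and whether EAX was just loaded with an address in a different section, which is the "section hop" OllyDump's "Find OEP by Section Hop" looks for at run time. The PE image is constructed inline (a packer-shaped layout with an empty section the stub fills at run time); section names, the stub bytes and the 16-byte POPAD window are assumptions of this example.

```python
"""
Static OEP pre-pass for a packed PE: locate the entry-point section, scan it
for JMP EAX / CALL EAX tail jumps, and score each by a preceding POPAD and by
a MOV EAX,imm32 pointing into a different section (the section hop).
"""
import struct
from collections import namedtuple

Section = namedtuple("Section", "name vsize va rawsize rawptr")
OPC_POPAD, OPC_MOV_EAX_IMM32 = 0x61, 0xB8                   # 32-bit x86 opcodes
TAIL_JUMPS = ((b"\xff\xe0", "jmp eax"), (b"\xff\xd0", "call eax"))


def parse_pe(data):
    """Return (image_base, entry_rva, sections) for a PE32 or PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                               # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                          # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                        # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    return image_base, entry_rva, sections


def section_for_rva(sections, rva):
    """Section whose virtual range covers rva, or None."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.rawsize):
            return s
    return None


def runtime_filled_sections(sections):
    """Sections with no raw data on disk but a virtual size: unpack targets."""
    return [s.name for s in sections if s.rawsize == 0 and s.vsize > 0]


def find_oep_candidates(data, window=16):
    """Score JMP/CALL EAX hits in the entry-point section. This is a linear byte
    scan, not a disassembly, so opcode bytes inside operands can produce false
    positives; treat hits as breakpoints to try in OllyDbg, not as the answer."""
    image_base, entry_rva, sections = parse_pe(data)
    ep_sec = section_for_rva(sections, entry_rva)
    if ep_sec is None:
        raise ValueError("entry point RVA 0x%x lies outside every section" % entry_rva)
    code = data[ep_sec.rawptr:ep_sec.rawptr + ep_sec.rawsize]
    hits = []
    for pattern, mnemonic in TAIL_JUMPS:
        pos = code.find(pattern)
        while pos != -1:
            target_va = target_sec = None
            if pos >= 5 and code[pos - 5] == OPC_MOV_EAX_IMM32:   # mov eax, imm32 feeds the jump
                target_va = struct.unpack_from("<I", code, pos - 4)[0]
                target_sec = section_for_rva(sections, target_va - image_base)
            hit = {"offset": pos, "va": image_base + ep_sec.va + pos, "insn": mnemonic,
                   "popad_before": OPC_POPAD in code[max(0, pos - window):pos],
                   "target_va": target_va,
                   "target_section": target_sec.name if target_sec else None,
                   "section_hop": target_sec is not None and target_sec != ep_sec}
            hit["score"] = int(hit["popad_before"]) + int(hit["section_hop"])
            hits.append(hit)
            pos = code.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: (-h["score"], h["offset"]))


def build_sample_pe():
    """Constructed packer-shaped PE32 for this example (not a real sample): an empty
    .data0 section the stub fills at run time and a .stub section with the entry point."""
    stub = bytes.fromhex("60"            # pushad
                         "b910000000"    # mov ecx, 0x10      ; stand-in for the decompression loop
                         "ffd0"          # call eax           ; decoy: no popad, no mov eax before it
                         "e2fe"          # loop $             ; filler
                         "61"            # popad
                         "b800104000"    # mov eax, 0x401000  ; OEP = RVA 0x1000, inside .data0
                         "ffe0")         # jmp eax            ; tail jump into the unpacked code
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 0, 0, len(stub), 0, 0x10000,
                      0x11000,                                  # AddressOfEntryPoint (in .stub)
                      0x11000, 0x1000, 0x400000, 0x1000, 0x200).ljust(0xE0, b"\0")
    secs = (struct.pack("<8sIIIIIIHHI", b".data0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
            + struct.pack("<8sIIIIIIHHI", b".stub", 0x200, 0x11000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000060))
    return (dos + coff + opt + secs).ljust(0x200, b"\0") + stub.ljust(0x200, b"\xcc")


if __name__ == "__main__":
    sample = build_sample_pe()
    base, ep, secs = parse_pe(sample)
    print("image base 0x%x, entry RVA 0x%x, unpack targets: %s" % (base, ep, runtime_filled_sections(secs)))
    for h in find_oep_candidates(sample):
        tgt = "0x%x (%s)" % (h["target_va"], h["target_section"]) if h["target_va"] else "-"
        print("0x%08x %-8s popad=%-5s hop=%-5s target=%s score=%d"
              % (h["va"], h["insn"], h["popad_before"], h["section_hop"], tgt, h["score"]))
```

The highest-scoring hit is where to set the breakpoint in OllyDbg: let the stub run to it, step once, and dump with OllyDump. Packers that compute EAX rather than loading it with an immediate, or that reach the OEP through RET or an SEH handler as the tips above warn, leave no target address for this scan; for those, break on LoadLibraryA/GetProcAddress as the cheat sheet suggests and inspect the section the unpacker is writing.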
Authored by Lenny Zeltser, who leads the security consulting practice at Savvis and teaches at SANS Institute. You can find him at http://twitter.com/lennyzeltser.
See Lenny's other cheat sheets at http://zeltser.com/cheat-sheets. Creative Commons v3 "Attribution" License for this cheat sheet version 1.5.