REMA LABORATORY 303105390

PRACTICAL-1
Lab Setup for Reverse Engineering and
Malware Analysis

2203031260142 1|Page

PRACTICAL - 1
Title: Lab Setup for Reverse Engineering and Malware Analysis

Aim

To set up a secure and isolated environment for performing reverse engineering and
malware analysis using virtualization software and essential analysis tools.

Objective
To understand the importance of an isolated lab environment for malware analysis.
To configure virtualization software and set up a virtual machine.
To install and familiarize yourself with tools required for reverse engineering and malware
analysis.
To ensure safe handling of malware samples.

Prerequisites
Basic knowledge of virtualization and networking.
Familiarity with operating systems like Windows and Linux.
Awareness of security practices and ethical considerations in malware handling.

Required Software and Tools

Virtualization Software

Oracle VM VirtualBox: Open-source virtualization platform.
VMware Workstation: A robust tool for creating and managing virtual machines.

Operating System Options

Windows (preferred for certain malware analysis tools).
Linux (ideal for using memory forensics and static analysis tools).

Malware Analysis Tools

1. Static Analysis Tools for Windows operating system

· IDA Pro: A professional disassembler for analyzing executable files, supporting
multiple architectures and offering an interactive interface.
· Ghidra: An open-source reverse engineering tool with powerful decompilation
capabilities for binaries, developed by the NSA.
· PEiD: Detects packers, compilers, and cryptors used in Portable Executable (PE)
files.
· PE Studio: Examines PE files for suspicious patterns, APIs, and metadata, helping
identify potential threats.
· Detect It Easy (DIE): Identifies packers, protectors, and obfuscators in binary files.
· CFF Explorer: Inspects and modifies the structure of PE files, providing detailed
insights into headers and sections.
· HxD: A fast hex editor for examining and editing binary files directly.


· WinHex: A robust hexadecimal editor for data recovery, forensic analysis, and low-level debugging.
· Strings (Sysinternals): Extracts readable strings from executables to reveal hidden
information.
· Resource Hacker: Examines and modifies executable resources, such as icons,
dialogs, and strings.
· Radare2: A command-line reverse engineering framework for analyzing binary
files, with extensive scripting support.
· BinText: Searches for strings and metadata within executables, helping to uncover
embedded information.
· Exeinfo PE: Analyzes executables for packers, protectors, and PE file information.
· GHex: A lightweight hex editor useful for analyzing binary files and extracting
hidden data.
· YARA (Windows Version): Rule-based malware identification engine for
scanning files against known patterns.
· Dependency Walker: Analyzes module dependencies in executables to detect
suspicious or missing DLL files.
· Malware Analyzing Tool (MAT): Simplifies analysis by extracting metadata and
sections from PE files.
· x64dbg: A powerful debugger with some static analysis capabilities for Windows
binaries.
· FileAlyzer: A detailed file analysis tool for inspecting metadata and structures
within files.

2. Dynamic Analysis Tools for Windows operating system

Dynamic analysis involves running malware in a controlled environment to observe
its behavior, interactions, and effects. Below is a list of essential tools for malware
dynamic analysis on Windows:

OllyDbg: A popular debugger for analyzing binary code at runtime, with
plugins for extended functionality.
x64dbg: An open-source debugger supporting both x86 and x64 architectures,
ideal for real-time malware debugging.
Process Monitor (ProcMon): Monitors file system, registry, network, and
process activities in real time to track malware behavior.
Process Explorer: A Sysinternals tool that provides detailed information
about running processes, DLLs, and handles, making it easier to detect
malicious behavior.
API Monitor: Captures and logs API calls made by malware to study its
runtime behavior.
Wireshark: A network protocol analyzer for monitoring malware-generated
network traffic, such as command-and-control (C2) communications.
Fiddler: A web debugging proxy for capturing and analyzing HTTP/HTTPS
traffic generated by malware.
Regshot: Takes snapshots of the Windows registry before and after malware
execution to detect changes made by the malware.


TCPView: Displays real-time TCP and UDP connections to identify
suspicious network activity.
Autoruns: Monitors and lists all autostart locations to detect persistent
mechanisms created by malware.
Cuckoo Sandbox (Windows Edition): Automated malware analysis sandbox
that generates detailed behavior reports.
INetSim: Simulates network services (e.g., DNS, HTTP) in a lab environment
to observe malware interactions.
SysAnalyzer: Monitors system-level changes during malware execution and
provides a comparative report.
Windows Event Viewer: A built-in tool for inspecting system and application
logs to identify anomalies.
Malwr (or Hybrid-Analysis): Online dynamic analysis services that provide
real-time behavior insights.
Redline: A memory and host analysis tool focused on identifying malicious
artifacts.
Comodo KillSwitch: Tracks running processes, network connections, and
their reputations to identify potentially harmful activities.
FireEye FLARE VM: A Windows-based virtual machine environment
preloaded with analysis tools for dynamic analysis.
Netcat (Windows Version): A versatile utility for observing network
connections initiated by malware.
Sandboxie: A lightweight sandboxing solution for isolating malware and
observing its behavior without affecting the host system.

Best Practices for Dynamic Analysis:

Always perform dynamic analysis in a virtualized or isolated environment
(e.g., VMware or VirtualBox).
Disable shared folders, drag-and-drop, and clipboard sharing between the host
and guest machines to prevent infection of the host system.
Use snapshots to restore the virtual machine to a clean state after each
analysis session.
Employ network isolation or simulate internet access with tools like INetSim
to prevent malware from affecting external systems.

Static Analysis Tools For Kali Linux:

Kali Linux offers a wide range of tools for static analysis, enabling researchers to
analyze malicious files without executing them. Here’s a list of essential static
analysis tools you can use on Kali Linux:

Ghidra: Open-source reverse engineering software with robust disassembly and
decompilation capabilities.
Command: ghidraRun

Radare2: A powerful command-line reverse engineering framework for analyzing
binary files.
Command: r2 <file>
Cutter: A GUI front-end for Radare2 with added functionality and usability for
reverse engineering.


Command: cutter
Binwalk: A tool for analyzing and extracting firmware images and other binary files.
Command: binwalk <file>
Detect It Easy (DIE): Identifies packers, protectors, and compilers used in binary
files.
Command: die <file>
Strings: Extracts readable strings from binary files to identify hidden text or
metadata.
Command: strings <file>
YARA: A pattern-matching tool for malware identification and classification.
Command: yara <rule_file> <file>
PEFile: A Python library for parsing and analyzing PE (Portable Executable) files.
Command: python3 -m pefile <file>
Resource Hacker (Linux via Wine): A tool for inspecting and modifying resources
in executable files (requires Wine).
Hexdump: Displays binary data in hexadecimal format.
Command: hexdump -C <file>
HxD (via Wine): A lightweight hex editor for analyzing and modifying binary files.
readelf: Examines ELF (Executable and Linkable Format) binaries to extract
metadata.
Command: readelf -a <file>
objdump: A GNU tool to disassemble binaries and examine object files.
Command: objdump -d <file>

ExifTool: Extracts metadata from files, such as timestamps and embedded data.
Command: exiftool <file>
ClamAV: An open-source antivirus engine for scanning and identifying malicious
files.
Command: clamscan <file>
Hashdeep: Computes hashes of files and compares them against known values.
Command: hashdeep -r <file>
CFF Explorer (via Wine): Analyzes PE file structures on Linux systems.
Static Malware Analysis Toolkit (SMAT): A toolkit for analyzing files with
lightweight static analysis features.
apktool: Decompiles and analyzes Android APK files.
Command: apktool d <apk_file>
JD-GUI: A Java decompiler for inspecting Java .class files.
Command: jd-gui
Installation Notes
Most tools come pre-installed with Kali Linux or are available via apt:
sudo apt update && sudo apt install <tool_name>
Tools requiring Wine (e.g., Resource Hacker, HxD, or CFF Explorer):
sudo apt install wine
wine <tool_name>.exe
For tools not available in the repository, use Python's pip or download from official websites.
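As an added example (not part of this manual or of any of the tools listed), the following Python script reproduces in pure code what `strings`, `hashdeep` and `pefile` from the Kali list, and the Windows static tools above, report for a PE binary: a SHA-256 hash, printable strings and the section table, flagging sections that are both writable and executable (a common packer indicator). The PE bytes it analyzes are constructed inline for demonstration.

```python
"""Pure-Python static triage: hash, printable strings and PE header fields."""
import hashlib
import re
import struct

MACHINE = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # runs of 4+ printable bytes, like `strings -n 4`


def extract_strings(data: bytes) -> list[str]:
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table; flag writable+executable sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew points at "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, flags = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        base = sec_off + 40 * i
        name, vsize, _vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, base)
        chars = struct.unpack_from("<I", data, base + 36)[0]  # IMAGE_SCN_* characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize, "raw_offset": roff,
            # MEM_EXECUTE (0x20000000) + MEM_WRITE (0x80000000): typical of packed code
            "writable_executable": (chars & 0xA0000000) == 0xA0000000,
        })
    return {"machine": MACHINE.get(machine, hex(machine)),
            "is_dll": bool(flags & 0x2000), "sections": sections}


def triage(data: bytes) -> dict:
    """The record an analyst keeps before any dynamic run: hash, strings, headers."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "strings": extract_strings(data), "pe": parse_pe(data)}


def build_sample() -> bytes:
    """Constructed PE-shaped bytes (not real malware): one W+X .text section at 0x80."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)  # x64, 1 section
    text = (struct.pack("<8sIIII", b".text", 0x100, 0x1000, 0x40, 0x80) + b"\0" * 12
            + struct.pack("<I", 0xE0000020))  # CODE | EXECUTE | READ | WRITE
    payload = b"GetProcAddress\0http://example.invalid/update\0".ljust(0x40, b"\0")
    return dos + coff + text + payload
```

Run `triage(open(path, "rb").read())` on a real file to get the same report; `parse_pe` raises `ValueError` for non-PE input rather than guessing.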

Dynamic Analysis Tools For Kali Linux:

Dynamic analysis involves executing malware in a controlled environment to monitor
its behavior and interactions. Kali Linux provides several tools to facilitate this type
of analysis:
GDB (GNU Debugger): A powerful tool for debugging programs and analyzing their
runtime behavior.


Command: gdb <binary>
Radare2: A command-line reverse engineering tool with runtime analysis
capabilities.
Command: r2 -d <binary>

Cutter: A GUI for Radare2 with support for debugging binaries during execution.
Command: cutter
strace: Monitors and logs system calls and signals made by a running process.
Command: strace -p <PID>
ltrace: Tracks library calls and dynamically linked libraries used by a program.
Command: ltrace <binary>
Volatility (Linux Version): A memory forensics tool for analyzing memory dumps to
identify malicious activities.
Command: volatility -f <memory_dump>
Sysdig: Captures and analyzes system calls and events to observe program behavior.
Command: sysdig
Wireshark: A network protocol analyzer to monitor network traffic generated by
malware.
Command: wireshark
tcpdump: A command-line packet analyzer for capturing network traffic.
Command: tcpdump -i <interface>
INetSim: Simulates network services (e.g., DNS, HTTP) to observe malware's
network behavior in a controlled environment.
Command: inetsim
Burp Suite (Community Edition): A web proxy for analyzing HTTP/S traffic from
malware interacting with web services.
Command: burpsuite
Firejail: A lightweight sandboxing tool to isolate and execute potentially malicious
files.
Command: firejail <binary>
Cuckoo Sandbox (Linux Version): An automated dynamic malware analysis
sandbox that provides detailed behavior reports.

ProcessHacker (via Wine): A GUI tool for monitoring processes and their activities
on Linux (requires Wine).
Redline: Focused on analyzing live system activities and memory snapshots to
investigate malicious behavior.
Regshot (via Wine): Compares Windows registry snapshots to observe changes
(useful when emulating Windows malware).
Sandboxie (via Wine): Executes malware in an isolated environment to study its
behavior.
Valgrind: A tool for dynamic analysis of memory usage and profiling programs.
Command: valgrind <binary>
Apktool: For analyzing Android applications during runtime (in combination with
emulators like Genymotion or Anbox).
Command: apktool d <apk>
Frida: A dynamic instrumentation toolkit for injecting custom scripts into running
applications to inspect or modify their behavior.
Command: frida -U -n <application>
Netcat: Captures and interacts with network connections initiated by malware.
Command: nc -l -p <port>
Best Practices for Using Dynamic Analysis Tools


Use Virtualization:
Set up Kali Linux in a virtual machine (e.g., VirtualBox or VMware) with snapshots for restoring the
environment.
Network Isolation:
Use tools like INetSim to simulate network environments and block external internet access.
Environment Simulation:
Use sandboxes like Cuckoo to automate analysis and generate behavior reports.
Logging:
Combine tools (e.g., strace + tcpdump + Wireshark) for a comprehensive view of file, process, and
network activities.
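An added example (not from the manual) of the logging practice above: a small Python parser that pulls from an strace capture the process, file-write and connect events an analyst then cross-checks against the tcpdump/Wireshark capture and a file-system snapshot diff. The log lines are constructed here for demonstration, and the `strace -f -tt` line format is assumed.

```python
"""Correlate an strace log with what tcpdump/Wireshark and a file diff will show:
which processes ran, which files were opened for writing, and where connections went."""
import re

# One `strace -f -tt` event per line: "<pid> <time> <syscall>(<args>) = <ret>" (assumed format)
LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<time>[\d:.]+)\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>\S+)")
CONNECT = re.compile(r'sin_port=htons\((\d+)\).*inet_addr\("([\d.]+)"\)')
OPEN_WRITE = re.compile(r'"([^"]+)",\s*[^,]*O_(?:WRONLY|RDWR|CREAT)')

# Constructed log lines for demonstration (documentation address range, not a real capture)
SAMPLE_LOG = """\
1201 10:00:01.001 execve("/tmp/sample", ["/tmp/sample"], 0x7ffd1234) = 0
1201 10:00:01.010 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1201 10:00:01.020 openat(AT_FDCWD, "/home/analyst/.bashrc", O_WRONLY|O_APPEND) = 4
1201 10:00:01.050 connect(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
1202 10:00:01.060 execve("/bin/sh", ["sh", "-c", "uname -a"], 0x7ffd5678) = 0
"""


def parse_strace(text: str) -> list[dict]:
    """One dict per syscall line; signal and exit lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def summarize(rows: list[dict]) -> dict:
    """Events to cross-check: execve -> process tree, writes -> file diff, connect -> pcap."""
    summary = {"processes": [], "written_files": [], "connections": []}
    for r in rows:
        if r["call"] == "execve":
            summary["processes"].append((r["pid"], r["args"].split('"')[1]))
        elif r["call"] == "openat" and (w := OPEN_WRITE.search(r["args"])):
            summary["written_files"].append(w.group(1))
        elif r["call"] == "connect" and (c := CONNECT.search(r["args"])):
            summary["connections"].append((c.group(2), int(c.group(1)), r["time"]))
    return summary
```

The timestamps in `connections` are what you line up against the packet capture; a write to a shell startup file is the kind of change Regshot or a directory diff should also show.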

Procedure

Step 1: Virtual Machine Configuration

1. Install VirtualBox or VMware Workstation on your host system.
2. Create a new virtual machine:
   o Choose Windows 10 or Linux (Ubuntu, Kali, or REMnux) as the guest OS.
   o Allocate resources (e.g., RAM, CPU, and disk space).
   o Enable network settings: Set the virtual machine to "NAT" or "Host-only" for
     security.

Step 2: Setting Up the Guest OS

1. Install the chosen operating system in the virtual machine.
2. Update the OS and install essential software dependencies.
3. Create snapshots of the clean state for recovery purposes.

Step 3: Installing Malware Analysis Tools

1. Download and install tools like IDA Pro, OllyDbg, Wireshark, etc.
2. Configure each tool as per its documentation.
3. Organize tools for quick access and usability.

Step 4: Adding Sample Malware

1. Obtain sample malware from trusted sources (e.g., VirusTotal or MalwareBazaar).
2. Store samples in a dedicated, encrypted folder.
3. Ensure the samples are handled only within the virtual machine.

Step 5: Testing the Lab Setup

1. Test each tool by analyzing benign files first to familiarize yourself with its features.
2. Gradually move to analyzing real-world malware samples in a controlled manner.

Safety Measures
1. Ensure the virtual machine is isolated (disable shared folders and clipboard sharing).
2. Use a non-persistent VM setup to reset after each session.
3. Never execute malware on the host machine.


4. Use antivirus tools on the host system to monitor for accidental contamination.
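As an added example (not part of the manual), this Python check verifies safety measure 1 and the Step 1 network setting on a VirtualBox guest from the output of `VBoxManage showvminfo <vm> --machinereadable`: it flags clipboard sharing, drag-and-drop, mapped shared folders and bridged networking. The key names are assumed to follow VirtualBox's machine-readable format, and the two sample outputs are constructed.

```python
"""Check a VirtualBox guest's isolation settings (clipboard, drag-and-drop, shared
folders, NIC mode) against this lab's safety measures before running any sample."""
import re
import subprocess

KV = re.compile(r'^([^=]+)="?([^"]*)"?$')  # --machinereadable prints key="value" or key=value


def parse_vminfo(text: str) -> dict:
    """Parse `VBoxManage showvminfo <vm> --machinereadable` output into a dict."""
    info = {}
    for line in text.splitlines():
        m = KV.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def isolation_findings(info: dict) -> list[str]:
    """Return every setting that breaks guest isolation; an empty list means the VM passes."""
    findings = []
    for key in ("clipboard", "draganddrop"):  # fail closed: a missing key is also a finding
        if info.get(key) != "disabled":
            findings.append(f"{key} is {info.get(key)!r}, expected 'disabled'")
    for key, val in info.items():
        if key.startswith("SharedFolderNameMachineMapping"):
            findings.append(f"shared folder {val!r} is mapped into the guest")
        # Only NAT or host-only networking keeps the guest off the real LAN
        if re.fullmatch(r"nic\d+", key) and val not in ("none", "nat", "hostonly"):
            findings.append(f"{key} uses {val!r} networking, expected nat/hostonly/none")
    return findings


def check_vm(name: str) -> list[str]:
    """Query a live VM; needs VBoxManage on PATH (not exercised by the constructed samples)."""
    out = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return isolation_findings(parse_vminfo(out))


# Constructed sample outputs for demonstration; key names follow VirtualBox's format.
UNSAFE_SAMPLE = """\
name="rema-win10"
clipboard="bidirectional"
draganddrop="disabled"
nic1="bridged"
SharedFolderNameMachineMapping1="samples"
"""
SAFE_SAMPLE = 'name="rema-win10"\nclipboard="disabled"\ndraganddrop="disabled"\nnic1="hostonly"\n'
```

Run `check_vm("<vm name>")` before each session and refuse to start the sample until it returns an empty list.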

Outcome

By the end of this practical session, you will have a fully configured lab environment
for malware analysis, equipped with essential tools and safety protocols to conduct
analysis safely and effectively.
