It would not be wrong to say that every malware sample has its own personality. Not that we want to start treating malware like a living thing, but the comparison is justified by the different ways a sample behaves once it runs. To study part of this dynamic behaviour we will be using the following tools.
Autoruns
This tool is used to check what is configured to run on the system at startup. This helps in understanding whether a malware sample has set itself to run at startup.
Process Explorer
This tool can be used as an alternative to Task Manager, and also for checking the processes, threads and DLLs currently loaded on the system.
Process Monitor
This tool can be used to keep an eye on the events happening on the system. It monitors registry, file system, network, process and thread activity as it happens.
ListDLLs
Used to display the DLLs loaded on the system.
TCPView
Lists active TCP/UDP endpoints.
WinObj
Shows the Windows object namespace.
BinText
Can be used to extract the text (strings) present in a particular executable.
Regshot
Allows us to take two snapshots of the system, recording registry-level changes between the two. These can then be compared with each other to understand the changes which were introduced once the malware ran.
CaptureBAT
Captures events happening on the system at the file, registry, process and network level.
HandleDiff
Detects changes to the handle tables of processes.
Wireshark
Captures incoming as well as outgoing traffic from a particular machine.
MalcodeAnalysisPack
A package which contains applications that have proven useful for analysis purposes.
REMnux
A lightweight Linux distro for assisting malware analysts in reverse engineering malicious software.
This is not an exhaustive list, but these are some of the tools which would be used most frequently for the purpose of malware analysis. I will provide examples and detailed use for some of these tools shortly.
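As an added illustration of the snapshot-and-compare approach that Regshot takes (example code written for this page, not Regshot's own or the blog's), the script below snapshots a directory tree before and after a simulated run and reports what was added, removed or modified. The temporary tree, the "sample's" changes to it and the file names are all constructed here; on a real analysis VM you would point it at the drive and run the sample between the two snapshots.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256)

def snapshot_tree(root: str) -> Snapshot:
    """Record the size and SHA-256 of every regular file under root."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # vanished or locked between walk and read; skip it
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify paths as added, removed or modified (same path, new content)."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed run: snapshot a temp tree, simulate a sample's changes, diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Startup"))
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("keep me\n")
        before = snapshot_tree(root)
        # Changes of the kind an analyst looks for: a new startup item,
        # an edited hosts file and a deleted file (all constructed here).
        with open(os.path.join(root, "Startup", "updater.exe"), "wb") as fh:
            fh.write(b"MZ\x90\x00")  # placeholder bytes, not a real binary
        with open(os.path.join(root, "hosts"), "a") as fh:
            fh.write("0.0.0.0 blocked.example\n")
        os.remove(os.path.join(root, "notes.txt"))
        after = snapshot_tree(root)
        return diff_snapshots(before, after)
```

Hashing rather than only comparing sizes is what catches an in-place edit such as the hosts change above, which a size-only comparison could miss.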
Great blog post... You listed useful malware analysis tools. I found this information very helpful. Thanks for sharing