Day after day, malware researchers, forensic analysts or administrators have to face security threats on information systems. The objective can be to analyse unauthorised intrusions, to protect users from viruses, or to prevent a system from being compromised. To achieve these objectives we have to analyse the inner works of malware using reverse engineering.
Author: Rubén Santamarta
Source: http://hakin9.org Hakin9 2/2006
What you will learn…
What you should know…
Malware creators (viruses, trojans, rootkits) try to prevent this analysis as much as possible, using anti-debug techniques, polymorphism, stealth or packers, among others, the latter as they reduce the size of the executable, and with more or less complexity an additional layer of protection. In this situation, time is crucial, there is no doubt that with a slow and exhaustive analysis sooner or later we will reach the objective of knowing every single detail about the threat. Unfortunately, there are occasions when we don’t have as much time as we would like, and we have to optimize every action for the analysis. Let’s imagine a worm exploiting some unknown vulnerability to propagate through the Internet. The time invested in analysing and understanding its inner works will make the difference between a real catastrophe for the users or a neutralized threat. We should, therefore, gather sufficient resources to be able to solve any possible problem. Hooking As we have seen, there are many tricks for making difficult the use of a debugger (both in Ring0 or Ring3), a basic tool for reverse engineering. Because of this, we should create a method that, under certain circumstances, allows us to interact and modify the behaviour of the executable we are investigating. One of the most common techniques for achieving this objective is hooking. We could briefly classify the different hooking techniques according to the place where they happen. Every kind is focused on different applications. We could have the following kinds:
The method we’ll use will be Inline Hooking. The reason is that through this technique, what we do is to patch directly the function that we want to intercept when it’s loaded into memory. This way, we don’t care about from where is being referenced, or how many times. We attack directly to the root. Every call to this function will be intercepted by our hook.
download id="127" format="1"] <div id="upgrade"> <div id="headersubscriptionform">Option for individual subscribers</div> </div>
Please keep in mind that comments are moderated and
rel="nofollow" is in use. So, please do not use a spammy keyword or a domain as your name, or it will be deleted. Let us have a personal and meaningful conversation instead.
You must be logged in to post a comment.