This is a cheat sheet of shortcuts and tips for reverse-engineering malware. It covers the general malware analysis process, as well as useful tips for OllyDbg, IDA Pro, and other tools. Feel free to customize it to your own needs. My reverse-engineering malware course explores these and other useful techniques.
Redirect network traffic (hosts file, DNS, Honeyd).
Activate services (IRC, HTTP, SMTP, etc.) as needed to evoke new behavior from the specimen.
| Action | IDA Pro shortcut |
|---|---|
| Show strings window | Shift+F12 |
| Show operand as hex value | Q |
| Follow jump or call in view | Enter |
| Return to previous view | Esc |
| Go to next view | Ctrl+Enter |
| Show names window | Shift+F4 |
| Display function's flow chart | F12 |
| Display graph of function calls | Ctrl+F12 |
| Go to program's entry point | Ctrl+E |
| Go to specific address | G |
| Rename a variable or function | N |
| Show listing of names | Ctrl+L |
| Display listing of segments | Ctrl+S |
| Show cross-references to selected function | Select function name » Ctrl+X |
| Show stack of current function | Ctrl+K |
| Action | OllyDbg shortcut |
|---|---|
| Step into instruction | F7 |
| Step over instruction | F8 |
| Execute till next breakpoint | F9 |
| Execute till next return | Ctrl+F9 |
| Show previous executed instruction | - |
| Show next executed instruction | + |
| Return to previous view | * |
| Show memory map | Alt+M |
| Follow expression in view | Ctrl+G |
| Follow jump or call in view | Enter |
| Show listing of names | Ctrl+N |
| New binary search | Ctrl+B |
| Next binary search result | Ctrl+L |
| Show listing of software breakpoints | Alt+B |
| Assemble instruction in place of selected one | Select instruction » Spacebar |
| Edit data in memory or instruction opcode | Select data or instruction » Ctrl+E |
| Show SEH chain | View » SEH chain |
To try unpacking quickly, infect the system and dump from memory via LordPE or OllyDump.
For more surgical unpacking, locate the Original Entry Point (OEP) after the unpacker executes.
If you cannot unpack cleanly, examine the packed specimen via dynamic code analysis while it runs.
When unpacking in OllyDbg, try SFX (bytewise) and OllyDump's "Find OEP by Section Hop".
Conceal OllyDbg via HideOD and OllyAdvanced.
A JMP or CALL to EAX may indicate the OEP, possibly preceded by POPA or POPAD.
Look out for tricky jumps via SEH, RET, CALL, etc.
If the packer uses SEH, anticipate the OEP by tracking the stack areas used to store the packer's handlers.
Decode protected data by examining results of the decoding function via dynamic code analysis.
To get closer to the OEP, try breaking on the unpacker's calls to LoadLibraryA or GetProcAddress.
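As an added illustration of the POPAD-then-JMP/CALL EAX tip above (example code, not part of the cheat sheet), the Python scanner below flags each POPAD that is followed by a JMP EAX, CALL EAX or JMP rel32, and decodes the rel32 target so you know where to set a breakpoint before the OEP is reached. The stub bytes and the 0x00401000 base address are constructed assumptions, not taken from any real sample.

```python
"""Added example: scan a code buffer for the packer "tail jump" pattern (constructed sample)."""
import struct

POPAD = 0x61  # opcode of POPAD, which restores the registers saved by PUSHAD
TRANSFERS = {  # control transfers that commonly land on the OEP
    b"\xff\xe0": "JMP EAX",
    b"\xff\xd0": "CALL EAX",
    b"\xe9": "JMP rel32",
}


def find_tail_jump_candidates(code, base, window=16):
    """Report each POPAD followed within `window` bytes by a JMP/CALL transfer.

    Byte-pattern matching only, not a disassembler: 0x61 inside data or an
    operand gives false positives, so scan the executable section only and
    confirm each candidate in the debugger before treating it as the OEP jump.
    """
    hits = []
    for i, b in enumerate(code):
        if b != POPAD:
            continue
        for j in range(i + 1, min(i + 1 + window, len(code))):
            kind = next((k for p, k in TRANSFERS.items() if code.startswith(p, j)), None)
            if kind is None:
                continue
            hit = {"popad_va": base + i, "transfer_va": base + j, "kind": kind}
            if kind == "JMP rel32" and j + 5 <= len(code):
                rel = struct.unpack_from("<i", code, j + 1)[0]
                hit["target_va"] = base + j + 5 + rel  # rel32 is relative to the next instruction
            hits.append(hit)
            break  # report only the first transfer after this POPAD
    return hits


# Constructed stub at an assumed base: PUSHAD / MOV EAX,[EBP+8] / POPAD / JMP 0x401200,
# then MOV EAX,0x402000 / POPAD / JMP EAX, then a stray 0x61 data byte with no transfer after it.
BASE = 0x00401000
SAMPLE_STUB = bytes.fromhex(
    "60 8B 45 08 61 E9 F6 01 00 00 "
    "B8 00 20 40 00 61 FF E0 "
    "61 " + "00 " * 16 + "C3"
)

if __name__ == "__main__":
    for h in find_tail_jump_candidates(SAMPLE_STUB, BASE):
        target = f" -> {h['target_va']:#010x}" if "target_va" in h else ""
        print(f"POPAD at {h['popad_va']:#010x}: {h['kind']} at {h['transfer_va']:#010x}{target}")
```

Running it on the constructed stub reports two candidate sites and ignores the stray 0x61 byte; on a real specimen, feed it the bytes of the packer's code section and verify each hit in OllyDbg.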
| Register | Common use |
|---|---|
| EAX | Addition, multiplication, function results |
| EBP | Base for referencing function arguments (EBP+value) and local variables (EBP-value) |
| ESP | Points to the current "top" of the stack; changes via PUSH, POP, and others |
| EIP | Points to the next instruction |
| EFLAGS | Contains flags that store outcomes of computations (e.g., Zero and Carry flags) |
If you have suggestions for improving this cheat sheet, please let me know.
Creative Commons v3 "Attribution" License for this Cheat Sheet v.1.6.
Authored by Lenny Zeltser. Lenny is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter, read his blog and circle him on Google+.
Copyright © 1995-2013 Lenny Zeltser. All rights reserved.
The information on this site does not necessarily represent positions or opinions of my employer.