Cheat Sheet for Analyzing Malicious Software

This is a cheat sheet of shortcuts and tips for analyzing and reverse-engineering malware. It covers the general malware analysis process, as well as useful tips for OllyDbg, IDA Pro, and other tools. Feel free to customize it to your own needs. The SANS malware analysis course FOR610 explores these and other useful techniques. To print, use the one-sheet PDF version; you can also edit the Word version for your own needs. If you like this, take a look at my other IT cheat sheets.

General Approach

  1. Set up a controlled, isolated laboratory in which to examine the malware specimen.
  2. Perform behavioral analysis to examine the specimen’s interactions with its environment.
  3. Perform static code analysis to further understand the specimen’s inner-workings.
  4. Perform dynamic code analysis to understand the more difficult aspects of the code.
  5. If necessary, unpack the specimen.
  6. Repeat steps 2, 3, and 4 (order may vary) until sufficient analysis objectives are met.
  7. Document findings and clean-up the laboratory for future analysis.

Behavioral Analysis

IDA Pro for Static Code Analysis

Text search                                       Alt+T
Show strings window                               Shift+F12
Show operand as hex value                         Q
Insert comment                                    :
Follow jump or call in view                       Enter
Return to previous view                           Esc
Go to next view                                   Ctrl+Enter
Show names window                                 Shift+F4
Display function’s flow chart                     F12
Display graph of function calls                   Ctrl+F12
Go to program’s entry point                       Ctrl+E
Go to specific address                            G
Rename a variable or function                     N
Show listing of names                             Ctrl+L
Display listing of segments                       Ctrl+S
Show cross-references to selected function        Select function name » Ctrl+X
Show stack of current function                    Ctrl+K

OllyDbg for Dynamic Code Analysis

Step into instruction                             F7
Step over instruction                             F8
Execute till next breakpoint                      F9
Execute till next return                          Ctrl+F9
Show previous executed instruction                -
Show next executed instruction                    +
Return to previous view                           *
Show memory map                                   Alt+M
Follow expression in view                         Ctrl+G
Insert comment                                    ;
Follow jump or call in view                       Enter
Show listing of names                             Ctrl+N
New binary search                                 Ctrl+B
Next binary search result                         Ctrl+L
Show listing of software breakpoints              Alt+B
Assemble instruction in place of selected one     Select instruction » Spacebar
Edit data in memory or instruction opcode         Select data or instruction » Ctrl+E
Show SEH chain                                    View » SEH chain
Show patches                                      Ctrl+P

Bypassing Malware Defenses

  • To try unpacking quickly, infect the system and dump from memory via LordPE or OllyDump.
  • For more surgical unpacking, locate the Original Entry Point (OEP) after the unpacker executes.
  • If you cannot unpack cleanly, examine the packed specimen via dynamic code analysis while it runs.
  • When unpacking in OllyDbg, try SFX (bytewise) and OllyDump’s “Find OEP by Section Hop”.
  • Conceal OllyDbg via HideOD and OllyAdvanced.
  • A JMP or CALL to EAX may indicate the OEP, possibly preceded by POPA or POPAD.
  • Look out for tricky jumps via SEH, RET, CALL, etc.
  • If the packer uses SEH, anticipate the OEP by tracking the stack areas used to store the packer’s handlers.
  • Decode protected data by examining results of the decoding function via dynamic code analysis.
  • Correct PE header problems with XPELister, LordPE, ImpREC, PEiD, etc.
  • To get closer to OEP, try breaking on unpacker’s calls to LoadLibraryA or GetProcAddress.
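Two of the OEP tips above (a POPA/POPAD followed by a JMP or CALL, and OllyDump’s “Find OEP by Section Hop”) can be turned into simple scripts an analyst runs over a dumped region or a recorded trace. The following Python is an added example written for this page; it is not code from the cheat sheet, from OllyDbg or from OllyDump. The opcode patterns it looks for, the section layout and the trace are all assumptions or constructed sample data, and real unpacker stubs vary widely.

```python
"""
Added example (not part of the original cheat sheet): two OEP heuristics
from the "Bypassing Malware Defenses" list, implemented in plain Python.

  1. scan_popad_jmp(): look for POPA/POPAD (0x61) shortly followed by
     JMP EAX / CALL EAX / JMP rel32 / PUSH imm32 + RET, a common tail
     of an unpacker stub.
  2. first_section_hop(): given section ranges and an executed-address
     trace, report the first transfer out of the section the unpacker
     started in (the idea behind OllyDump's "Find OEP by Section Hop").

All byte strings, section layouts and traces below are constructed.
"""
import struct

# x86 opcode patterns the scanner recognises (assumptions about what a
# typical stub emits; many packers obfuscate this tail).
POPAD = 0x61
JMP_EAX = b"\xff\xe0"
CALL_EAX = b"\xff\xd0"
JMP_REL32 = 0xE9
PUSH_IMM32 = 0x68
RET = 0xC3


def scan_popad_jmp(code: bytes, base: int = 0, window: int = 16):
    """Return (address, kind, target) for each POPA/POPAD that is followed
    within `window` bytes by a register, relative or push/ret transfer.
    `target` is the absolute address for JMP rel32 and PUSH/RET, else None."""
    hits = []
    for i, b in enumerate(code):
        if b != POPAD:
            continue
        for j in range(i + 1, min(i + 1 + window, len(code))):
            chunk = code[j:j + 6]
            if chunk.startswith(JMP_EAX):
                hits.append((base + i, "popad;jmp eax", None))
                break
            if chunk.startswith(CALL_EAX):
                hits.append((base + i, "popad;call eax", None))
                break
            if chunk[0] == JMP_REL32 and len(chunk) >= 5:
                # rel32 is relative to the end of the 5-byte instruction
                rel = struct.unpack("<i", chunk[1:5])[0]
                hits.append((base + i, "popad;jmp rel32", base + j + 5 + rel))
                break
            if chunk[0] == PUSH_IMM32 and len(chunk) >= 6 and chunk[5] == RET:
                # "push imm32; ret" is the RET-based tricky jump from the list
                imm = struct.unpack("<I", chunk[1:5])[0]
                hits.append((base + i, "popad;push/ret", imm))
                break
    return hits


def first_section_hop(sections, trace):
    """sections: {name: (start, end)} half-open address ranges.
    trace: executed instruction addresses in order.
    Returns (index, from_section, to_section, address) of the first
    instruction executed outside the section the trace began in, or None."""
    def section_of(addr):
        for name, (lo, hi) in sections.items():
            if lo <= addr < hi:
                return name
        return None

    start = section_of(trace[0])
    for idx, addr in enumerate(trace):
        here = section_of(addr)
        if here != start:
            return idx, start, here, addr
    return None


# Constructed sample: a fake unpacker tail loaded at 0x00405000
#   61                 popad
#   90                 nop
#   68 00 10 40 00     push 0x00401000
#   C3                 ret
#   61                 popad
#   FF E0              jmp eax
SAMPLE_STUB = bytes.fromhex("61 90 68 00 10 40 00 C3 61 FF E0")
SAMPLE_SECTIONS = {".text": (0x401000, 0x405000), "UPX1": (0x405000, 0x40A000)}
SAMPLE_TRACE = [0x405000, 0x405001, 0x405002, 0x405007, 0x401000, 0x401003]

if __name__ == "__main__":
    for addr, kind, tgt in scan_popad_jmp(SAMPLE_STUB, base=0x405000):
        print(f"{addr:#010x} {kind}" + (f" target={tgt:#x}" if tgt else ""))
    print(first_section_hop(SAMPLE_SECTIONS, SAMPLE_TRACE))
```

On the constructed stub the scanner reports the PUSH/RET candidate with its 0x401000 target and the POPAD; JMP EAX tail, and the trace helper reports the hop from UPX1 into .text at the same address, which is where a breakpoint would be set before dumping with OllyDump or LordPE.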

Common x86 Registers and Uses

EAX      Addition, multiplication, function results
ECX      Counter
EBP      Base for referencing function arguments (EBP+value) and local variables (EBP-value)
ESP      Points to the current “top” of the stack; changes via PUSH, POP, and others
EIP      Points to the next instruction
EFLAGS   Contains flags that store outcomes of computations (e.g., Zero and Carry flags)
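The EBP and EFLAGS rows are the ones that trip up newcomers when reading a disassembly in IDA or stepping in OllyDbg, so here is an added example (written for this page, not taken from the cheat sheet) that models both: which stack slot an [EBP+disp] operand names under the usual 32-bit frame layout, and how ADD, SUB and CMP set the Zero and Carry flags. It goes a little beyond the table by also computing the Sign and Overflow flags, because those decide the signed jumps (JL/JG) that look like the unsigned ones (JB/JA). The frame layout (saved EBP at EBP+0, return address at EBP+4, 4-byte arguments from EBP+8) is the conventional one and is an assumption; all inputs are constructed.

```python
"""
Added example (not from the original cheat sheet): a small model of the
EBP frame layout and of EFLAGS outcomes for 32-bit ADD/SUB/CMP, plus the
conditional jumps that read them. Intel flag semantics are used.
"""
MASK32 = 0xFFFFFFFF


def describe_ebp_ref(disp: int) -> str:
    """Name the stack slot behind an [EBP+disp] operand. Assumes the usual
    32-bit frame: saved EBP at EBP+0, return address at EBP+4, 4-byte
    arguments from EBP+8 upward, local variables below EBP."""
    if disp == 0:
        return "saved EBP"
    if disp == 4:
        return "return address"
    if disp >= 8:
        return f"argument {(disp - 8) // 4 + 1}"
    return f"local variable at EBP{disp:+#x}"


def to_signed(v: int) -> int:
    """Interpret a 32-bit pattern as a signed integer."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def add32(a: int, b: int):
    """ADD a, b -> (result, flags). CF is the unsigned carry out of bit 31,
    OF is signed overflow, ZF/SF describe the 32-bit result."""
    a &= MASK32
    b &= MASK32
    full = a + b
    res = full & MASK32
    flags = {
        "ZF": res == 0,
        "CF": full > MASK32,
        "SF": bool(res & 0x80000000),
        "OF": to_signed(a) + to_signed(b) != to_signed(res),
    }
    return res, flags


def sub32(a: int, b: int):
    """SUB a, b -> (result, flags). CMP is SUB that discards the result.
    CF is set on an unsigned borrow (a < b as unsigned values)."""
    a &= MASK32
    b &= MASK32
    res = (a - b) & MASK32
    flags = {
        "ZF": res == 0,
        "CF": a < b,
        "SF": bool(res & 0x80000000),
        "OF": to_signed(a) - to_signed(b) != to_signed(res),
    }
    return res, flags


def cmp32(a: int, b: int):
    """CMP a, b -> flags only."""
    return sub32(a, b)[1]


def jump_taken(mnemonic: str, f: dict) -> bool:
    """Whether a conditional jump fires for the given flags (Intel rules)."""
    table = {
        "JZ": f["ZF"], "JNZ": not f["ZF"],
        "JB": f["CF"], "JAE": not f["CF"],                  # unsigned below/above-or-equal
        "JBE": f["CF"] or f["ZF"], "JA": not f["CF"] and not f["ZF"],
        "JL": f["SF"] != f["OF"], "JGE": f["SF"] == f["OF"],  # signed less/greater-or-equal
        "JLE": f["ZF"] or f["SF"] != f["OF"],
        "JG": not f["ZF"] and f["SF"] == f["OF"],
        "JS": f["SF"], "JO": f["OF"],
    }
    return table[mnemonic]


if __name__ == "__main__":
    # Constructed operands: the same CMP is "above" unsigned but "less" signed
    for mov in (8, 0xC, 4, 0, -4):
        print(f"[ebp{mov:+#x}] -> {describe_ebp_ref(mov)}")
    f = cmp32(0xFFFFFFFF, 1)
    print({k: v for k, v in f.items()}, "JA:", jump_taken("JA", f), "JL:", jump_taken("JL", f))
```

The last two lines show why the signed/unsigned distinction matters when reading a CMP in a disassembly: CMP EAX, 1 with EAX = 0xFFFFFFFF leaves CF clear (so JA is taken) yet SF set with OF clear (so JL is also taken), because -1 is less than 1 as a signed value but 4294967295 is above 1 as an unsigned one.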

Post-Scriptum

If you have suggestions for improving this cheat sheet, please let me know. Creative Commons v3 “Attribution” License for this Cheat Sheet v.1.6. Take a look at my other security cheat sheets.

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
