
Published on January 5th, 2015 📆 | 7658 Views ⚑


Malware Analysis – Dynamic Analysis: Computer Security Lectures 2014/15 S1


This video is part of the computer/information/cyber security and ethical hacking lecture series by Z. Cliffe Schreuders at Leeds Beckett University. Laboratory work sheets, slides, and other open educational resources are available at http://z.cliffe.schreuders.org.

The slides themselves are creative commons licensed CC-BY-SA, and images used are licensed as individually attributed.





Topics covered in this lecture include:

Dynamic Analysis Safety: Working in a safe environment
  - Network isolation pros and cons

Live memory analysis
  - Malware analysis approaches
  - gcore
  - strings /tmp/attack.core
  - Looking through the memory dump

System calls

System call monitoring
  - strace: runs a command and intercepts and records system calls and signals
  - Reminder: system calls are how programs interact with the kernel
  - You can use this technique to understand what a program is doing
  - You can take this a step further and attach to an existing process to see what it is up to: strace -f -p pid
  - If there is too much noise you can use options to only show file or network activity

Library call monitoring
  - ltrace is similar, except that it can report each time a dynamic library function is called
  - Process Monitor (procmon) on Windows can be used to monitor all file/registry access (like a GUI lsof for Windows)
  - Network monitoring (using a sniffer such as Wireshark or TCPDump) can be combined with procmon to give a fairly complete picture of activity

Debugging and interactive disassembly
  - Debuggers can display the machine instructions
  - GDB, Ollydbg, Windbg
  - A debugger can be attached to a running process, or a process can be started using it
  - You can step through the program, and print out information such as the values in memory
  - GDB

Automated dynamic behavioural recording/analysis
  - Run the malware within an isolated environment (VM/sandbox), and automatically save changes made to the system, and/or record all file/network activity
  - Cuckoo
  - Online service: https://malwr.com/
  - Zero Wine
  - Copy-on-write sandbox: Sandboxie

Conclusion
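To make the noise-reduction step from the system call monitoring slides concrete (keeping only file and network activity out of a trace), here is an added Python example that is not part of the lecture: it parses a constructed `strace -f` capture and reports just the file and network system calls per process, with the path or the peer address pulled out of each call. The sample trace lines, the two syscall groups and the line format it expects are assumptions, not strace's own `-e trace=file` / `-e trace=network` lists.

```python
import re

# Constructed sample of `strace -f` output (not a real capture). The noise
# lines (read/brk) are included on purpose so the filter has something to drop.
SAMPLE_TRACE = r"""
[pid  4242] openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1024
[pid  4242] openat(AT_FDCWD, "/root/.ssh/id_rsa", O_RDONLY) = -1 EACCES (Permission denied)
[pid  4242] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
[pid  4242] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 4243
[pid  4243] openat(AT_FDCWD, "/tmp/.x", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 5
[pid  4243] brk(NULL)                    = 0x55a1c0000000
"""

# Assumed groups; strace's own -e trace=file / -e trace=network lists are longer.
FILE_SYSCALLS = {"open", "openat", "creat", "unlink", "unlinkat", "rename", "mkdir", "chmod"}
NET_SYSCALLS = {"socket", "connect", "bind", "listen", "accept", "sendto", "recvfrom"}

# [pid N] name(args) = ret [ERRNO (text)]; the pid prefix only appears with -f
LINE_RE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s*=\s*(\S+)(.*)$')

def parse_line(line):
    """Return (pid, syscall, args, ret) for one strace line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, name, args, ret, _errtext = m.groups()
    return (int(pid) if pid else None), name, args, ret

def summarize(trace):
    """Keep only file and network syscalls, dropping the rest as noise.
    files: (pid, syscall, path, succeeded); net: (pid, syscall, ip, port)."""
    files, net = [], []
    for raw in trace.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        pid, name, args, ret = ev
        if name in FILE_SYSCALLS:
            path = re.search(r'"([^"]*)"', args)   # first quoted string is the path
            if path:
                files.append((pid, name, path.group(1), not ret.startswith("-")))
        elif name in NET_SYSCALLS:
            ip = re.search(r'inet_addr\("([^"]+)"\)', args)
            port = re.search(r'htons\((\d+)\)', args)
            net.append((pid, name, ip.group(1) if ip else None,
                        int(port.group(1)) if port else None))
    return files, net
```

The failed `openat` of the key file and the outbound `connect` are the two rows a triager would act on; the child's write to /tmp is attributed to its own pid because `-f` follows the clone.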
