Dynamic analysis can be done to observe behavior or perform step by step reverse engineering. Often, it provides context around the sample and you can also use the information in the PDB for open sources intelligence (OSINT) or writing signatures.ĭynamic analysis is analyzing the sample by executing it. It stores the symbols and addresses used in the binary and is useful for debugging. The program database (PDB) may also be useful for static analysis of Windows malware. Sometimes strings can help you get URLs or IP addresses on which to conduct further research. PEStudio will even highlight malicious indicators for you.Īnalyzing the strings included in the malware sample can give you more information about what the sample may be doing or what it interacts with. For Windows samples, Microsoft has plenty of documentation on some of the functions you may come across when doing analysis.ĬFF Explorer and PEStudio are great for doing static analysis. Import/export table and function usage can give a decent idea of what capabilities the malware sample has or what it may do. Sometimes it’s easier to find data online and learn from existing analysis.
Hashes can be looked up to see if anyone else has seen the sample before. Some of the common things to examine in Windows malware are file hashes, the import/export table, function calls or strings present in the binary. This can include analyzing the properties of the malware sample or decompiling/disassembling code and analyzing that. Static analysis is analyzing the sample without executing the code. Once malware samples have been collected, there are various tools and techniques reverse engineers could use to analyze the samples.
0 kommentar(er)
