Immunity Debugger
IDA
GUnPacker
ImpREC
LordPE
MAP
OllyDbg
PE Explorer
PEiD
Process Hacker
Process Explorer
Strings
Procmon
Regshot
TCPView
UPX
Wireshark
Hash tool variant
Dependency Walker
Common Windows DLLs
The dynamic link libraries (DLLs) a program imports reveal a great deal about its functionality before it is ever run. Here is a list and description of the most common Windows DLLs:
Kernel32.dll
Core system functionality: access to and manipulation of memory, files and hardware. Almost every program imports it, so its presence alone says little; the specific functions imported do.
Advapi32.dll
Windows Service Manager and Registry access.
User32.dll
User-interface components such as windows, buttons and scroll bars, plus message handling and keyboard/mouse input.
Gdi32.dll
Graphics functionality.
Ntdll.dll
Interface to the Windows kernel (native API). Programs normally reach it indirectly through Kernel32.dll; direct imports from Ntdll.dll often indicate an attempt to bypass the Win32 API or to hide functionality.
WSock32.dll and Ws2_32.dll
Network connectivity and related network functionality.
Wininet.dll
Application layer functions in networking, such as HTTP and FTP.
Common malware registry keys
Malware commonly modifies the host it lands on, and on Windows the registry is a favourite target: writing an autorun entry lets the malware survive a reboot and regain execution without any user interaction, i.e. it provides persistence.
The registry on Windows systems is a hierarchical database that stores low-level settings for the operating system and for applications that opt to use it. The kernel, device drivers, services, the Security Accounts Manager (SAM) and the user interface can all use the registry.
Some common registry keys used by malware for persistence are listed below. Writes under HKEY_LOCAL_MACHINE require administrative rights, so user-level malware usually falls back to the HKEY_CURRENT_USER equivalents. The RunServices and RunServicesOnce keys are only processed by Windows 9x/ME and are inert on NT-based Windows, but their appearance in a sample's strings still signals persistence intent.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup"="C:\windows\start menu\programs\startup"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Service"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Service"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Service"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Service"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="c:\runfolder\program.exe"
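As an added example (not code from the original page), the following Python script parses a .reg text export, such as the output of regedit's export function or `reg export`, and reports every value sitting under the persistence keys listed above. Key paths are compared case-insensitively because the registry itself is, an HKEY_USERS\<SID>\... path is folded onto the HKEY_CURRENT_USER form, and only the Startup / Common Startup values under the Shell Folders keys are reported, since the other values there (Desktop, Cache, ...) are not persistence. The sample export at the bottom is constructed for this example and is not a real capture.

```python
"""Flag autorun entries in a Windows .reg export (added example; sample data is constructed)."""
import re

# Persistence keys from the list above, lower-cased with the hive name removed.
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\windows\currentversion\runservicesonce",
    r"software\microsoft\windows\currentversion\explorer\shell folders",
    r"software\microsoft\windows\currentversion\explorer\user shell folders",
}
# Only these values under the Shell Folders keys redirect a startup directory.
STARTUP_VALUES = {"startup", "common startup"}
HIVES = {"hkey_local_machine", "hkey_current_user", "hkey_users"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _logical_lines(text):
    """Join hex data that regedit wraps over several lines with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def decode_data(data):
    """Decode REG_SZ ("...") and REG_EXPAND_SZ (hex(2):...) to str; other types stay raw."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])      # unescape \" and \\
    if data.lower().startswith("hex(2):"):
        raw = bytes.fromhex(data[7:].replace(",", ""))       # UTF-16LE, NUL terminated
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text):
    """Yield (key, value_name, decoded_data) for every value in the export."""
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            yield key, name, decode_data(m.group("data"))


def find_autoruns(text):
    """Return [(key, name, data)] for values stored under the persistence keys above."""
    hits = []
    for key, name, data in parse_reg(text):
        hive, _, path = key.partition("\\")
        hive, path = hive.lower(), path.lower()
        if hive not in HIVES:
            continue
        if hive == "hkey_users":            # HKEY_USERS\<SID>\Software\... : drop the SID
            _, _, path = path.partition("\\")
        if path not in AUTORUN_KEYS:
            continue
        if path.endswith("shell folders") and name.lower() not in STARTUP_VALUES:
            continue                         # Desktop, Cache, etc. are not persistence
        hits.append((key, name, data))
    return hits


# Constructed sample export (not a real capture); paths and names are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\svchost.exe -k persist"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="\"C:\\Users\\Public\\tmp\\c.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"="%USERPROFILE%\\Desktop"
"Startup"=hex(2):43,00,3a,00,5c,00,54,00,\
  6d,00,70,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

if __name__ == "__main__":
    for key, name, data in find_autoruns(SAMPLE_REG):
        print(f"{key}\n    {name} = {data}")
```

Run it against a full `reg export HKLM out.reg` / `reg export HKCU out.reg` pair taken before and after detonating a sample, and diff the two result lists; that is the same comparison Regshot makes, restricted to the keys that matter for persistence. A redirected Startup folder (the hex(2) case above) is easy to miss in a raw diff because the value is stored as UTF-16 hex rather than a readable path.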
Reverse Malware Engineering Tools
- Process Monitor with ProcDOT
- Process Explorer and Process Hacker
- Wireshark
- Regshot
- OllyDbg
- IDA Pro
- Immunity Debugger
- Scylla
- OllyDumpEx