Visual Malware Reversing - Offensive Computing

Recommendations

Info

Import Repair Process • Find the original entry point – Unpack code until this address is found – Use OEP method discussed later • Find references to imported DLLs – call [ADDRESS] – jmp [ADDRESS] Import Address Table (IAT)
Import Repair Process • Each imported DLL has an IAT corresponding to the APIs brought into the application • The first DLL is found by backtracking the IAT memory until a NULL is found. • The DWORD after the NULL is the beginning of that DLL’s API • How do we determine which DLL belongs to which memory address?
Page 1 and 2: Visual Malware Reversing How to Sto
Page 3 and 4: Goals • Identify structure of mal
Page 5 and 6: Complexities of Reverse Engineering
Page 7 and 8: What is VERA? • Visualizing Execu
Page 9 and 10: What the Colors Mean • Yellow - N
Page 11 and 12: Ether Improvements • Import recon
Page 13 and 14: Imported API Recovery • Removing
Page 15: Which is easier to read? No Imports
Page 19 and 20: Import Repair Process • New Metho
Page 21 and 22: Original Entry Point Detection •
Page 23 and 24: Problems with Ether • Heavy-weigh
Page 25 and 26: Veratrace Demonstration Demo 2
Page 27 and 28: Caveat Emptor • Intel PIN is very
Page 29 and 30: VERA Analysis Machine VERA - IDA Pl
Page 31 and 32: Future Work • Memory usage analys
Page 33: http://www.offensivecomputing.net/v

Visual Malware Reversing - Offensive Computing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?