Malware dynamic analysis techniques

Dynamic analysis of the file while running, it is said that the process of analysis. In other words, to monitor the behavior of the program or use the debugging tools to check the status of the run can be called. Analysis of dynamic analysis when it’s a good idea to proceed with a dedicated machine. The reason is that if the program is operating, while the actual malicious code to infect users machine because it is. And that if a virus or malicious code that infects the network is in progress, the analysis then can be rather.

Therefore, the network and the environment, the system can stop isolated infected machines will encourage to proceed(it’s one of the machines for virtualization to analyze this machine can do).

And analysis the nitty gritty, real-world ahead program analysis when it comes to the PE Headeralone is insufficient. Reverse engineering technology should understand in advance and can facilitate practical program analysis.

This is the program you want to analyze, Ntsec.exeas, NT security settings made for a simple C ++ program. Therefore, it is appropriate to be used for the initial analysis.

This program has fourdifferent security settings, which provide as follows.

TCP SYN Protect

Root Share Disable

Login Banner Enable

Last Login User Disable

This program runs the structure we have learned of the PE Headeranalysis is in progress, try to use the station..

Ahead of other PE Header values also be checked but, so it is too early to take up a lot of ground, so, leaving individual shares, this is just the program for analysis Ntsec.exeis an APIfor checking, PEiD , PEBrowseafter confirmation that the file opened, the IAT Let me check it out.

So, now let’s check out the IAT. The following APIis the IATcan see that is registered in the.

Structure for IAT

(+0x0000) 0x00027396 (356, RegDeleteValueA)

(+0x0004) 0x00027366 (347, RegCloseKey)

(+0x0008) 0x00027374 (390, RegSetValueExA)

(+0x000C) 0x00027386 (370, RegOpenKeyExA)


(+0x003C) 0x00027348 (282, GetLastError)

(+0x0040) 0x000276F0 (636, SetStdHandle)

(+0x0044) 0x000276DE (618, SetFilePointer)

(+0x0048) 0x000273D2 (202, GetCommandLineA)

… Omission


(+0x014C) 0x000273B6 (114, ShellExecuteA)

[Content] PEBrowse Ntsecis identified when used in the API [Yim Sung-Chun-1]

I think a lot of APIthat can be used.

Dual- Kernel32.dllis a lot of functions that are required by default in the execution of your program, it is a very big operation this all will be analyzed. One way to achieve this is to analyze APIto decide, this is the first confirmation the Advapi32.dll, Shell32.dllwill be.

In this case, is expected to set a break point on the points below.


(+0x0000) 0x00027396 (356, RegDeleteValueA)

(+0x0004) 0x00027366 (347, RegCloseKey)

(+0x0008) 0x00027374 (390, RegSetValueExA)

(+0x000C) 0x00027386 (370, RegOpenKeyExA)


(+0x014C) 0x000273B6 (114, ShellExecuteA)

APIon MSDNwhen you check them in the APIis a great help in understanding. Below is information about the MSDN for details.

(+0x0000) 0x00027396 (356, RegDeleteValueA)
Removes a named value from the specified registry key. Note that value names are not case sensitive.

LONG WINAPI RegDeleteValue(

__in HKEY hKey,

__in_opt LPCTSTR lpValueName


(+0x0008) 0x00027374 (390, RegSetValueExA)

Sets the data and type of a specified value under a registry key.


__in HKEY hKey,

__in_opt LPCTSTR lpValueName,

__reserved DWORD Reserved,

__in DWORD dwType,

__in_opt const BYTE *lpData,

__in DWORD cbData


(+0x014C) 0x000273B6 (114, ShellExecuteA)

Performs an operation on a specified file.

HINSTANCE ShellExecute(

__in_opt HWND hwnd,

__in_opt LPCTSTR lpOperation,

__in LPCTSTR lpFile,

__in_opt LPCTSTR lpParameters,

__in_opt LPCTSTR lpDirectory,

__in INT nShowCmd


RegDeleteValueA RegSetValueExA ShellExecuteA API functions

Of course, the name alone is enough to make this tangible purpose.

The value of the Registry RegDeleteValueAwill erase, RegSetValueExAis the Registryto set the value of the API is. And as with the CLI ShellExecuteAcan execute a particular file APIis.

Therefore, changing the registry value, Ntsec.exe, is the ability to run specific commands, you can guess. So although you can complete the analysis as speculation, certainly there is a need to determine whether any write value. And thus make debugging information, such as the lighthouse, will serve as.

Now let’s try to analyze the file in earnest, IDA, Ollydbg , etc. and dynamic analysis through Procmonto check the status while running through a progress analysis.

The first thing to check is immediately proceed with the string. The program make sure you have any strings or behavior. Can understand the main processing distinctions.

Press the right mouse button on the window Assembly, Search for All referenced text strings  is used in the program through a Let’s make a string.

[Figure] Ntsecis enabled you can see all the strings

String-setand through -unsetthe phrase in addition to vetting all the strings that are used by the programcan be ordered and behavior methods, can guess in advance. [Yim Sung-Chun-3] Since the Ollydbgat program Step over (F8), you proceed by pressing the key[Yim Sung-Chun-4] , 00402424 CALL ntsec.00401028when run, the program set in advance help CLI Appears on the screen – set-unsetthe function of the behavior of the contents of the program code are located in the 00402424can verify that. Now restart the program(Ctrl + F2key)and 00402424 CALL ntsec.00401028at break point(F2key)after you have set up to run the program(F9key), you can set breakpoints in the program will stop us. So here, Step into (F7key)and let go through procedures in accordance with the.

[Figure] the program’s features, you can see where this behavior

Step into (F7key)as the main treatment program after running the JMP syntax, you can meet with the initial command syntax analysis will be presented.

00401CA0 55 PUSH EBP

00401CA3 83EC 44 SUB ESP,44

00401CA6 53 PUSH EBX

00401CA7 56 PUSH ESI

00401CA8 57 PUSH EDI


00401CAC B9 11000000 MOV ECX,11



// 3 If you do not at least the program is moved to the exit point through JMP syntax becomes.Enter the received existing EBP + 8 compares equal to the value.

00401CB8 837D 08 03 CMP DWORD PTR SS:[EBP+8],3

// 3 If you have more than one should go to 00401CD5.

00401CBC 7D 17 JGE SHORT ntsec.00401CD5

00401CBE 68 6C2A4200 PUSH ntsec.00422A6C ; ASCII “Windysoft NT Default Security Setup Tool\n Usage : ntsec.exe <-set|-unset> <1 2 3 4>\nThis program can be set to below list\n 1. Syn Attack Protect\n 2. Hidden Share Delete\n 3. Last Login User Protect\n 4. Display Business Use Notice\n”

// ASCII code on DOS prompt in the command prompt window output command.

00401CC3 E8 F8050000 CALL ntsec.004022C0

00401CC8 83C4 04 ADD ESP,4

00401CCB B8 01000000 MOV EAX,1

00401CD0 E9 BF010000 JMP ntsec.00401E94  Program ends

//-Setthe stack storage..

00401CD5 68 642A4200 PUSH ntsec.00422A64 ; ASCII “-set”



00401CE0 51 PUSH ECX

// If you check out as a Step intothe code,-setin this becomes a comparison statement is executed whether the.

00401CE1 E8 4A050000 CALL ntsec.00402230

00401CE6 83C4 08 ADD ESP,8

00401CE9 85C0 TEST EAX,EAX

00401CEB 0F85 C4000000 JNZ ntsec.00401DB5  -unset Go through the door run.

… Omission

[Content] running initial analysis

Analyze each code in the same manner as above, try to take a lot of time, but it is a fairly.

Therefore, this programs behavior using the command -set that you understand that the argument as a value add, Ollydbg present “-set 1 2 3 4″to run the program and give the main function, make sure there are a lot of here ahead of the API of RegSetValueExA, ShellExecuteAon break point(F2key), Strengths, Ollydbgprogram let me drive.

[Figure] Ollydbg to set breakpoint on RegSetvalueExA, ShellExecuteA

After setting up, as shown in the figure above, when you run the program, takes a break point in the content as shown below, you can see the contents of a run.

// SynAttackProtect Registry settings, you can see that.
004010BB . 6A 04 PUSH 4 ; /BufSize = 4

004010BD . 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4] ; |

004010C0 . 51 PUSH ECX ; | Buffer

004010C1 . 6A 04 PUSH 4 ; | ValueType = REG_DWORD

004010C3 . 6A 00 PUSH 0 ; | Reserved = 0

004010C5 . 68 1C214200 PUSH 42211C ; | ValueName = “SynAttackProtect”

004010CA . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; |

004010CD . 52 PUSH EDX ; |hKey

004010CE . FF15 D4714200 CALL DWORD PTR DS:[4271D4] ; \RegSetValueExA

// AutoShareServer The registry is set to 0, you can see that.

0040120F . 6A 04 PUSH 4 ; /BufSize = 4

00401211. 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4] ; |

00401214. 51 PUSH ECX ; | Buffer

00401215. 6A 04 PUSH 4 ; | ValueType = REG_DWORD

00401217. 6A 00 PUSH 0 ; | Reserved = 0

00401219. 68 C4224200 PUSH 4222C4 ; | ValueName = “AutoShareServer”

0040121E . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; |

00401221. 52 PUSH EDX ; |hKey

00401222. FF15 D4714200 CALL DWORD PTR DS:[4271D4] ; \RegSetValueExA

// AutoShareWrk The registry is set to 0, you can see that.

00401234. 6A 04 PUSH 4 ; /BufSize = 4

00401236. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; |

00401239. 50 PUSH EAX ; | Buffer

0040123A . 6A 04 PUSH 4 ; | ValueType = REG_DWORD

0040123C . 6A 00 PUSH 0 ; | Reserved = 0

0040123E . 68 B4224200 PUSH 4222B4 ; | ValueName = “AutoShareWrk”

00401243. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] ; |

00401246. 51 PUSH ECX ; |hKey

00401247. FF15 D4714200 CALL DWORD PTR DS:[4271D4] ; \RegSetValueExA

// From here, as part of the run, Parameters, FileNameand make sure that any Operationit is possible to run the command. .

00401263. 6A 05 PUSH 5 ; /IsShown = 5

00401265. 6A 00 PUSH 0 ; | DefDir = NULL

00401267. 68 98224200 PUSH 422298 ; | Parameters = “share Admin$ /delete”

0040126C . 68 94224200 PUSH 422294 ; | FileName = “net”

00401271. 68 8C224200 PUSH 42228C ; | Operation = “open”

00401276. 6A 00 PUSH 0 ; |hWnd = NULL

00401278. FF15 18734200 CALL DWORD PTR DS:[427318] ; \ShellExecuteA

… Omission

[Content] RegSetvalueExA, ShellExecuteA’s progress

Now the actual execution is checked to see if the codes, the program which is using the run command on the registry, write what was identified as the content. As mentioned earlier, without the contents and behavior of the Ntsecmuch different, easy to understand for the content above, think I’ll add will not describe, that have been.

Here, each APIif you want to, the correct analysis of the stars ahead of the check through a check MSDN API function listed in the members, see side-by-side comparisons of each value shown above, you will be a great help to understand.

This means that the entire file is analyzed, it really requires a lot of time. Therefore, it is necessary to analyze the main APIand placed out in advance, you will quickly process of analyzing key can analyze the contents of the.

Then you’ll encounter when the APIlet me learn.

MSDN APIfor each of the rated parameters would also display, but it seems like a waste ground, APIwas only shown. But the API’s to figure out the meaning of the parameters in the analysis of critical tasks, so the station, each APIthrough MSDNabout the habit of nourishing the wish(

DialogBox API

Displays a dialog box, or use the APIthat is used for importing the information into the following APIis used a lot of.

Dialog box, select the require user to proceed with mutual communication because this name seems to be built.

[Picture] dialog boxes are usually requires the user’s selection

DialogBoxParamA // Produces a dialog box.
GetDlgItem // Get the address of the dialog box, access.

GetDlgItemInt // In the dialog box, enter the variable.

GetDlgItemTextA // In the dialog box, type a character.

GetWindowsTextA // Gets the title of the dialog box.

Window API

All of the Windows operating system should the baby sash. To do this, create or change the APIis as follows.

Dialog boxes and the difference is given in accordance with the objects inside the main screen(means)the parent window.

[Figure] is all the objects window sash

CreateWindowEx // Windows will generate.
ShowWindow // Windows should display. That means the situation has already been generated

UpdateWindow // You should renew the contents of the window.

MessageBox API

In the window that displays the same message notifications APIare used to. Typically, an error or notification belong to this.

[Figure] notifications are used to print a message

MessageBeep // Should a particular notification uses sound output.
MessageBoxA // Outputs a message box.

MessageBoxExA // A message box will output. Expandable

SendMessageA // Should send messages to the other window.

SendDlgItemMessageA // Transmits a message to the dialog box.

SetDlgItemTextA // Dialog box, set of characters.

SetWindowTextA // Windows character sets.

Registry API

To access the Windows registry and delete it, or, you can do, such as create APIare. Under the APIto access the registry through the request can determine.

RegCreateKeyA // Registry key appears, to delete the created
RegDeleteKeyA // Registry key appears, to delete the

RegQueryValueExA // Check the value of the registry key

RegCloseKeyA // Registry key appears, to delete the close, create, or delete the registry key, value if OK, the close, ending the current should have a corresponding registry handles.

RegOpenKeyA // Registry key appears, to delete the open, create, or delete the registry key, value if you want to make sure first that position should open registry handles.

File API

To read or modify the file, generate the ongoing APIare. Under the APIreading the file or you can see them on request.

ReadFile // File read
WriteFile // File write

CreateFileA // File generation

Data API

Read other data files and other work is in progress, the APIare. Under the APIdata comparison tasks through data processing you can see the contents of the request.

lstrcmpA // 2different strings you have entered 1-byte compare.
MulitByteToWideChar // Unicode, ANSIwill converted to a string.

WideCharToMultiByte // ANSI The string should be converted to Unicode.

wsprintfA // Outputs a string.

Time(Date) API

Set or verify the time and date the task is in progress, the APIare. By the time the process or action, to determine the time you can see the contents of the action.

GetFileTime // File time information.
GetLocalTime // The current system brings local time.

GetSystemTime // Bring the current system time . UTC standards

GetSystemTimeAsFileTime // Bring a date and time.

SetTimer // Specifies the timer.

SystemTimeToFileTime // You should set the date and time.

Other than the above APIif they know in advance about, when primary file analysis to analyze the foot break-point in the quarter’s, can reduce a lot of time.

So now IDAanother let me check for codes, IDAreinforces and enhances the quality of the analysis is not necessarily progress is required since the Ollydbg is not.

Here is the introduction for this to proceed and the actual analysis by the IDA and, Ollydbganalyzes only enough that we wrote to you all. Then IDA Ntsec.exethrough the opening, we are not part of the analysis let us check it out.

[Figure] IDAidentified RegDeleteValueAflowchart

Does look good in pictures, RegDeleteValueA, about IDA’s content is identified, the big advantage of the IDA, as shown in the figure, the overall flow of the content of the program is that it is possible to determine the like. Through this program, you will be able to easily understand the processing flow.

Now, finally, ProcMon, etc. to monitor system changes through the recording, by actual changes in the environment can do an analysis for the.

[Figure] Process monitormonitors the Registry value

Ntsec.exe , as shown in the figure on the program to access and change the Registry , by monitoring the contents, the actual debugging can verify that it is functioning as a content, can not be changed will be able to see what.

If you want to know more details of additional network behavior, Wireshark(Wire-shark)to add a network packet capture by running, such as a good way to do.

Facebook Comments

Leave A Reply

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다.