Greetings, fellow pen testers and red teamers! If you’ve been following this blog series on malware analysis and obfuscation techniques, you’re probably eager to dive into some advanced static analysis techniques. As professional hackers, we know how critical it is to stay ahead of the curve in this ever-evolving landscape of cyber threats. This article aims to equip you with the knowledge and tools necessary to perform advanced static analysis on various types of malware.

Note that this article assumes you have an intermediate understanding of security and hacking. So, without further ado, let’s dive into the world of advanced static analysis!

File Format Analysis

File format analysis is the first step in advanced static analysis. Malware authors often use file format manipulation techniques to evade detection, so understanding the file format is essential for effective analysis.

PE (Portable Executable) Files

PE files are common targets for malware authors, and understanding the PE format is crucial for analyzing Windows executables. We’ll examine two tools for analyzing PE files: PEview and CFF Explorer.

  • PEview: This lightweight tool enables you to inspect the structure of PE files. It displays the file header, section table, and import/export tables. Here’s a sample output from PEview:

    File Header
-------------
Machine: 8664 (x64)
Number of Sections: 3
TimeDateStamp: 5E6A99A7 -> Thu Mar 12 22:40:23 2020
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: F0
Characteristics: 22F0

  • CFF Explorer: This powerful tool offers advanced features such as viewing and editing PE file structures, resource analysis, and more. With CFF Explorer, you can inspect the Import Address Table (IAT), Export Address Table (EAT), and other PE structures.

ELF (Executable and Linkable Format) Files

ELF files are the standard binary format for Unix-like systems. To analyze ELF files, we recommend using the following tools:

  • readelf: A command-line utility that displays information about ELF files, such as section headers, program headers, and symbol tables. Here’s an example of using readelf to display ELF headers:

    $ readelf -h /bin/ls
ELF Header:
Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF64
Data:                              2's complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX - System V
ABI Version:                       0
Type:                              DYN (Shared object file)
Machine:                           Advanced Micro Devices X86-64
Version:                           0x1
Entry point address:               0x6c30
Start of program headers:          64 (bytes into file)
Start of section headers:          269952 (bytes into file)
Flags:                             0x0
Size of this header:               64 (bytes)
Size of program headers:           56 (bytes)
Number of program headers:         13
Size of section headers:           64 (bytes)
Number of section headers: 30
String table index: 29

  • objdump: A versatile command-line tool for displaying information about object files, including disassembly and symbol table information. Use objdump with the -x option to display all ELF headers:

    $ objdump -x /bin/ls

/bin/ls: file format elf64-x86-64
/bin/ls
architecture: i386:x86-64, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x0000000000006c30

Program Header:
PHDR off 0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 23
filesz 0x00000000000002a0 memsz 0x00000000000002a0 flags r--
INTERP off 0x00000000000002e0 vaddr 0x00000000000002e0 paddr 0x00000000000002e0 align 20
filesz 0x000000000000001c memsz 0x000000000000001c flags r--

File Carving

File carving is the process of extracting embedded files from malware samples, typically by searching for specific file signatures or headers. Tools such as Binwalk and Foremost are valuable for this task.

  • Binwalk: A firmware analysis tool that scans binary files for embedded files and executable code. It can extract files from various file formats, such as ZIP, RAR, and JPEG. Here’s an example of using Binwalk to extract embedded files:

    $ binwalk -e malware_sample.bin

DECIMAL HEXADECIMAL DESCRIPTION

0 0x0 Microsoft executable, portable (PE)
22528 0x5800 Zip archive data, at least v2.0 to extract, compressed size: 5120, uncompressed size: 5120, name: hidden_payload.exe

  • Foremost: A file carving tool that extracts files from various file formats based on their headers, footers, and internal data structures. Foremost can be used to recover embedded files from malware samples:

    $ foremost malware_sample.bin
Processing: malware_sample.bin
|foundat=hidden_payload.exeUT
*|

Strings Analysis

Strings analysis is a valuable technique for discovering valuable information in malware samples, such as URLs, IP addresses, and encryption keys. Strings can be analyzed using native tools or specialized utilities like the ‘strings’ command in Unix systems:

$ strings malware_sample.exe | grep "http"
http://malicious.example.com/command-and-control

Control Flow Graph (CFG) Reconstruction

Control flow graphs (CFGs) are essential for understanding the execution flow of a program, and malware authors often use obfuscation techniques to make CFGs more challenging to analyze. Tools like IDA Pro, Ghidra, and Radare2 can help reconstruct CFGs for static analysis.

IDA Pro

IDA Pro is a popular disassembler and debugger that supports various file formats and architectures. It provides advanced features such as interactive control flow graph visualization and automated function identification. Using IDA Pro, you can easily navigate through complex code structures and identify critical code paths.

Ghidra

Ghidra is a powerful open-source reverse engineering tool developed by the National Security Agency (NSA). It features a robust suite of analysis tools, including a decompiler and a control flow graph visualizer. Ghidra can automatically analyze code and identify functions, variables, and data structures, making it easier to understand complex malware samples.

Radare2

Radare2 is a comprehensive open-source reverse engineering framework that supports various file formats and architectures. It includes a command-line interface, a visual mode, and an extensive set of plugins. With Radare2, you can perform advanced control flow graph analysis and even write custom scripts to automate tasks.

Disassembly and Reverse Engineering

Disassembling and reverse engineering malware samples can reveal their underlying functionality and identify the techniques used to evade detection. Some popular disassemblers and reverse engineering tools include:

OllyDbg

OllyDbg is a 32-bit Windows debugger and disassembler that specializes in analyzing binary code. It can handle packed and obfuscated code, making it particularly useful for malware analysis. OllyDbg’s user-friendly interface allows you to navigate through complex code structures and perform advanced debugging tasks.

x64dbg

x64dbg is a 64-bit debugger and disassembler for Windows that supports both x64 and x86 architectures. It features a plugin-based architecture, allowing for extensibility and customization. x64dbg is particularly useful for analyzing modern malware samples that target 64-bit systems.

Signature-Based Detection

Signature-based detection is a widely used method for identifying known malware samples. It involves scanning files for known malicious patterns or signatures. While signature-based detection is not always effective against new or heavily obfuscated malware, it remains a valuable tool in the arsenal of malware analysts.

YARA

YARA is a powerful pattern-matching tool designed for identifying and classifying malware based on textual or binary patterns. With YARA, you can create custom rules to detect specific malware families or characteristics. Here’s an example of a simple YARA rule to detect a specific string in a binary:

rule example_rule
{
    meta:
        description = "Detects a specific string in the binary"

    strings:
        $string1 = "malicious.example.com" nocase

    condition:
        $string1
}

Indicators of Compromise (IoCs)

Indicators of Compromise (IoCs) are artifacts or evidence that can be used to identify compromised systems or potential threats. IoCs can include IP addresses, domain names, file hashes, and registry keys. Identifying IoCs in malware samples can help security professionals detect, prevent, and respond to attacks more effectively.

Volatility

Volatility is an open-source memory forensics framework that allows you to extract IoCs from memory dumps. With Volatility, you can identify processes, network connections, and other artifacts that can be used as IoCs.

Wireshark

Wireshark is a popular network protocol analyzer that enables you to capture and analyze network traffic. By inspecting network traffic, you can identify malicious communication patterns and extract IoCs such as IP addresses and domain names.

Conclusion

Advanced static analysis techniques are vital for understanding the inner workings of modern malware and developing effective countermeasures. By mastering these techniques and tools, you can stay ahead of the ever-evolving threats posed by sophisticated malware. As professional hackers, it is our responsibility to constantly sharpen our skills and deepen our knowledge in this dynamic field.

Happy hunting, fellow pen testers and red teamers!