Dynamic Analysis, Run-Time Debugging, and Yara
by Coleman Kane
This module builds on the earlier Ghidra and VirtualBox work to introduce real-time analysis of running malicious code, and then uses the findings from that analysis to hunt for the malware on a running system.
Be advised that the content below is from the 2020 class; the timeframes it references for material covered differ from how the 2021 class schedule was organized.
The lectures refer to a malware artifact that I built and distributed in 2020. Since the link to it is buried in the lecture notes, I am providing another link for revolutions_backdoor_windows.exe here:
- revbd.zip [type: ZIP, password: cs6038]
Working with debuggers, manipulating execution of malware to analyze behavior and other run-time characteristics:
- Configuration Analysis, Run-Time Analysis, and Editing
- Immunity Debugger Intro, Capture & Reroute Malware Traffic
- Immunity Debugger View and Description
- Simple Program Flow Editing with Immunity
Turning findings into Yara signatures, and a hunting exercise:
- Malware Identification with Yara
- Cont’d Malware Identification with Yara
- Hunting On a System with Yara
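As an added example (not part of the course material or the lecture slides), the rule below shows the shape a Yara signature takes once debugger findings are turned into detection logic: strings seen in memory, a code fragment from the disassembly with wildcards over the parts that vary, a PE import check, and a filesize bound to keep a live-system hunt cheap. Every string, byte pattern and import in it is a placeholder I made up for illustration; none of it describes the actual revolutions_backdoor_windows.exe sample.

```yara
// Added example: a rule template for turning run-time findings into a signature.
// Every string, hex pattern and import below is a hypothetical placeholder,
// not an observation about the course's revolutions_backdoor_windows.exe.
import "pe"

rule hypothetical_backdoor_template
{
    meta:
        description = "Template: strings, a code fragment, and an import seen at run time"
        author      = "added example, not course material"

    strings:
        // Plain-text artifacts found in memory while the sample ran (placeholders).
        $cfg_host = "c2.example.invalid" ascii wide
        $cfg_path = "/gate.php" ascii nocase
        // A code fragment lifted from the disassembly; the ?? wildcards cover
        // stack offsets and call targets that change from build to build.
        $push_connect = { 6A 10 8B 45 ?? 50 FF 15 ?? ?? ?? ?? }

    condition:
        uint16(0) == 0x5A4D                      // MZ header: only consider PE files
        and filesize < 2MB                       // keep scans cheap on a live system
        and pe.imports("ws2_32.dll", "connect")  // networking import observed in the debugger
        and (all of ($cfg_*) or $push_connect)   // config strings together, or the code fragment alone
}
```

With the rule saved as backdoor.yar, `yara -r -s backdoor.yar <directory>` walks a directory tree recursively and prints which strings matched in each hit, which is the hunting step the last Yara lecture covers; the `-s` output is what you look at when a rule fires on too many files and needs tightening.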