
Malware Analysis & Reverse Engineering Cheat Sheet

The analysis and reversing tips behind this reference are covered in the SANS Institute course
FOR610: Reverse-Engineering Malware.

Overview of the Malware Analysis Process

1. Use automated analysis sandbox tools for an initial assessment of the suspicious file.
2. Set up a controlled, isolated laboratory in which to examine the malware specimen.
3. Examine static properties and meta-data of the specimen for triage and early theories.
4. Emulate code execution to identify malicious capabilities and contemplate next steps.
5. Perform behavioral analysis to examine the specimen's interactions with its environment.
6. Analyze relevant aspects of the code statically with a disassembler and decompiler.
7. Perform dynamic code analysis to understand the more difficult aspects of the code.
8. If necessary, unpack the specimen.
9. Repeat steps 4-8 above as necessary (the order may vary) until analysis objectives are met.
10. Augment your analysis using other methods, such as memory forensics and threat intel.
11. Document findings, save analysis artifacts and clean up the laboratory for future analysis.

Behavioral Analysis

Be ready to revert to a good state via virtualization snapshots, Clonezilla, dd, FOG, PXE booting, etc.
Monitor local interactions (Process Explorer, Process Monitor, ProcDOT, Noriben).
Detect major local changes (RegShot, Autoruns).
Monitor network interactions (Wireshark, Fiddler).
Redirect network traffic (fakedns, accept-all-ips).
Activate services (INetSim or actual services) requested by the malware and reinfect the system.
Adjust the runtime environment for the specimen as it requests additional local or network resources.

Ghidra for Static Code Analysis

Go to specific destination: g
Show references to instruction: Ctrl+Shift+f
Insert a comment: ;
Follow jump or call: Enter
Return to previous location: Alt+Left
Go to next location: Alt+Right
Undo: Ctrl+z
Define data type: t
Add a bookmark: Ctrl+d
Text search: Ctrl+Shift+e
Add or edit a label: l
Disassemble values: d

x64dbg/x32dbg for Dynamic Code Analysis

Run the code: F9
Step into/over instruction: F7/F8
Execute until selected instruction: F4
Execute until the next return: Ctrl+F9
Show previous/next executed instruction: -/+
Return to previous view: *
Go to specific expression: Ctrl+g
Insert comment/label: ;/:
Show current function as a graph: g
Find specific pattern: Ctrl+b
Set software breakpoint on specific instruction: Select instruction » F2
Set software breakpoint on API: Go to Command prompt » SetBPX API Name
Highlight all occurrences of the keyword in disassembler: h » Click on keyword
Assemble instruction in place of selected one: Select instruction » Spacebar
Edit data in memory or instruction opcode: Select data or instruction » Ctrl+e
Extract API call references: Right-click in disassembler » Search for » Current module » Intermodular calls

Unpacking Malicious Code

Determine whether the specimen is packed by using Detect It Easy, Exeinfo PE, Bytehist, peframe, etc.
To try unpacking the specimen quickly, infect the lab system and dump from memory using Scylla.
For more precision, find the Original Entry Point (OEP) in a debugger and dump with OllyDumpEx.
To find the OEP, anticipate the condition close to the end of the unpacker and set the breakpoint.
Try setting a memory breakpoint on the stack in the unpacker's beginning to catch it during cleanup.
To get closer to the OEP, set breakpoints on APIs such as LoadLibrary, VirtualAlloc, etc.
To intercept process injection, set breakpoints on VirtualAllocEx, WriteProcessMemory, etc.
If you cannot dump cleanly, examine the packed specimen via dynamic code analysis while it runs.
Rebuild imports and other aspects of the dumped file using Scylla, Imports Fixer, and pe_unmapper.

Bypassing Other Analysis Defenses

Decode obfuscated strings statically using FLOSS, xorsearch, Balbuzard, etc.
Decode data in a debugger by setting a breakpoint after the decoding function and examining results.
Conceal x64dbg/x32dbg via the ScyllaHide plugin.
To disable anti-analysis functionality, locate and patch the defensive code using a debugger.
Look out for tricky jumps via TLS, SEH, RET, CALL, etc. when stepping through the code in a debugger.
If analyzing shellcode, use scdbg and runsc.
Disable ASLR via setdllcharacteristics, CFF Explorer.

Authored by Lenny Zeltser, who is the CISO at Axonius and Faculty Fellow at SANS Institute. You can find him at twitter.com/lennyzeltser and zeltser.com. Download this and Lenny's other security cheat sheets from zeltser.com/cheat-sheets. Creative Commons v3 "Attribution" License for this cheat sheet version 2.2.
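A quick-triage script for the "is the specimen packed?" check in the Unpacking section, added here as an example and not part of the original cheat sheet or of the tools it names (Detect It Easy, Bytehist): it walks the PE section table, scores each section's Shannon entropy, and flags an executable section with no bytes on disk, the layout a UPX-style stub leaves behind. The two PE images it scores are constructed inside the script, and the 7.0 bits/byte threshold is an assumption.

```python
import hashlib, math, struct
from collections import Counter
PACKED_THRESHOLD = 7.0   # bits/byte (assumed); compressed or encrypted data sits near the 8.0 maximum

def shannon_entropy(data: bytes) -> float:   # bits per byte, 0.0 for empty input
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(pe: bytes):   # -> (entry_rva, [(name, va, vsize, raw, flags), ...])
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                       # IMAGE_FILE_HEADER
    nsect, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", pe, coff + 36)[0]    # OptionalHeader.AddressOfEntryPoint
    table, out = coff + 20 + opt_size, []                     # first IMAGE_SECTION_HEADER
    for i in range(nsect):
        h = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)    # Name, VirtualSize, VirtualAddress,
        out.append((h[0].rstrip(b"\0").decode("ascii", "replace"),    # SizeOfRawData, PointerToRawData,
                    h[2], max(h[1], h[3]), pe[h[4]:h[4] + h[3]], h[9]))  # ..., Characteristics
    return entry_rva, out

def assess(pe: bytes) -> dict:
    entry_rva, sections = pe_sections(pe)
    rep = {"sections": {}, "entry_section": None, "indicators": []}
    for name, va, vsize, raw, flags in sections:
        ent = rep["sections"][name] = round(shannon_entropy(raw), 2)
        if va <= entry_rva < va + vsize: rep["entry_section"] = name
        if ent >= PACKED_THRESHOLD:
            rep["indicators"].append(f"{name}: entropy {ent} looks compressed/encrypted")
        if flags & 0x20000000 and vsize and not raw:   # IMAGE_SCN_MEM_EXECUTE yet nothing on disk:
            rep["indicators"].append(f"{name}: executable, {vsize:#x} bytes virtual, no raw data")  # UPX0-style
    rep["likely_packed"] = bool(rep["indicators"])
    return rep

def build_sample_pe(sections, entry_rva):
    """Constructed minimal PE32 for this demo, not a real binary: (name, raw, vsize, flags) per section."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)         # i386 EXE
    hdr, raw, va, ptr = b"", b"", 0x1000, 64 + 4 + len(coff) + len(opt) + 40 * len(sections)
    for name, data, vsize, flags in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), ptr, 0, 0, 0, 0, flags)
        raw, va, ptr = raw + data, va + 0x10000, ptr + len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdr + raw

CODE, STUB = 0x60000020, 0xE0000080   # typical section Characteristics values
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))   # stand-in for packed bytes
CLEAN_PE = build_sample_pe([(b".text", b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 256, 0x800, CODE)], 0x1010)
PACKED_PE = build_sample_pe([(b"UPX0", b"", 0x8000, STUB), (b"UPX1", HIGH_ENTROPY, 0x800, STUB)], 0x11100)
```

Run it on a real file with assess(open(path, "rb").read()); legitimately compressed resources also score high on entropy, so treat the indicators as a prompt for a closer look in a debugger rather than a verdict.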
