I would like to give information about the laboratory environment I use in malware analysis and the tools I use. In the previous times, I tried so much way to create my ideal lab but this is much better than previous times. Secondly, the tools I will mention in my article will be related to what I have tried or are currently using. That’s why you will not see any information how to use.
First of all, I am using Mac Book Pro with High Sierra version. I also decided to use two software, VMWare Fusion and VirtualBox.
VMWare Fusion – https://www.vmware.com/
VirtualBox – https://www.virtualbox.org/
You can say why you are using two different software. Because I do not have enough disk space in my computer. VMWare is working directly from main hard drive. But Virtualbox is working from external hard drive. I created two virtual machine, Windows7x86(on VMWare) and Windows7x64(on Virtualbox).
When I began to make analysis, I was using Ollydbg as a debugger. But at this time, I mostly using ImmunityDbg as a debugger. Especially Ollydbg and ImmunityDbg are based on x86. Of course time is changing and there is a better debuggers. I can say x64dbg is one of them. Nowadays, most of analysts using this debugger. It is also supporting x86 and x64 architecture I mean both of them. I would like to say I am still learning this new tool 🙂
There is a also one more debugger and we can not forget . If you doing some works or research based on Windows kernel, you must to choose this WinDBG as a debugger. I would like to say one think about Windbg. I guess it is not so much interest for me because of the UI 🙂 But when ı do some work about Kernel Exploitation, this is the my first choose.
OllyDbg – http://www.ollydbg.de/
ImmunityDbg – https://www.immunityinc.com/products/debugger/
x64/32Dbg – https://x64dbg.com/
WinDbg – https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
There is a few options for disassemblers tools. I was decided to use IDA Pro. But there is one negative side for me. If I remember right, it was supporting x86 architecture last year (2017). I do not know what happend and they stopped to support. Actually that was my main reason to create based on x64 virtual machine.
I also was tried Radare2 as a debugger. I really want to try specially with UI mode. I tried but my results were unsuccessful. But I did not give up :)) I am still continue to learn. It may be useful to learn because who knows maybe I will need this in the future. I am not sure but I will try to my best to prepare tutorial for this.
There is just one more tool I’ve reviewed. Actually I just installed an check it. Tool name is Hopper. It was surprised when I installed this tool. Because UI was really good. When they publish this tool, it was only support to Mac OSX. Last time I checked, I noticed that there were also Linux versions.
IDA Pro – https://www.hex-rays.com/products/ida/
Radare2 – http://beta.rada.re/en/latest/
Hopper – https://www.hopperapp.com/
I just tried two decompilers based on .Net and Visualbasic. But I had a problem with .Net tools. For example if I want to use DnSpy, I must to install Visual Studio. But there is no like this option 🙁 Whatever, I will fix this problem when I buy more hard disk space. I am also using de4dot as a Deobfuscator and unpacker.
DnSpy – https://github.com/0xd4d/dnSpy/releases
V8Decompiler – https://www.vb-decompiler.org/download.htm
de4dot – https://github.com/0xd4d/de4dot
.NET Reflector – https://www.red-gate.com/products/dotnet-development/reflector/
The tools I mentioned above are basically the tools I use. The tools I’m going to specify below will be based on what I’ve used or used previously, especially the x86-based virtual drive. Because there is a so many useful tools but supporting only x86.
1 – PE Bear – It is written by a Polish cyber security researcher. I can say that she is one of the people I like to follow their analysis. PE-bear is a freeware reversing tool for PE files. Its objective was to deliver fast and flexible “first view” tool for malware analysts, stable and capable to handle malformed PE files. It is supporting x86 and x64.
2 – Process Explorer – It is a free task manager and system monitor tool. It is a useful tool for demonstrating how it moves and distributes, especially when we run malware. It is supporting x86 and x64.
3 – HxD – It is an HEX editor preferred by many people. It has an easy to use interface.
4 – XVI32 – Obviously my favorite is the HEX editor. But only x86 support.
5 – PE Studio – Particularly useful tool to get information about malicious file structure before running malicious software.
6 – PEiD – It detects the most commonly used wrappers, ciphers, and compilers for PE files. There is no development for this tool at this time. But you can find it from different sources.
This is the information about the tools I am currently using. As I mentioned at the beginning of the article, I just wrote what tools I used. That’s why you can obtain information by researching how they are used. But if you need some help to find source, I can help you.
See you soon :))