At an introductory level, we're told about the process of disassembly: translating the binary code within a sample into a higher-level, more readable form, the machine-instruction language assembly. We're also given the basic timeline from authorship to execution of malware. As a summary:
- The sample is written in a high-level language such as C++ or C.
- The sample is compiled into assembly.
- This assembly is a human-friendly representation of the binary instructions.
This is of course in an ideal world, one without the reverse-engineering prevention methods often employed to throw the analyst off the scent. We're given an intro to CPU registers, and to the role .DLLs play within Windows.
Sample assembly instructions:

| Instruction | Effect |
|---|---|
| `add (value), (register)` | increments a value and stores the new (or first) result |
| `sub (value), (register)` | subtracts a value and then stores the new (or first) result |
| `mov (registerA), (registerB)` | moves the value of registerA to registerB |
| `mov (registerA), (memory address)` | moves the value within a memory address into a register |
Using PEFile & Capstone on IRCBot.exe:

```shell
pip install pefile
pip install capstone
```

We'll use the provided dissasembley_example.py and pipe its output. I had to rename the file the script looks for due to a capitalization error:
And this is where the problems began...
Now I'm starting to understand why they heavily recommended the provided .OVA. So... I hesitantly put my ego aside, imported the VM and tried this whole thing again.
If I can reliably figure out the necessary packages and libraries, I will create a write-up detailing the steps needed to follow this book from a fresh OS install. Until then...
And yup... definitely an environment problem. grumble grumble
The chapter then goes on to summarize a few possible ways authors of malicious code can obfuscate their samples, and why they might do so. For example, encrypting the payload with keys held on external servers and only fetched when the sample is executed, which static analysis can neither decrypt nor even reveal.