DIY Malware Analysis · Chapter 9

Advanced Tools: An Overview of Windows Code Debuggers

Sooner or later you will want to know absolutely everything about an executable file. You may want to know, for instance:

- the exact memory address that it is calling
- the exact region of memory that it is writing to
- what region it is reading from
- which registers it is making use of

Debuggers aid you in reverse-engineering a file for which you don't have the source code by disassembling the file in question and letting you step through it. (For more on the relationship between programming and debugging tools, see the later section on advanced forensic analysis.) This comes in handy when you're analyzing malware, as you almost never have access to the executable's original source code.

The goal of this section is not to coach you in depth on how to use these debuggers, but simply to show you that they are out there and available for you to use. Debuggers are very powerful tools that take a long time to learn to use to their fullest extent. There are three popular debuggers for the Windows platform that we'll be discussing: two of them are free and one is a commercial product.

The first debugger in this section is Windows Debugger (WinDbg), available free of charge from Microsoft. It's part of the Debugging Tools for Windows (www.microsoft.com/whdc/devtools/debugging/default.mspx). WinDbg's interface is spartan and command driven, but it will let you fully debug and analyze Windows applications and other user-mode items, as well as services, drivers, and other kernel-mode items. It can also analyze the crash dumps created by a Blue Screen of Death (BSoD), which is probably its most popular use.

The first thing to keep in mind when using WinDbg is that you must load the proper symbol set for the operating system build and service pack that you're working on; symbols from a different build will not match the loaded modules and WinDbg will report symbol errors instead of function names. Symbol packages are available free from Microsoft at the link above. They are quite large; the average size is about 150 MB. The same debugger package also supports pointing WinDbg at Microsoft's public symbol server (the .symfix command, or the _NT_SYMBOL_PATH environment variable), which downloads and caches only the symbols for the modules actually loaded, so you rarely need the full package.
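To make the points above concrete (symbol setup, then watching which addresses, memory and registers a sample touches), here is an added example of a WinDbg/cdb command script. It is not from the book and not a script shipped with the Debugging Tools; it assumes a 32-bit (x86) user-mode sample at the hypothetical path C:\samples\instantmsgrs.exe, a writable C:\symbols cache, and that you run it inside an isolated analysis VM, because the sample is allowed to execute between breakpoints.

```windbg
$$ trace_apis.wds -- added example, not from the book or the Debugging Tools.
$$ Assumptions: x86 user-mode sample, writable C:\symbols cache, isolated VM.
$$ Run from the analysis VM with:
$$   cdb -o -cf trace_apis.wds C:\samples\instantmsgrs.exe
$$ (-o also attaches to any child process the sample spawns)

.logopen C:\symbols\trace.log      $$ transcript of everything printed below
.symfix C:\symbols                 $$ Microsoft symbol server + local cache;
                                   $$ replaces downloading the full symbol package
.reload                            $$ resolve symbols for modules mapped so far

$$ bu = deferred breakpoint; it resolves when the named module is loaded.
$$ x86 stdcall at function entry: 1st argument at esp+4, 2nd at esp+8.
$$ %mu prints a Unicode string, %ma an ANSI string; gc resumes execution.
bu kernel32!CreateFileW    ".printf \"CreateFileW    %mu\\n\", poi(@esp+4); gc"
bu kernel32!WinExec        ".printf \"WinExec        %ma\\n\", poi(@esp+4); gc"
bu ws2_32!gethostbyname    ".printf \"gethostbyname  %ma\\n\", poi(@esp+4); gc"
bu advapi32!RegSetValueExW ".printf \"RegSetValueExW %mu\\n\", poi(@esp+8); gc"

$$ connect(SOCKET s, const sockaddr *name, int namelen): decode sockaddr_in.
$$ Layout: +0 family (2 bytes), +2 port (big-endian, 2 bytes), +4 IPv4 address.
bu ws2_32!connect "r $t0 = poi(@esp+8); .printf \"connect        %d.%d.%d.%d:%d\\n\", by(@$t0+4), by(@$t0+5), by(@$t0+6), by(@$t0+7), (by(@$t0+2) << 8) | by(@$t0+3); gc"

$$ Stop once at the sample's own entry point and record the machine state:
$$ registers (r), next eight instructions (u), top of stack (dd), call stack (k).
bp @$exentry ".printf \"=== entry point ===\\n\"; r; u @eip L8; dd @esp L8; k"

g                                  $$ run; cdb stops at the entry point breakpoint
```

From the entry-point stop, g lets the sample run while each API breakpoint logs its argument and continues; the register dump, disassembly and stack dump answer the four questions at the top of this section for the instruction pointer at that moment. For the BSoD case the same tool is pointed at a dump instead of a process, for example cdb -z C:\Windows\MEMORY.DMP -c "!analyze -v; q", which needs the matching kernel symbols described above.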
Figure 9.29 shows WinDbg starting to analyze a WootBot variant with the file name "instantmsgrs.exe."