今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#malwareanalysis

找到 2 篇相关文章

开发者

Malware Unpacking & Anti-Analysis Bypass: A Deep Dive into Real-World Techniques

Malware authors don't make our job easy. Every time we think we've figured out their tricks, they layer on another obfuscation technique, another anti-debugging check, another sandbox evasion. Over the past few weeks, I've been deep in the trenches with some particularly stubborn samples — the kind that detect your debugger, hide their strings behind XOR encoding, and hollow out legitimate processes to hide their payload. This article walks through my hands-on exploration of these techniques. We'll look at how malware detects analysis tools, how it obfuscates its strings, how it unpacks itself in memory, and most importantly — how we can bypass these defenses to see what the malware is actually trying to do. The tools we'll use: x64dbg/x32dbg for dynamic analysis and patching IDA Pro for static disassembly REMnux (Linux toolkit) for string deobfuscation FLOSS, XORSearch, bbcrack for automated string decoding Scylla & OllyDumpEx for dumping unpacked payloads Process Hacker for memory forensics Problem Statement Modern malware is rarely "what you see is what you get." A single executable might be: Packed — the actual malicious code is compressed/encrypted and only revealed at runtime Anti-debug aware — it checks for debuggers and changes behavior or terminates Sandbox-aware — it detects virtualized environments and refuses to execute its payload String-obfuscated — URLs, registry keys, and IOCs are encoded to evade signature detection Process-injecting — it hollows out a legitimate process (like explorer.exe ) and runs its code there Our goal: peel back these layers and extract the real payload for analysis. Exercise 1: Bypassing Debugger Detection in getdown.exe What I Found The first sample, getdown.exe , refused to show any network activity when run inside a debugger. Outside the debugger, it connected to 1.234.27.146:80 . Classic anti-debugging behavior. The Detection Mechanism Using x64dbg, I searched for intermodular calls and immediately spotted IsDebuggerPrese

2026-06-27 原文 →
AI 资讯

Understanding Malware Analysis: Types, Methodology, and Lab Setup Fundamentals

I've been digging into malware analysis lately, and one thing became clear pretty fast: before you ever touch a debugger or run a suspicious binary, you need to understand the landscape — what malware actually is, how it's classified, and what a safe, repeatable analysis workflow looks like. This post is my attempt to organize that foundation. No flashy exploit walkthrough here — just the core concepts I think anyone starting out in malware analysis needs to internalize first, because skipping this step is how people either get sloppy or get burned (sometimes literally infecting their own host machine). Problem Statement If you search "malware analysis tutorial," you mostly get tool-specific guides — "how to use Ghidra," "how to use Process Monitor" — without context on why you'd choose static vs. dynamic analysis, or how to build a lab that won't accidentally compromise your real network. I wanted to write down the methodology layer first: the classification of malware, the four analysis approaches, and the non-negotiables of lab isolation. This is the stuff that makes the tool-specific tutorials actually make sense later. What Malware Analysis Actually Is Malware analysis is the study of a malicious program's behavior — the goal is to understand what it does, how it got in, and how to detect/eliminate it across an environment, not just on one infected machine. A few concrete objectives that stuck with me: Determine the nature of the malware — is it an infostealer, a keylogger, a spam bot, ransomware? Understand the compromise — how did it get in, and what's the blast radius? Infer attacker motive — banking credential theft usually points to financial motive; persistence + C2 beaconing might point to espionage. Extract network indicators — domains, IPs, User-Agent strings — for network-level detection. Extract host-based indicators — registry keys, dropped filenames, mutexes — for endpoint-level detection. This connects directly to something called the Pyramid of P

2026-06-26 原文 →