Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory
June 13, 2011 3:03 am

Part Two in a multi-part series on holistic, multi-disciplinary analysis and reversing.
The last post, “Mutex Analysis: The Canary in the Coal Mine,” started off by showing how to use mutexes to discover malware that is difficult to locate with more traditional methods and tools. We used a live compromised system for the example, and the post came to a relatively abrupt end when it seemed that we had stumbled onto a new or unknown type of malware, or at least one that does not appear to have had any public exposure or analysis. This post is “part 2” of our analysis.
Update 6/21/2011:
This post has been moved to the “Forensics and Reversing” section of the website. I apologize for the inconvenience. Read the full article here.

June 13th, 2011 at 5:19 pm
[...] with permission from the NetWitness Blog. Share and [...]
June 15th, 2011 at 12:05 pm
Nice write up, fluid, informative, and to the point. I especially like how you explain the logic and point out to the reader the areas of concern.
June 21st, 2011 at 9:20 pm
Again, awesome write up... can I come work with you... I swear if I didn't have bills to pay I'd come work for free =)
August 19th, 2011 at 9:49 pm
Great 2 part series. Very interesting using Mutexes to find rootkits. I would love to see part 3 and reverse engineer a new Malware variant.