Do not run malware in host environment...
More control
However
Inception... an OS within an OS
Host = base machine
Guests = virtual machines within host
Snapshot the VM regularly (Before running malware, possibly during to capture key moments in time)
Windows is common in Malware Analysis
Preload it with tools
Do not allow malware sample to phone home or connect to the internet...
Only allow malware to connect to controlled networks such as INetSim
Host-only networking can be useful for an external server
Security mechanism to separate running programs.
Execute untrusted code and observe what it does.
Will show
Matches signatures to actions
Shows API calls!
Finds Hollow Process Injection
# Cuckoo Sandbox signature: the on_call() hook below is the code shown on the slide,
# re-indented and wrapped in the Signature class/import the slide left out so it is
# loadable as a Cuckoo module. It tracks the API-call sequence of process hollowing
# against the handles returned by the monitored CreateProcessInternalW call.
from lib.cuckoo.common.abstracts import Signature


class InjectionProcessHollowing(Signature):

    def init(self):
        # sequence: 0 = process spawned, 1 = target memory unmapped/allocated or
        # thread context read, 2/3 = payload written and/or thread context set.
        self.sequence = 0
        self.process_handles = set()
        self.thread_handles = set()
        self.signs = []   # calls that contributed to the match

    def on_call(self, call, process):
        if call["api"] == "CreateProcessInternalW":
            self.process_handles.add(self.get_argument(call, "ProcessHandle"))
            self.thread_handles.add(self.get_argument(call, "ThreadHandle"))
            self.signs.append(call)
        elif (call["api"] == "NtUnmapViewOfSection" or call["api"] == "NtAllocateVirtualMemory") and self.sequence == 0:
            if self.get_argument(call, "ProcessHandle") in self.process_handles:
                self.sequence = 1
                self.signs.append(call)
        elif call["api"] == "NtGetContextThread" and self.sequence == 0:
            if self.get_argument(call, "ThreadHandle") in self.thread_handles:
                self.sequence = 1
                self.signs.append(call)
        elif (call["api"] == "NtWriteVirtualMemory" or call["api"] == "WriteProcessMemory" or call["api"] == "ZwMapViewOfSection") and (self.sequence == 1 or self.sequence == 2):
            if self.get_argument(call, "ProcessHandle") in self.process_handles:
                self.sequence = self.sequence + 1
                self.signs.append(call)
        elif (call["api"] == "SetThreadContext" or call["api"] == "NtSetContextThread") and (self.sequence == 1 or self.sequence == 2):
            if self.get_argument(call, "ThreadHandle") in self.thread_handles:
                self.sequence = self.sequence + 1
                self.signs.append(call)
        elif call["api"] == "NtResumeThread" and (self.sequence == 2 or self.sequence == 3):
            if self.get_argument(call, "ThreadHandle") in self.thread_handles:
                self.signs.append(call)
                # Full spawn -> prepare -> write/set-context -> resume chain seen on
                # the child's own handles: report the contributing calls as the match.
                self.add_match(process, 'api', self.signs)
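To show how "matching signatures to actions" works on a recorded API-call trace, here is an added, stand-alone version of the same process-hollowing state machine that runs without the Cuckoo framework. This is example code written for these notes, not Cuckoo's own signature; the call-record format (a dict per call with "api" and "arguments") and the handle values in the two constructed traces are assumptions that stand in for a real sandbox log.

```python
# Added example (not Cuckoo code): the hollowing API-sequence check from the
# slide, re-implemented to run over a constructed API-call trace offline.

# API groups for each stage of the pattern, as on the slide.
CREATE_PROCESS = {"CreateProcessInternalW"}
PREPARE_MEMORY = {"NtUnmapViewOfSection", "NtAllocateVirtualMemory"}
GET_CONTEXT = {"NtGetContextThread"}
WRITE_MEMORY = {"NtWriteVirtualMemory", "WriteProcessMemory", "ZwMapViewOfSection"}
SET_CONTEXT = {"SetThreadContext", "NtSetContextThread"}
RESUME_THREAD = {"NtResumeThread"}


def get_argument(call, name):
    """Return a named argument of a call record, or None if it is absent.
    Assumed simplified format: {"api": str, "arguments": {name: value}}."""
    return call.get("arguments", {}).get(name)


class HollowingDetector:
    """State machine: spawn -> unmap/alloc or read context -> write -> set context -> resume.

    Only calls operating on handles returned by the observed CreateProcess call
    advance the sequence, so unrelated memory writes in the trace are ignored.
    """

    def __init__(self):
        self.sequence = 0
        self.process_handles = set()
        self.thread_handles = set()
        self.signs = []       # calls that contributed to the pattern
        self.matched = False

    def on_call(self, call):
        api = call["api"]
        if api in CREATE_PROCESS:
            self.process_handles.add(get_argument(call, "ProcessHandle"))
            self.thread_handles.add(get_argument(call, "ThreadHandle"))
            self.signs.append(call)
        elif api in PREPARE_MEMORY and self.sequence == 0:
            if get_argument(call, "ProcessHandle") in self.process_handles:
                self.sequence = 1
                self.signs.append(call)
        elif api in GET_CONTEXT and self.sequence == 0:
            if get_argument(call, "ThreadHandle") in self.thread_handles:
                self.sequence = 1
                self.signs.append(call)
        elif api in WRITE_MEMORY and self.sequence in (1, 2):
            if get_argument(call, "ProcessHandle") in self.process_handles:
                self.sequence += 1
                self.signs.append(call)
        elif api in SET_CONTEXT and self.sequence in (1, 2):
            if get_argument(call, "ThreadHandle") in self.thread_handles:
                self.sequence += 1
                self.signs.append(call)
        elif api in RESUME_THREAD and self.sequence in (2, 3):
            if get_argument(call, "ThreadHandle") in self.thread_handles:
                self.signs.append(call)
                self.matched = True   # full chain seen on the child's handles


def scan_trace(calls):
    """Run the detector over a trace; return (matched, [API names of the signs])."""
    det = HollowingDetector()
    for call in calls:
        det.on_call(call)
    return det.matched, [c["api"] for c in det.signs]


def call(api, **arguments):
    """Build a constructed call record in the simplified trace format."""
    return {"api": api, "arguments": arguments}


# Constructed trace showing the hollowing pattern on the child's handles.
HOLLOWING_TRACE = [
    call("CreateProcessInternalW", ProcessHandle="0x100", ThreadHandle="0x104"),
    call("NtUnmapViewOfSection", ProcessHandle="0x100"),
    call("NtWriteVirtualMemory", ProcessHandle="0x100"),
    call("NtSetContextThread", ThreadHandle="0x104"),
    call("NtResumeThread", ThreadHandle="0x104"),
]

# Constructed benign trace: a child is started and resumed, and the only memory
# write targets an unrelated handle, so the sequence never leaves stage 0.
BENIGN_TRACE = [
    call("CreateProcessInternalW", ProcessHandle="0x100", ThreadHandle="0x104"),
    call("WriteProcessMemory", ProcessHandle="0x2f8"),   # not the child's handle
    call("NtResumeThread", ThreadHandle="0x104"),
]

if __name__ == "__main__":
    for label, trace in (("hollowing", HOLLOWING_TRACE), ("benign", BENIGN_TRACE)):
        matched, signs = scan_trace(trace)
        print(f"{label}: matched={matched} signs={signs}")
```

The handle bookkeeping is what keeps the signature precise: a process that writes to its own memory or to some other handle never advances the sequence, while the chain only fires once a resume is seen after the payload write or context change on the freshly created child.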