    moveax41h (@moveax41h), administrators

    Malware analyst, reverse engineer, and programmer.

    Reputation: 42
    Posts: 77
    Profile views: 1472
    Followers: 1
    Following: 0
    Website: www.toddcullumresearch.com
    Location: California

    Best posts made by moveax41h

    • RE: Rootkits

      Welcome to Malware Analysis Forums.
      These resources should be useful to you:

      http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-1/

      http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-2/#gref

      http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf

      https://www.malwaretech.com/2013/09/ring3-ring0-rootkit-hook-detection-12.html

      https://www.malwaretech.com/2015/01/using-kernel-rootkits-to-concea.html

      https://www.malwaretech.com/2015/04/intercepting-all-system-calls-by.html

      https://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319/ref=sr_1_1?ie=UTF8&qid=1522140984&sr=8-1&keywords=rootkits (This book is older but still has a lot of useful fundamentals… Just note there are way more security features in the OS now)

      That should get you started. :)

      posted in General Malware Discussion
      moveax41h
      moveax41h
    • WARNING if you use VirtualBox for analysis

      Hey all,

      Just wanted to let you know that in the newer version of Oracle VirtualBox 5.2.8r121009, Oracle moved the position of the Delete Snapshot button. As an analyst, I often restore snapshots and typically I do it by right clicking on the snapshot in my list of snapshots and clicking the first option, which used to be “Restore Snapshot.” They’ve now put the Delete Snapshot option in that spot, so if you are just flying through it fast or have muscle memory, you may accidentally delete your snapshot! Luckily I didn’t, but that is a very poor design choice!!

      On a side note, check this talk out:

      https://www.youtube.com/watch?v=fFaWE3jt7qU&t=496s

      Enjoy. Happy hunting.

      posted in General Malware Discussion
      moveax41h
      moveax41h
    • RE: How to Analysis Dll file.

      @rohit_secres said in How to Analysis Dll file.:

      Hi all,
      I need your help. Can you please tell me how to analyse DLL files, because they are not directly executable? How can we check DLLs to analyse them and find their behaviour?
      Thanks.

      For this, you can use several options.

      A DLL file, as you may know, contains code functions; it just doesn’t have a “main” function which the OS loader can run directly. However, another program can load the DLL file, and there is one supplied with Windows called rundll32.exe. If you run rundll32.exe at the command line and pass to it the DLL file, followed by a comma, followed by either a function name or an ordinal number, then rundll32.exe will execute the function specified.

      You can also analyze DLL files with IDA Pro, x64Dbg, and OllyDbg. OllyDbg has its own DLL loader but if you want, you could always load rundll32.exe in another debugger and simply pass to it the argument to load the DLL that you want… Then, you can tell the debugger to “break on module load” and keep pressing Continue until the dll you want is loaded, then step through the code that way.

      There are a few other caveats to note with DLL files: Earlier I said DLL files don’t have a “main” like exes. This isn’t really true. DLLs actually do have a main and it’s called DllMain. DllMain is run whenever the DLL is loaded into a program so it is important to note that a DLL file can execute code which is outside of the function being imported to another exe by placing it in DllMain or jumping to it from DllMain.

      Another thing, you will note that when you use rundll32.exe, you don’t really have nice options to pass multiple arguments to a function. For example, the function CreateProcess() takes more than 1 argument and if you wanted to run it so that it actually works, you’d have to supply all of those args. You cannot do that with rundll32 unfortunately. The OllyDbg DLL loader has better support for more arguments than rundll32.exe does.

      posted in AppSec Tools
      moveax41h
      moveax41h
    • RE: Introduce yourself!

      Awesome, welcome @id1010terror and @neonprimetime . Glad to have you both. I think you will enjoy experimenting and analyzing malware. It is fun and rewarding.

      posted in Off-Topic Lounge
      moveax41h
      moveax41h
    • RE: MALWARE ANALYSIS RESOURCES//NOOBS READ FIRST

      @lilb said in MALWARE ANALYSIS RESOURCES//NOOBS READ FIRST:

      Hi, I was wondering how much someone should know about “general operating systems engineering”? Any topics in particular?

      Yes. I recommend you read the books:

      Operating Systems Design and Implementation
      Windows Internals by Russinovich, Pavel Yosifovich, et al.
      Programming the Windows Driver Model
      Mac OS X Internals: A Systems Approach
      What Makes it Page? by E. Martignetti

      Additionally, check the site “OSDev.”

      All of these should be easy to find by searching or Amazon.com

      Pay special attention to the I/O systems and Memory Management systems of these books.

      posted in General Malware Discussion
      moveax41h
      moveax41h
    • RE: Analysing Malware ATM JackPot

      Sweet, welcome to the board!!!

      posted in Informal/Tutorials
      moveax41h
      moveax41h
    • Vegas

      Who’s going to DEFCON, BlackHat or BSidesLV?

      posted in Off-Topic Lounge
      moveax41h
      moveax41h
    • MALWARE ANALYSIS RESOURCES//NOOBS READ FIRST

      I’m going to be updating this post with information for people who are new to malware analysis and research.

      Tool Lists

      • Check out my giant list for a rundown of some common tools and their usages.
      • Claus Cramon Houmann’s big list of malware analysis resources
      • Github List by rshipp
      • IDA Pro Scripts
      • IDA Pro Plugins

      YouTube Channels

      • Colin Hardy
      • OALabs
      • MalwareAnalysisForHedgehogs
      • L!NK
      • Hasherezade
      • Fabian Wosar
      • Binary Adventure
      • Bill Buchanan
      • This is only one video on the Sysinternals suite, but it’s worth it. Trust me.
        Fabian doesn’t put out as many videos as the other folks but when he does, they’re good.

      Blogs

      Pro tip: If you want to get good fast, read lots and lots of blogs

      • Malwarebytes
      • Cylance
      • FireEye
      • Securelist
      • Endgame.
      • Virus Bulletin
      • PCP TechTalk
      • Malware Analysis For Hedgehogs blog
      • Malware Unicorn’s site
      • Hasherezade’s blog
      • MalwareTech
      • Dr. Fu’s Malware Analysis blog (no longer updated but good info)
      • Forcepoint
      • G DATA
      • RedNaga
      • Lasha Khasaia
      • ExecuteMalware

      That should be plenty enough for you. Some of the personal blogs are actually folks who work for the companies as well. If I left any good blogs out, leave them below please.

      I also have some good content for newbies on my blog which hasn’t been updated in a while: https://toddcullumresearch.com

      Books // Publications

      • Practical Malware Analysis
      • Practical Reverse Engineering
      • AVIEN Malware Defense Guide for the Enterprise
      • The Art of Computer Virus Research and Defense
      • The IDA Pro Book
      • Malware Analyst’s Cookbook
      • Hacking: The Art of Exploitation
      • Windows Research Kernel
      • Windows Internals Parts 1 and 2
      • Microsoft PECOFF Format Specification (For Packers and PE header obstructions)
      • Gray Hat Hacking: The Ethical Hacker’s Handbook Third Edition

      Other Forums

      The malware analysis forum community isn’t as big as it could be but that’s why we’re here. The two most notable malware reversing forums include http://kernelmode.info and https://tuts4you.com . Both are actually operating systems and reversing forums but they have subsections for malware analysis. Another good one is https://reddit.com/r/malware if Reddit is what you like. Other than this, most other malware-related forums seem to be geared toward malware removal rather than the profession of malware analysis and research. This is why malwareanalysisforums.com was born. Those sites have a lot more users because they’re old. If you head over, please mention we sent ya! This forum aims to address malware analysis exclusively.

      Notable Contributors

      These are folks who have spent significant amounts of time contributing malware research works. I highly suggest googling their work with the word “malware” near their name:

      • Peter Ferrie - Anti Debugging Reference and PE file format research
      • Karsten Hahn master thesis - PE File format research
      • Ilfak Guilfanov and Igor Skochinsky - Hex-rays developers who created IDA Pro
      • pancake - creator of radare2 which can rival IDA Pro
      • Lenny Zeltser - Malware Analysis instructor, curator of Remnux
      • Didier Stevens - Malware Analyst, tool author, instructor

      I’m looking for more folks to add here. Of course, I could add those authors of aforementioned books, but I’m looking for others too. I’m sure I’ve forgotten some as I’m quite tired at the time I wrote this.

      Sample Sites

      If you need files to practice analyzing (in a SECURE and ISOLATED machine that you don’t care about), you can sign up for an account at one of these websites:
      http://malshare.com/
      http://www.malware-traffic-analysis.net/
      https://virusshare.com/
      http://virusign.com/
      https://malwr.com (TEMPORARILY DOWN)
      https://github.com/ytisf/theZoo - good for an organized search for a specific malware
      https://malpedia.caad.fkie.fraunhofer.de/login

      READ ME

      You must understand that being good at malware analysis requires a huge range of skills and knowledge and therefore, it is not adequate to only study just malware analysis. For this reason, you may see postings here and elsewhere which seem almost completely irrelevant and unrelated. However, literally every single software concept is somehow related to malware analysis because malware analysis is ultimately software analysis since the definition of malware is simply malicious software. For this reason, you will see recommendations to read about the PE file format, ELF format, general operating systems engineering (a huge one), WScript, JavaScript, SQL, PowerShell, Batch, etc…

      The reason why is because a single malware could contain every single one of those mentioned above as a component. This means that in order to properly analyze the software, an analyst needs to know enough about all of those, plus the slew of other languages and software frameworks out there. Luckily, general problem-solving skills go a long way and therefore extensive knowledge isn’t as important as general ability to problem solve these types of problems. However, I wanted to mention this so you understand why I’m telling you to go read books on x86 assembly or SIMD or C programming, for example.

      posted in General Malware Discussion
      moveax41h
      moveax41h
    • RE: Analysing Malware ATM JackPot

      @0btemos what do you want?? I will provide some info. In fact, I think during the holiday here I’m gonna post up some cool links/stuffs. But tell us what you want specifically. I’ve got some more time to spend on this forum now :)

      posted in Informal/Tutorials
      moveax41h
      moveax41h
    • Introduce yourself!

      You know how it goes. Don’t be shy! :)

      posted in Off-Topic Lounge
      moveax41h
      moveax41h

    Latest posts made by moveax41h

    • Bitwise hacks

      I’ve taken it upon myself to explore the world of bit manipulation and bitwise operations. This is primarily in the C language but most of the techniques apply to any language that supports gate operations like AND (conjunction), OR (disjunction), NOT (negation), and etc… I’ll be posting my bitwise adventures in this thread for fun.

      Bitwise AND can be used to extract bits from a binary number like so:

      1111 1010
      &
      0000 1111
      ------------------
      0000 1010
      

      Here we cleared out the top nibble (4 bits) and retained the low nibble. This could also have been accomplished with an XOR like so:

      1111 1010
      ^
      1111 0000
      -----------------
      0000 1010
      

      Turns out, all of these bit-level operations or “hacks” can be accomplished multiple ways due to De Morgan’s laws.

      posted in Coding
      moveax41h
      moveax41h
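      As an added example (not code from the post above): the AND-mask extraction from the post generalized to an arbitrary bit field, the two concrete operations from the post as functions, a check of why the XOR version clears the top nibble only when those bits are already set (XOR flips bits, it does not clear them), and a brute-force check of De Morgan’s laws over every pair of 8-bit values. All function names are my own.

```c
/* Added example, not from the forum post: bit-field extraction with AND,
 * XOR as a bit flip rather than a clear, and De Morgan's laws checked over
 * the full 8-bit range. Function names are illustrative. */
#include <stdint.h>
#include <stdio.h>

/* Extract `width` bits starting at bit `shift` (bit 0 is the LSB).
 * The mask is (1 << width) - 1 shifted into place; width is clamped so
 * the shift stays defined for a 32-bit unsigned operand. */
uint32_t extract_bits(uint32_t value, unsigned shift, unsigned width) {
    if (width == 0 || shift >= 32) return 0;
    if (width > 32 - shift) width = 32 - shift;
    uint32_t mask = (width == 32) ? 0xFFFFFFFFu : ((1u << width) - 1u);
    return (value >> shift) & mask;
}

/* The post's AND example: keep the low nibble, clear the high one. */
uint8_t low_nibble_and(uint8_t v) { return (uint8_t)(v & 0x0F); }

/* The post's XOR example: 0xFA ^ 0xF0 == 0x0A only because the top nibble
 * of 0xFA is all ones. For any other top nibble the XOR flips bits instead
 * of clearing them (0x7A ^ 0xF0 == 0x8A). */
uint8_t low_nibble_xor(uint8_t v) { return (uint8_t)(v ^ 0xF0); }

/* De Morgan: ~(a & b) == ~a | ~b and ~(a | b) == ~a & ~b.
 * Returns 1 if both identities hold for every pair of 8-bit values. */
int demorgan_holds_for_all_bytes(void) {
    for (unsigned a = 0; a < 256; a++) {
        for (unsigned b = 0; b < 256; b++) {
            uint8_t x = (uint8_t)a, y = (uint8_t)b;
            if ((uint8_t)~(x & y) != (uint8_t)(~x | ~y)) return 0;
            if ((uint8_t)~(x | y) != (uint8_t)(~x & ~y)) return 0;
        }
    }
    return 1;
}

int main(void) {
    printf("0xFA & 0x0F = 0x%02X\n", low_nibble_and(0xFA));
    printf("0xFA ^ 0xF0 = 0x%02X\n", low_nibble_xor(0xFA));
    printf("0x7A ^ 0xF0 = 0x%02X (XOR flipped bit 7 instead of clearing it)\n",
           low_nibble_xor(0x7A));
    printf("bits 4..7 of 0xFA = 0x%X\n", extract_bits(0xFA, 4, 4));
    printf("bits 8..15 of 0xDEADBEEF = 0x%02X\n", extract_bits(0xDEADBEEF, 8, 8));
    printf("De Morgan holds for all bytes: %d\n", demorgan_holds_for_all_bytes());
    return 0;
}
```

      The practical takeaway for field extraction is to use AND with a mask built from the field width, since that works regardless of what the surrounding bits hold; XOR is the right tool when the goal is to toggle known bits.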
    • RE: How to Secure Your App - The ULTIMATE Reference

      @sneakerhax Added, thank you!

      posted in Ask a Security Engineer
      moveax41h
      moveax41h
    • How to Secure Your App - The ULTIMATE Reference

      “How do I secure my app?”

      Although the answer itself can involve a series of steps, I believe that finding the answer is overly complex, especially with the technologies available on the modern web. I got tired of getting a run-around as a developer when seeking info - “Implement proper input validation,” “Install updates,” “Sanitize or parameterize database queries,” and so on… Lots of general “advice” but as developers, we need to know exactly what needs to be done in order to implement effective security into our apps. Additionally, advice clashes - “how do I prevent XSS” - some folks say sanitize user input, others say sanitize server-side requests, others say set the proper XSS headers, etc…

      We cannot make your app secure for you - that requires work on your part - but we can make learning how to properly secure your app much easier.

      For this reason, this post strives to answer “exactly how do I secure my app?” One of the fundamental most important pieces of info that we need in order to provide you, the app developer, with concrete information, is “what technologies are you trying to secure?”

      Thus, the data below will be organized in the following order:

      1.) Technology

      2.) Type of resource (Frameworks, Secure Coding Practices, etc…)

      Note that this guide, unlike many others on the web, is focused on how a developer/programmer/engineer can secure his/her app. It is not geared toward hacking, pentesting, or auditing an app. We will have a separate list for those items.

      What does it mean to have a “secure” app?

      For the purposes of this post, a “secure app” is an app which implements all known best-practice recommendations. For an app to be truly “secure”, it involves potentially hundreds of proper configuration requirements which should also be followed up by rigorous security testing built into the SDLC. However, every little bit counts. If you are not able to test, you can at least do your best in development. We want to make this process as easy as possible to perform.

      How to use this reference

      1. Press Ctrl+F or Cmd+F and type the technology you’d like to learn about.
      2. Follow the links and learn

      This page will be continuously updated as I have time, find more resources, and as resources become dead-links and/or outdated. The point is to have up-to-date or at least relatively recent advice since new threats pop up in security. If you would like to add a resource and it meets quality standards, feel free to post below.

      Security Frameworks

      These are higher-level guidelines/standards that you can use to ensure your software follows best security practices, or decide on which practices make sense to implement.

      1. OWASP Secure Coding Practice (all technologies)
      2. OWASP Web App Security Checklist/ASVS
      3. IoT Security Compliance Framework

      Django

      1. Django’s official Security in Django
      2. Django Girl’s Beginners tips

      Nodejs

      1. Node.js Secure Code Guidelines
      2. 23+ Node.js Security Best Practices
      3. Express.js Production Best Practices: Security

      Angular.js

      1. Security in Angular: Part 1
      2. Security in Angular: Part 2
      3. Security in Angular: Part 3
      4. Securing Angular.js Applications
      5. So you thought you were safe using Angular.JS
      6. Tips to secure your Angular application

      PHP

      1. Ultimate PHP Security Best Practices
      2. Ultimate PHP Security Checklist

      HTML5

      1. OWASP HTML5 Security Cheat Sheet

      JavaScript

      1. Firefox Extensions/Add-Ons security best practices
      2. Building Secure JavaScript Applications
      3. Defensive JavaScript
      4. Security Concerns With JavaScript Development

      Golang

      1. Go Memory Security
      2. Go Secure Coding Practices
      3. Common Golang Security Mistakes

      HTTP Security Headers

      1. Securing your HTTP Headers
      2. Content-Security-Policy Reference
      3. SecurityHeaders.io - check your site

      C

      1. SEI CERT C Coding Standard
      2. MISRA C: 2012 Guidelines
      3. MISRA C:2012 Official document (For purchase)

      C++

      1. SEI CERT C++ Coding Standard
      2. Secure Coding in C and C++

      Managed/VM

      .NET Code

      1. OWASP .NET Cheat Sheet
      2. Top .NET Secure Coding Practices for a Team
      3. ASP.NET MVC Security Best Practices
      4. ASP.NET WebForms Security Best Practices
      5. ASP.NET Core Security Tips

      Java

      1. SEI CERT Oracle Coding Standard for Java
      2. Oracle Secure Coding Guidelines for Java SE

      Electron

      1. Electron’s Official Documentation for Security
      2. Electron Security Checklist
      3. Securing Electron Apps with OpenID Connect & OAuth 2.0

      Python

      1. OpenStack Python Secure Development Guide
      2. Python Secure Coding Guidelines
      3. Python Security Best Practices Cheat Sheet

      Ruby on Rails

      1. Ruby on Rails Official Security Guide
      2. Engineyard 17-item checklist
      3. Preventing Security Issues in Ruby on rails
      4. OWASP Cheat Sheet for RoR

      Databases

      MongoDB

      1. MongoDB Official Security Checklist
      2. MongoDB Security Tips
      3. MongoDB Security Top 10
      4. Definitive Guide to MongoDB Security

      Microsoft SQL Server

      1. Top 10 Security Considerations for your SQL Server Instances
      2. SQL Server Security Best Practices
      3. Microsoft’s Official SQL Server Security Guidance

      Ubuntu Server Hardening

      1. Harden Ubuntu 18.04 in 5 Easy Steps
      2. Secure Ubuntu 16.04 LTS Part 1
      3. How to Harden Ubuntu 18.04 Server
      4. Best Practices for Hardening a new Ubuntu Server

      NGINX Server Hardening

      1. Top 25 NGINX Web Server Best Security Practices
      2. NGINX Security Vuln/Hardening Best Practices

      Wordpress

      1. Wordpress Security Checklist

      JSON Web Token (JWT)

      1. JSON Web Token Cheat Sheet for Java
      2. JSON Web Token Best Practices

      Special thanks to: @sneakerhax for his contributions to the Node.js & Python resources.

      posted in Ask a Security Engineer
      moveax41h
      moveax41h
    • READ FIRST - How to use/Disclaimer

      The intention of this section entitled Ask A Security Engineer is for software engineers, architects, and other software professionals to ask specific questions to be answered by those working as or who have worked as security engineers.

      Disclaimer: By using this forum category, you agree that any advice you choose to follow is at your own risk and note that AppSecForums, its staff and owner do not validate, vet, endorse, warranty, or guarantee the advice given in this forum in any way. Any advice given here is not advice given by AppSecForums but rather, by its independent members. You, the follower of the advice, are responsible for any and all damages that may occur as a result of following the advice.

      posted in Ask a Security Engineer
      moveax41h
      moveax41h
    • We welcome Feedback

      Please feel free to suggest new forums. Know that we plan to start out slim on purpose, and as activity picks up, we will indeed add new forum categories as needed. In the meantime, don’t feel unwelcome to post something in the General AppSec forum if you can’t find a good category.

      posted in Site Suggestions and Feedback
      moveax41h
      moveax41h
    • Favorite Static Analysis tools

      List all of your favorite static code analysis tools here - both commercial and open source. Give a description of what you like about the tool.

      posted in General AppSec Discussion
      moveax41h
      moveax41h
    • RE: How to Analysis Dll file.

      @rohit_secres said in How to Analysis Dll file.:

      Hi all,
      I need your help. Can you please tell me how to analyse DLL files, because they are not directly executable? How can we check DLLs to analyse them and find their behaviour?
      Thanks.

      For this, you can use several options.

      A DLL file, as you may know, contains code functions; it just doesn’t have a “main” function which the OS loader can run directly. However, another program can load the DLL file, and there is one supplied with Windows called rundll32.exe. If you run rundll32.exe at the command line and pass to it the DLL file, followed by a comma, followed by either a function name or an ordinal number, then rundll32.exe will execute the function specified.

      You can also analyze DLL files with IDA Pro, x64Dbg, and OllyDbg. OllyDbg has its own DLL loader but if you want, you could always load rundll32.exe in another debugger and simply pass to it the argument to load the DLL that you want… Then, you can tell the debugger to “break on module load” and keep pressing Continue until the dll you want is loaded, then step through the code that way.

      There are a few other caveats to note with DLL files: Earlier I said DLL files don’t have a “main” like exes. This isn’t really true. DLLs actually do have a main and it’s called DllMain. DllMain is run whenever the DLL is loaded into a program so it is important to note that a DLL file can execute code which is outside of the function being imported to another exe by placing it in DllMain or jumping to it from DllMain.

      Another thing, you will note that when you use rundll32.exe, you don’t really have nice options to pass multiple arguments to a function. For example, the function CreateProcess() takes more than 1 argument and if you wanted to run it so that it actually works, you’d have to supply all of those args. You cannot do that with rundll32 unfortunately. The OllyDbg DLL loader has better support for more arguments than rundll32.exe does.

      posted in AppSec Tools
      moveax41h
      moveax41h
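      As an added example (my own code, not from the thread): a minimal library that shows the two points made in the reply above. First, code placed in DllMain runs at load time, before any exported function is called, so merely loading a DLL in a debugger or via rundll32.exe already executes code. Second, a rundll32-style entry point receives the rest of the command line as a single string, so several arguments have to be packed into, and parsed out of, that one string. The file name rundll_demo, the export name RunDllEntry, the build line and the “a,b” packing format are assumptions; on non-Windows toolchains the same file uses a GCC/Clang constructor in place of DllMain so the load-time behaviour can be observed without a DLL.

```c
/* Added example, not from the forum thread. Assumed build on Windows:
 *   cl /LD rundll_demo.c
 *   rundll32.exe rundll_demo.dll,RunDllEntry 2,3
 * Elsewhere it compiles as a normal program with a load-time constructor. */
#include <stdio.h>

static int g_ran_at_load_time = 0;   /* set only by loader-invoked code */

/* The work done when the library is loaded, i.e. the DllMain body. */
static void on_library_loaded(void) {
    g_ran_at_load_time = 1;
}

/* Lets a caller observe that load-time code ran before any export was used. */
int ran_at_load_time(void) { return g_ran_at_load_time; }

/* Parse the single rundll32 argument string "a,b" into two integers.
 * Returns 1 on success, 0 if the string is not of that form. */
int parse_two_ints(const char *cmdline, int *a, int *b) {
    int x = 0, y = 0;
    if (cmdline == NULL || sscanf(cmdline, "%d,%d", &x, &y) != 2) return 0;
    *a = x;
    *b = y;
    return 1;
}

int cmdline_is_valid(const char *cmdline) {
    int a, b;
    return parse_two_ints(cmdline, &a, &b);
}

/* Sum of the two packed integers, or 0 when the string cannot be parsed. */
int sum_from_cmdline(const char *cmdline) {
    int a, b;
    return parse_two_ints(cmdline, &a, &b) ? a + b : 0;
}

#ifdef _WIN32
#include <windows.h>

/* Called by the loader on process/thread attach and detach; this is the
 * code that runs before any export is invoked. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    (void)hinstDLL; (void)lpvReserved;
    if (fdwReason == DLL_PROCESS_ATTACH) on_library_loaded();
    return TRUE;
}

/* rundll32.exe calls an export with this signature; lpszCmdLine is
 * everything after the "dll,function" token as one string. */
__declspec(dllexport) void CALLBACK RunDllEntry(HWND hwnd, HINSTANCE hinst,
                                                LPSTR lpszCmdLine, int nCmdShow) {
    (void)hwnd; (void)hinst; (void)nCmdShow;
    if (cmdline_is_valid(lpszCmdLine))
        printf("sum=%d (load-time code ran first: %d)\n",
               sum_from_cmdline(lpszCmdLine), ran_at_load_time());
    else
        printf("expected a single argument of the form a,b\n");
}
#else
/* GCC/Clang: runs at load time, the closest analogue to DllMain here. */
__attribute__((constructor)) static void library_ctor(void) { on_library_loaded(); }

int main(void) {
    printf("load-time code ran before main: %d\n", ran_at_load_time());
    printf("sum_from_cmdline(\"2,3\") = %d\n", sum_from_cmdline("2,3"));
    printf("cmdline_is_valid(\"2;3\") = %d\n", cmdline_is_valid("2;3"));
    return 0;
}
#endif
```

      For an analyst the relevant consequence is the first point: setting a breakpoint on the exported function alone can miss whatever DllMain does, so breaking on module load (as the reply suggests) or on DllMain itself is the safer starting point.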
    • RE: Introduce yourself!

      @struppigel I was so happy when I saw you on here. Welcome!!!

      posted in Off-Topic Lounge
      moveax41h
      moveax41h
    • RE: Introduce yourself!

      @z3r0sum hey, welcome to Malware Analysis Forums. I hope you connect with other members here since there are not many reversers near you. Feel free to ask anything or share resources here!

      posted in Off-Topic Lounge
      moveax41h
      moveax41h
    • WARNING if you use VirtualBox for analysis

      Hey all,

      Just wanted to let you know that in the newer version of Oracle VirtualBox 5.2.8r121009, Oracle moved the position of the Delete Snapshot button. As an analyst, I often restore snapshots and typically I do it by right clicking on the snapshot in my list of snapshots and clicking the first option, which used to be “Restore Snapshot.” They’ve now put the Delete Snapshot option in that spot, so if you are just flying through it fast or have muscle memory, you may accidentally delete your snapshot! Luckily I didn’t, but that is a very poor design choice!!

      On a side note, check this talk out:

      https://www.youtube.com/watch?v=fFaWE3jt7qU&t=496s

      Enjoy. Happy hunting.

      posted in General Malware Discussion
      moveax41h
      moveax41h