LetsDefend Academy

Malware Analyst's Toolbox

Let's take a look at the tools that can make our job easier when analyzing malicious software.

In order to create a mind map, I divided the tools that we can use during malware analysis into 5 different categories.

There are many useful tools that are not covered here but can be used in malware analysis. This article consists of the tools we frequently encounter and use in malware analysis.

1) Disassemblers

In order for a program written in many languages (compiled languages such as C and C++) to be run by a machine, it must be converted into the 0s and 1s that the machine can understand. This process is called compilation.

When we want to analyze a malware sample, it is almost impossible to analyze it as raw 0s and 1s. A disassembler converts the compiled software back into assembly language, a format that can be read and analyzed.

Because of its ease of use, its capabilities and its support for many file formats, the IDA disassembler from Hex-Rays is widely used.

It is a must-have software in your toolbox.

2) Debuggers

Debuggers are software that allow us to monitor and modify the operation of a program step by step, and to monitor and control the registers and stack of the program at runtime.

Some of the most popular debuggers are listed below.

  1. IDA Debugger
  2. Immunity Debugger
  3. OllyDbg
  4. WinDbg
  5. x64dbg

We will often use debuggers in our malware analysis.

3) File Viewers, Editors and Identification Tools

PE file editors display the information in files in the Portable Executable (PE) file format in a readable form.

The Portable Executable file format contains information that may be important to a malware analyst. For example, by looking at the "Machine" field in the Image File Header, you can find out whether the malware was built to target 32-bit or 64-bit operating systems.

Below are some tools that you can use.

  1. CFF Explorer
  2. PEView
  3. PEiD
  4. BinText (I know it's not a file editor, but it can show you the strings inside a PE file)
  5. DocFileViewerEX
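To show what the "Machine" check above looks like in practice, here is an added example (not code from the original article or from any of the listed tools) that follows e_lfanew from the DOS header to the PE signature and reads the Machine field of IMAGE_FILE_HEADER. The machine-to-bitness table and the constructed header bytes are the example's own assumptions.

```python
import struct

# Machine values from the PE specification (IMAGE_FILE_HEADER.Machine),
# mapped to the bitness an analyst would infer from them.
MACHINE_TYPES = {
    0x014C: ("IMAGE_FILE_MACHINE_I386", 32),
    0x8664: ("IMAGE_FILE_MACHINE_AMD64", 64),
    0x01C0: ("IMAGE_FILE_MACHINE_ARM", 32),
    0xAA64: ("IMAGE_FILE_MACHINE_ARM64", 64),
}

def pe_machine(data: bytes) -> dict:
    """Return the Machine field and inferred bitness of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ signature)")
    # e_lfanew (offset 0x3C in the DOS header) points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit inside the file;
    # malformed samples often point e_lfanew outside the buffer.
    if e_lfanew + 4 + 20 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER starts right after the signature:
    # Machine (u16), NumberOfSections (u16), TimeDateStamp (u32), ...
    machine, num_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    name, bits = MACHINE_TYPES.get(machine, ("unknown", None))
    return {"machine": machine, "name": name, "bits": bits, "sections": num_sections}

def build_sample(machine: int) -> bytes:
    """Constructed minimal DOS + PE header (not a runnable executable) for demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xF0, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_header

if __name__ == "__main__":
    import sys
    # Pass a file path to inspect a real sample; otherwise use the constructed header.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(0x8664)
    print(pe_machine(data))
```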

4) Network Analysis Tools

Malware performs network activity for various purposes, such as stealing data, receiving commands from command and control servers, and spreading within the network.

In order to monitor and analyze the network activity of malicious software, the malware analyst must have a tool in her/his toolbox that can capture and analyze network traffic.

Below are some network analysis tools you can use.

  1. Wireshark
  2. Fiddler

5) Others

Apart from the tools mentioned above, there are many other tools you can use in malware analysis to make your job easier.

You can view file, registry and process/thread events in the operating system with the Process Monitor (procmon) tool from Sysinternals.

With the Autoruns tool from Sysinternals, you can see the programs that will start automatically in the operating system. Malware often registers itself to start automatically in order to ensure its persistence on the system.

Each of the Sysinternals tools makes our job much easier in malware analysis, and we can perform many operations with them. For this reason, we strongly recommend adding the Sysinternals suite to your toolbox.

With the Volatility tool, you can perform memory forensics on captured memory images.

You can use tools such as Process Hacker and Process Explorer to see and monitor the processes running on the operating system.

Do not forget to take a snapshot after installing these tools on the virtual machine we have created for malware analysis. After each analysis, we will revert to that snapshot and return to the clean state in which all tools were installed.