What tools can assess a suspicious RTF file? How to deobfuscate a JavaScript attachment? Where to set breakpoints for unpacking a malicious executable? What utilities can intercept C2 traffic in the lab? How do the various reverse-engineering methods fit together?
So much to remember! I created 4 cheat sheets to make it easier to recall answers to these and many other malware analysis questions.
Some of these cheat sheets have been around for a while; I recently updated them to reflect the latest tools and techniques. The one listed first is brand new:
- Reverse-Engineering Malicious Code: Tips for examining malicious executables via static and dynamic code analysis with a debugger and a disassembler.
- REMnux Usage Tips for Malware Analysis on Linux: Tools and commands for analyzing malicious software on the REMnux distribution built for this purpose.
- Analyzing Malicious Documents: Tips and tools for analyzing malicious documents, such as Microsoft Office, RTF, and Adobe Acrobat (PDF) files.
- Malware Analysis and Reverse-Engineering: Shortcuts and tips for analyzing malicious software; overview of the general approach.
I placed a 1-page limit on each of these cheat sheets to force myself to be selective and succinct. As a result, their contents are quite condensed. You're welcome to print PDF versions of each file or modify Microsoft Word versions for your own needs.
Many of the tools and techniques captured in these cheat sheets are covered in the FOR610: Reverse-Engineering Malware course I've co-authored at SANS.
For additional references from SANS faculty members, see the Community: Cheat Sheets page on the SANS Digital Forensics and Incident Response site.
— Lenny Zeltser
Lenny Zeltser is a senior instructor at SANS Institute. He is active on Twitter.
