Friday, February 29, 2008

Fifteen Minute Malware Analysis

1. VMware Workstation or VMware Server (Server = free)
2. Windows 2000 (small $)
3. TextScan - Free (by AnalogX)
4. PtfinderFE - Free (PTFINDER by Andreas Schuster and Front-End by Richard McQuown)
5. LSPM (SourceForge) - Free (by Harlan Carvey)

1. Create a VMware Windows 2000 machine. Keep the RAM at 256 MB or less (saves processing time).
2. Start the VMware Windows 2000 machine. Pause the machine.
3. Place a copy of the .VMEM file into a folder called "Baseline".
4. Unpause (resume) your machine and add your virus. I like to run the virus from the desktop.
5. Pause your machine and place a copy of the .VMEM file into a new folder called "Infected".
6. Unpause (resume) your machine. Now recycle the machine's power (turn it off and back on). Pause your machine again and place your last .VMEM file into a folder called "Stop_and_Start".
7. Now point PTFINDERFE at the three .VMEM files in the "Baseline", "Infected" and "Stop_and_Start" folders.
8. Review the output JPEG image and find your virus process. Get its PED (0x#########).
9. Run LSPM using the PED from step 8.
10. Run TextScan against the image file that LSPM created.
11. Review the TextScan text and find your gold.
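As an added example (not from the original post and not code from any of the tools listed above), here is the Baseline / Infected / Stop_and_Start comparison from steps 3 to 11 as a Python script: it pulls printable strings out of the three .VMEM files and reports what is new after infection and what is still there after the power cycle. It generalizes the last step by diffing the whole snapshots rather than only the LSPM-dumped process; the embedded sample images, paths and hostname are constructed stand-ins, not real dumps.

```python
import re
import sys
from typing import Set

def extract_strings(blob: bytes, min_len: int = 6) -> Set[str]:
    """Printable ASCII and UTF-16LE runs of at least min_len chars (what TextScan lists)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)}
    return found

def new_in_infected(baseline: bytes, infected: bytes, min_len: int = 6) -> Set[str]:
    """Strings that appear only after the sample ran: the first triage list."""
    return extract_strings(infected, min_len) - extract_strings(baseline, min_len)

def survives_reboot(baseline: bytes, infected: bytes, stop_and_start: bytes,
                    min_len: int = 6) -> Set[str]:
    """Strings absent from Baseline but present in both Infected and Stop_and_Start:
    a hint that the sample installed something that comes back after a power cycle."""
    base = extract_strings(baseline, min_len)
    return (extract_strings(infected, min_len) & extract_strings(stop_and_start, min_len)) - base

def _image(*parts: bytes) -> bytes:
    """Constructed stand-in for a .VMEM file: strings separated by non-printable filler."""
    return b"\x00\x01\x02".join(parts) + b"\x00"

# Constructed sample images (not real memory dumps); paths and hostname are made up.
OS_STR = b"C:\\WINNT\\system32\\svchost.exe"
SAMPLE_PATH = b"C:\\Documents and Settings\\Analyst\\Desktop\\sample.exe"
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
BEACON = b"GET /check HTTP/1.1 Host: c2.example.invalid"
BASELINE = _image(OS_STR, b"Windows 2000 Professional")
INFECTED = _image(OS_STR, b"Windows 2000 Professional", SAMPLE_PATH, RUN_KEY, BEACON)
STOP_AND_START = _image(OS_STR, b"Windows 2000 Professional", SAMPLE_PATH, RUN_KEY)

def main(argv):
    if len(argv) == 4:  # real use: baseline.vmem infected.vmem stop_and_start.vmem
        b, i, s = (open(p, "rb").read() for p in argv[1:])
    else:               # no arguments: run on the constructed images above
        b, i, s = BASELINE, INFECTED, STOP_AND_START
    print("New after infection:")
    for line in sorted(new_in_infected(b, i)):
        print("  ", line)
    print("Still present after power cycle:")
    for line in sorted(survives_reboot(b, i, s)):
        print("  ", line)

if __name__ == "__main__":
    main(sys.argv)
```

Treat the "still present after power cycle" list as the starting point for the registry and file-system checks, since the three-snapshot diff only shows that something persisted, not how.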

