This document compares tools for malware analysis, including static analysis tools like IDA Pro that disassemble malware without execution, and dynamic analysis tools like Wireshark and Process Monitor that observe malware behavior when executed. It discusses how static tools like IDA Pro decompile malware to understand control and data flow, while dynamic tools like Wireshark sniff network packets and Process Monitor monitors file, registry, and process activity in real-time. The document recommends combining static and dynamic analysis tools to thoroughly analyze malware.
1. A COMPARISON OF TOOLS FOR MALWARE ANALYSIS
Tiziana Spata
tizianaspata@yahoo.it
Università degli Studi di Catania
Dipartimento di Matematica e Informatica
4. Static Analysis
It’s performed without executing the program:
• Disassemble the malware
• Control flow or data flow analysis: provides a great deal of information on how the malware functions
5. IDA Pro
The Interactive Disassembler Professional is a product of Hex-Rays.
It’s a recursive descent disassembler, which follows control flow through:
• Sequential Flow Instructions
• Conditional Branching Instructions
• Unconditional Branching Instructions
• Function Call Instructions
• Return Instructions
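As an added illustration of how a recursive descent disassembler treats the five instruction classes above (example code, not from the slides or from IDA Pro), the following Python models a constructed toy instruction set and contrasts recursive descent with a naive linear sweep over the same bytes:

```python
# Constructed toy instruction set (not a real ISA): opcode -> (mnemonic, length, flow kind).
OPCODES = {0x00: ("NOP", 1, "seq"), 0x01: ("MOV", 2, "seq"), 0x02: ("JMP", 2, "uncond"),
           0x03: ("JZ", 2, "cond"), 0x04: ("CALL", 2, "call"), 0x05: ("RET", 1, "ret")}

def decode(code, addr):
    """Decode one insn -> (mnemonic, length, kind, target); branch operands are signed rel8 from the next insn."""
    mnemonic, length, kind = OPCODES[code[addr]]
    target = (addr + length + int.from_bytes(code[addr + 1:addr + 2], "little", signed=True)
              if kind in ("uncond", "cond", "call") else None)
    return mnemonic, length, kind, target

def linear_sweep(code):
    """Naive disassembly: decode bytes back to back in address order (no flow tracking)."""
    insns, addr = {}, 0
    while addr < len(code):
        insns[addr] = decode(code, addr)
        addr += insns[addr][1]
    return insns

def recursive_descent(code, entry=0):
    """Follow control flow from the entry point, the strategy a recursive descent disassembler uses."""
    insns, worklist = {}, [entry]
    while worklist:
        addr = worklist.pop()
        while addr < len(code) and addr not in insns:  # stop when reaching code already decoded
            insns[addr] = insn = decode(code, addr)
            _, length, kind, target = insn
            if kind == "seq":                 # sequential flow: the next instruction is code
                addr += length
            elif kind == "uncond":            # unconditional branch: only the target is code
                addr = target
            elif kind in ("cond", "call"):    # conditional branch / call: both paths are code
                worklist.append(target)
                addr += length
            else:                             # return: this path ends here
                break
    return dict(sorted(insns.items()))

# Constructed sample program: after the RET at 0x0A sits one data byte (0x01) that looks like a MOV opcode.
SAMPLE = bytes([0x01, 0x05,  # 0x00 MOV 5
                0x03, 0x02,  # 0x02 JZ   -> 0x06
                0x02, 0x04,  # 0x04 JMP  -> 0x0A
                0x04, 0x04,  # 0x06 CALL -> 0x0C
                0x02, 0x00,  # 0x08 JMP  -> 0x0A (already decoded, so descent stops there)
                0x05,        # 0x0A RET
                0x01,        # 0x0B data byte, never executed
                0x00, 0x05]) # 0x0C NOP (call target), 0x0D RET

if __name__ == "__main__":
    for name, fn in (("linear sweep", linear_sweep), ("recursive descent", recursive_descent)):
        print(f"{name:18}", [(hex(a), i[0]) for a, i in fn(SAMPLE).items()])
```

Recursive descent never decodes the data byte at 0x0B, while the linear sweep treats it as a MOV, swallows the NOP at 0x0C as its operand and desynchronises.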
6. Dynamic Analysis
It’s performed by executing programs in a real or virtual environment.
• Black Box Analysis: "what you see is all you get"
• White Box Analysis: it’s different from Static Analysis!
7. Wireshark
It’s a free and open-source packet analyzer.
Most network interfaces can be put in “promiscuous mode”, in which they supply to the host all network packets they see.
8. oSpy
It’s a packet sniffing tool which aids in reverse-engineering software running on the Windows platform.
The sniffing is done at the API level, which allows a much more fine-grained view of what’s going on.
9. Process Monitor
It’s an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity.
Process Monitor includes powerful monitoring and filtering capabilities:
• File System
• Registry
• Process
• Network
• Profiling
10. OllyDbg
It’s a debugger that traces registers, recognizes procedures, API calls…
It has a friendly interface, and its functionality can be extended by third-party plugins.
11. Conclusions
A good analysis of malware can be made thanks to the combination of several tools that implement techniques of static and dynamic analysis.
Thanks for your attention!