Software Diagnostics Library

Malware Analysis Patterns (Part 4)

The next pattern is closely linked to packed and/or obfuscated code. We call it Pre-Obfuscation Residue. Depending on a level of obfuscation and/or packing some initial code and data structures and patterns including fragments of strings may leak in post-obfuscation data giving a clue to intended software behavior:

0:000> s-sa 00000000`00fd4000 L6000 [...] 00000000`00fd943d "o__" 00000000`00fd9449 "91!We" 00000000`00fd945d "H5!" 00000000`00fd94d2 "zQ@" 00000000`00fd94dd "ommandS" 00000000`00fd94f4 “IsDeb” 00000000`00fd94fd “uggerP” 00000000`00fd9507 “Enc” 00000000`00fd950c “v)3Po4t” 00000000`00fd9515 “DeXU” 00000000`00fd9520 “xFe” 00000000`00fd952a “5Eb” 00000000`00fd9533 “SI=l8kev” 00000000`00fd953e “Z_1m” 00000000`00fd9547 “@IF” […]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

This entry was posted on Saturday, January 19th, 2013 at 1:03 am and is filed under Crash Dump Analysis, Malware Analysis, Malware Patterns. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

You must be logged in to post a comment.

Malware Analysis Patterns (Part 4)

Leave a Reply