<aside> 📌 Sommaire

</aside>

Advanced Static Analysis

OBJ → comprendre plus du malware

Advanced Analysis of a Process Injector

• A full round of fundamental analysis before decompiling
• In this case, we analyse the result of the executed malware
• Process injection consists of injecting a malicious payload into a valid program
  • Pay attention to args. Here it is moved to a register
  • Call to the OpenProcess, lets check the parameters
    • Among the parameters, the process id is passed through the argument

<aside> 💡 REVOIR LA VIDEO

</aside>

Hello, World! Under a Microscope Part I

Revisiting the Dropper: Assembly Instructions and the Windows API

x86 CPU Instructions, Memory Registers, & the Stack: A Closer Look

CPU instructions

• Arithmetic
  • SUB
    • Subtract numbers with numbers and even locations
• data movement
  • MOV
    • ASM is right to left. The instruction comes first, then the destination, then the source.
    • MOV edx, eax
    • eax → edx
  • stack interaction
    • PUSH
      • push down to the stack
    • POP
      • pop the lower variable of the stack
• control flow
  • JMP
    • Jump the execution to a specific location
    • Can be conditional, JMZ: jump if not zero
  • CALL
    • call functions and receive return value
    • save the original location in the epb (or the distance from the original location ?)
  • RET
    • return

Stack

• from higher addresses to lower, it grows from 0xffffffff to 0x00000000