Malware Analysis - basic code analysis with BinNavi

windows
reverse_engineering
610_navi
malware-analysis

This is a supplemental technical section to the wiki article “Malware Analysis foundation level workflows”.

Callgraph and X-ref

In IDA Pro you open the Imports tab, double-click the Windows API function you suspect is used in an interesting context, and press “x” for X-ref. This lists the cross-references of that import, i.e. every location in the IDB that calls it.

Example: IDA Pro Imports

Now let’s go for ReadFile because IO operations are usually interesting.

Example: BinNavi Callgraph

Essentially we want to do the same, but with a different workflow. The Callgraph in 'Navi is searchable, so you can search for ReadFile directly.

Doesn’t that function name look familiar? So what else is sub_1002Af6 calling?

Right, WinAPI crypto functions. Isn’t that useful? Let’s go to sub_1002Af6 and search for decryption routines.

Found it: CryptDecrypt. So if I fire up a debugger, I can set a breakpoint at 0x1002C93 and inspect the hKey handle passed to it.
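
The callgraph walk used above (find the callers of an interesting import, then see which other APIs those callers reach) as an added example; this is not part of the original post and does not use BinNavi's own API. The callgraph is a constructed adjacency map, and the function names and edges in it are invented for illustration.

```python
# Added example: callgraph x-ref walk over a constructed adjacency map (caller -> callees).
from collections import deque

# Constructed sample callgraph; names and edges are invented, not from a real binary.
# Names with no outgoing edges (not keys of the map) are treated as imports.
SAMPLE_CALLGRAPH = {
    "start":       {"sub_1001000", "sub_1002Af6"},
    "sub_1001000": {"CreateFileA", "ReadFile", "CloseHandle"},
    "sub_1002Af6": {"CreateFileA", "ReadFile", "CryptAcquireContextA",
                    "CryptImportKey", "CryptDecrypt", "sub_1003000"},
    "sub_1003000": {"WriteFile", "CloseHandle"},
}

# WinAPI names that hint at key handling or decryption; a triage hint, not a verdict.
CRYPTO_IMPORTS = {"CryptAcquireContextA", "CryptAcquireContextW", "CryptImportKey",
                  "CryptDeriveKey", "CryptGenKey", "CryptDecrypt", "CryptEncrypt"}

def callers_of(graph, target):
    """X-ref: every function in the graph that calls `target` directly."""
    return {caller for caller, callees in graph.items() if target in callees}

def imports_called_by(graph, func):
    """Imports a function calls directly (callees that are not themselves in the graph)."""
    return {c for c in graph.get(func, set()) if c not in graph}

def reachable_from(graph, start):
    """All nodes reachable from `start` by following call edges (BFS), including `start`."""
    seen, todo = {start}, deque([start])
    while todo:
        func = todo.popleft()
        for callee in graph.get(func, set()):
            if callee not in seen:
                seen.add(callee)
                todo.append(callee)
    return seen

def find_candidates(graph, io_import="ReadFile", crypto=CRYPTO_IMPORTS):
    """Callers of `io_import` that also reach a crypto API: the routines worth a breakpoint."""
    out = {}
    for caller in callers_of(graph, io_import):
        hits = reachable_from(graph, caller) & crypto
        if hits:
            out[caller] = sorted(hits)
    return out

if __name__ == "__main__":
    for func, apis in find_candidates(SAMPLE_CALLGRAPH).items():
        print(f"{func}: {', '.join(apis)}")
```

On the constructed graph only sub_1002Af6 survives the filter, because sub_1001000 reads a file but never reaches a Crypt* API.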

Summary

With BinNavi it’s easy to search through disassembly graphs. This can help to get ideas about how to reverse engineer malicious executables.