Malware Analysis - basic code analysis with BinNavi



This is a supplemental technical section to the wiki article “Malware Analysis foundation level workflows”.

Callgraph and X-ref

In IDA Pro you go to the Imports tab, double-click the Windows API function you think is used in an interesting context, and then press “x” for X-ref. This lists the cross-references to that import within the IDB, i.e. the functions that call it.

Example: IDA Pro Imports

Now let’s go for ReadFile because IO operations are usually interesting.

Example: BinNavi Callgraph

Essentially we want to do the same, but with a different workflow. The Callgraph in 'Navi is searchable, so you can search for ReadFile.

Doesn’t that function name look familiar? So what else is sub_1002Af6 calling?

Right, WinAPI crypto functions. Isn’t that useful? Let’s go to sub_1002Af6 and search for decryption routines.

Found it: CryptDecrypt. So if I fire up a debugger, I set a breakpoint at 0x1002C93 and check the hKey handle.
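The callgraph query this workflow performs by hand (who calls ReadFile, what does that function call, which functions touch both file I/O and CryptoAPI), as an added Python example that is not part of the post and does not use BinNavi's or IDA's API; the callgraph is a constructed sample whose sub_ names mirror the ones above.

```python
from collections import deque

# Constructed callgraph (hand-built sample, not exported from BinNavi or IDA):
# caller -> direct callees; sub_* are functions, other names are WinAPI imports.
CALLGRAPH = {
    "sub_1001000": {"CreateFileW", "sub_1002Af6", "CloseHandle"},
    "sub_1002Af6": {"ReadFile", "CryptAcquireContextW", "CryptImportKey",
                    "CryptDecrypt", "sub_1003000"},
    "sub_1003000": {"VirtualAlloc", "memcpy"},
    "sub_1004000": {"RegOpenKeyExW", "RegQueryValueExW"},
    "sub_1005000": {"sub_1001000", "ExitProcess"},
}
IO_APIS = {"ReadFile", "WriteFile", "CreateFileW", "CreateFileA"}
CRYPTO_APIS = {"CryptAcquireContextW", "CryptImportKey", "CryptDecrypt",
               "CryptEncrypt", "CryptDeriveKey"}


def xrefs_to(graph, target):
    """IDA's 'x' on an import: every function that directly calls target."""
    return sorted(f for f, callees in graph.items() if target in callees)


def reachable_apis(graph, func):
    """Imports reachable from func through any chain of sub_* calls (BFS)."""
    seen, queue, apis = {func}, deque([func]), set()
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in graph:          # leaf: an imported API
                apis.add(callee)
            elif callee not in seen:         # another function: keep walking
                seen.add(callee)
                queue.append(callee)
    return apis


def rank_candidates(graph, transitive=False):
    """[(func, sorted APIs)] for functions hitting both I/O and crypto imports.
    transitive=True also credits imports reached via callees, which lifts
    wrappers and the entry point above the worker; start with direct calls."""
    hits = []
    for func in graph:
        apis = reachable_apis(graph, func) if transitive else graph[func]
        io, crypto = apis & IO_APIS, apis & CRYPTO_APIS
        if io and crypto:
            hits.append((len(io | crypto), func, sorted(io | crypto)))
    return [(f, a) for _, f, a in sorted(hits, reverse=True)]


if __name__ == "__main__":
    print("callers of ReadFile:", xrefs_to(CALLGRAPH, "ReadFile"))
    print("I/O + crypto workers:", rank_candidates(CALLGRAPH))
```

On this sample the direct query returns only sub_1002Af6, while the transitive one also flags its callers, which is why the direct view is the better starting point for picking a breakpoint.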


With BinNavi it’s easy to search through disassembly graphs. This can help to get ideas about how to reverse engineer malicious executables.