This is a supplemental technical section to the wiki article “Malware Analysis foundation level workflows”
Callgraph and X-ref
In IDA Pro, open the Imports tab, double-click the Windows API function you suspect is used in an interesting context, and press "x" (Xrefs to) on its name. IDA then lists every location in the IDB that references that import, which for an API function is effectively the list of its call sites. Keep in mind that the Imports tab only shows statically imported functions: APIs resolved at run time through LoadLibrary/GetProcAddress do not appear there, so an empty list is not proof that, say, no crypto API is used.
Example: IDA Pro Imports
Now let’s go for ReadFile, because I/O operations are usually interesting.
Example: BinNavi Callgraph
Essentially we want to do the same, but with a different workflow. The callgraph in 'Navi is searchable. You can search for
Doesn’t that function name look familiar? So what else is
Right, WinAPI crypto functions. Isn’t that useful? Let’s go to sub_1002AF6 and search for decryption routines.
Found it: CryptDecrypt. So if I fire up a debugger, I set a breakpoint at 0x1002C93 and check the
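The workflow above (import of interest, cross-references to it, containing function, breakpoint on the call site) can be scripted. The following is an added example and not code from the wiki page or from IDA/BinNavi. The first part builds a reverse cross-reference index and a callgraph from a constructed IDA-style text listing so that it runs offline; only the labels sub_1002AF6 and 0x1002C93 echo the section, all other instructions and addresses are invented. The second part asks the same question of a live IDB through IDAPython (`idc.get_name_ea_simple`, `idautils.XrefsTo`); it only works inside IDA. The API lists in `INTERESTING_APIS` are the editor's own starting point.

```python
"""Scripted version of the X-ref workflow (added example, not from the page).

Part 1 parses a text disassembly listing into a callgraph and a reverse
cross-reference index. Part 2 runs the same query against an open IDB.
"""
import re
from collections import defaultdict

# APIs worth a first look. Editor's assumption; extend to taste.
INTERESTING_APIS = {
    "io": {"ReadFile", "WriteFile", "CreateFileA", "CreateFileW"},
    "crypto": {"CryptAcquireContextA", "CryptAcquireContextW", "CryptImportKey",
               "CryptDeriveKey", "CryptDecrypt", "CryptEncrypt"},
}

# Constructed IDA-style listing. Only the labels sub_1002AF6 and 0x1002C93
# echo the section; everything else is invented for this example.
SAMPLE_LISTING = """
sub_1002AF6 proc near
.text:01002AF6 push    ebp
.text:01002AF7 mov     ebp, esp
.text:01002B10 call    ds:CryptAcquireContextA
.text:01002B40 call    sub_10030A0
.text:01002C93 call    ds:CryptDecrypt
.text:01002CA0 retn
sub_1002AF6 endp
sub_10030A0 proc near
.text:010030A0 push    ebp
.text:010030B5 call    ds:ReadFile
.text:010030C0 retn
sub_10030A0 endp
"""

PROC_RE = re.compile(r"^(\w+)\s+proc\b")
ENDP_RE = re.compile(r"^(\w+)\s+endp\b")
CALL_RE = re.compile(r"^\.\w+:([0-9A-Fa-f]+)\s+call\s+(?:ds:)?(\w+)")


def build_xrefs(listing):
    """Parse a listing into (callgraph, xrefs_to).

    callgraph: caller function -> set of callee names (what BinNavi draws).
    xrefs_to:  callee name -> list of (caller function, call address),
               i.e. what IDA shows when you press 'x' on the import.
    """
    callgraph, xrefs_to, current = defaultdict(set), defaultdict(list), None
    for line in listing.splitlines():
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            current = m.group(1)
            callgraph.setdefault(current, set())
            continue
        if ENDP_RE.match(line):
            current = None
            continue
        m = CALL_RE.match(line)
        if m and current:
            ea, callee = int(m.group(1), 16), m.group(2)
            callgraph[current].add(callee)
            xrefs_to[callee].append((current, ea))
    return dict(callgraph), dict(xrefs_to)


def functions_by_category(xrefs_to):
    """category -> set of functions calling at least one API of that category."""
    out = defaultdict(set)
    for category, apis in INTERESTING_APIS.items():
        for api in apis:
            for caller, _ in xrefs_to.get(api, ()):
                out[category].add(caller)
    return dict(out)


def breakpoints_for(xrefs_to, api):
    """Sorted call-site addresses of api: where to set debugger breakpoints."""
    return sorted(ea for _, ea in xrefs_to.get(api, ()))


def ida_callers_of(api_name):
    """Same query inside IDA: (function name, address) for every reference to
    the import. IDAPython is imported lazily so this file loads outside IDA.
    A thunk (jmp ds:Api) shows up as one reference; run XrefsTo on the thunk
    itself if the sample calls the API through one."""
    import idaapi, idautils, idc  # only available inside IDA
    ea = idc.get_name_ea_simple(api_name)  # IAT slot of a static import
    if ea == idaapi.BADADDR:
        return []  # not statically imported: look for GetProcAddress instead
    return [(idc.get_func_name(x.frm), x.frm) for x in idautils.XrefsTo(ea, 0)]


if __name__ == "__main__":
    graph, xrefs = build_xrefs(SAMPLE_LISTING)
    for category, funcs in functions_by_category(xrefs).items():
        print(f"{category:7} {sorted(funcs)}")
    for caller, ea in xrefs["CryptDecrypt"]:
        print(f"CryptDecrypt called from {caller} at {ea:#x}")
```

Run it as a plain script to see the offline part; paste it into IDA's script window and call `ida_callers_of("CryptDecrypt")` to get the real call sites of the loaded IDB.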
With BinNavi it’s easy to search through disassembly graphs, which helps to form ideas about how to approach reverse engineering a malicious executable.