2025-03-02 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
If you want to do good work, you must first sharpen your tools. I hope this post can provide some basic information for friends who are interested in entering the anti-virus industry.
Let's start with the hardware:
If conditions permit, have two network lines from different operators and two or more computers; the specific hardware configuration only needs to be adequate.
Although a virtual machine can be used, some malicious code inevitably has a virtual-machine detection mechanism, so use a physical machine whenever you can.
Then there is the prerequisite software:
Windows XP (don't dismiss the old; the old has the advantages of the old: lightweight and easy)
IDA Pro (there are other disassemblers on the market, but IDA is both powerful and a must in the anti-virus industry; if a brother insists on using something else, don't be surprised to be looked down on in an interview. In addition, the Hex-Rays decompiler plug-in is indeed very powerful, but it is too expensive unless you have spare money; on the other hand, once you have formed the good habit of doing it by hand, going without it is not bad either.)
OllyDbg (ditto, an industry must-have. To be honest, I personally seldom use it. That is not because it is bad, but because IDA's comments are so valuable that I almost never leave static analysis in IDA; even when debugging is really needed, it can be done directly with IDA's built-in debugger, so there is little reason to switch to Olly.)
WinDbg (ditto, an industry must-have and the sharp tool for debugging drivers. As with the former, I personally seldom use it, which is not to say it is bad, but I analyze most drivers statically in IDA directly.)
Wireshark (the must-have sharp tool for capturing packets. As with the former, I personally seldom use it, not because it is bad, but because I seldom let malicious code run to completion during analysis, working either statically or, when necessary, directly from the debugger.)
There are also several small tools that I rather like, though they are not necessary:
010 Editor
DeDe
Ghost
Hiew
LordPE
WinHex
You also need some small monitoring tools. There are actually many free or shareware ones, but to reduce the chance of being fooled by malicious code, I think it is best to write your own; if you can't, try to choose a little-known one.
System change monitoring
API monitoring
Rootkit monitoring
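As an added example (not code from the original post) of the "system change monitoring" kind of tool listed above, here is a minimal file-system change monitor: it snapshots a directory tree before a sample runs and diffs it afterwards. Only files are covered; a real monitor would also track the registry, services and autorun entries. The directory layout and the simulated changes are constructed for the demo.

```python
"""Minimal file-system change monitor (added example, not from the post)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path, '/'-separated) to (size, sha256)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[rel] = (os.path.getsize(full), digest)
    return state


def diff(before, after):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p] != after[p])
    return added, removed, modified


def demo():
    """Constructed scenario: take a baseline, then simulate the kind of changes
    a dropper might make (edit hosts, drop a binary, delete a file)."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("clean baseline\n")
        before = snapshot(root)

        # Simulated sample activity (constructed, not a real sample's behaviour)
        with open(os.path.join(sys32, "hosts"), "a") as fh:
            fh.write("127.0.0.1 blocked.example\n")    # modified
        with open(os.path.join(root, "dropped.exe"), "wb") as fh:
            fh.write(b"MZ")                             # added
        os.remove(os.path.join(root, "readme.txt"))     # removed

        return diff(before, snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

Hashing rather than comparing timestamps is deliberate: a sample that restores a file's timestamp after patching it still changes the digest, which is exactly the kind of thing the post's "write your own monitor" advice is about.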
Other standby software for testing:
All kinds of servers (HTTP, SMTP, FTP, IRC, etc.)
All kinds of common IM (QQ,MSN,YAHOO, etc.)
Microsoft Office (installation files for each version)
Adobe Acrobat Reader (installation files for each version)
Adobe Flash Player (installation files for each version)
Finally, here is the basic analysis process for a malicious code sample (signature extraction excluded):
1. Restore the system image (to avoid being misled by leftover information in an infected environment)
2. Quickly check for suspicious strings
3. Quickly check the code entry address for signs of infection
4. Run it, monitor and record system changes, and determine whether it is malicious code
5. Use IDA for static analysis if necessary
6. Write some auxiliary scripts or code to assist the analysis if necessary
7. Debug with a debugger if necessary
8. Do a background check on the related domain names, servers, email addresses, etc. if necessary
9. Write up the documentation and related material
10. Back up all related files
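Steps 2 and 3 above (the quick string check and the entry-point check) are the ones most easily scripted, so here is an added example of a small triage helper; it is not code from the original post. It parses the PE headers directly with struct (no pefile dependency) and runs on a constructed two-section PE32 image built in memory. The section names, the embedded strings and the list of suspicious patterns are assumptions for the demo, not taken from any real sample.

```python
"""Quick PE triage: suspicious strings + entry-point sanity check (added example)."""
import re
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 byte string."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                              # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                # section table entry
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr,
                         "size": max(vsize, rawsize), "chars": chars})
    return entry, sections


def entry_point_check(data):
    """Step 3: signs of infection around the entry point (list of findings)."""
    entry, sections = parse_pe(data)
    owner = next((i for i, s in enumerate(sections)
                  if s["vaddr"] <= entry < s["vaddr"] + s["size"]), None)
    if owner is None:
        return ["entry point outside any section"]
    s, findings = sections[owner], []
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append("entry point in last section (%s)" % s["name"])
    if s["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section is writable")
    if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section not marked executable")
    if s["name"] not in (".text", "CODE"):
        findings.append("entry section has unusual name %r" % s["name"])
    return findings


def extract_strings(data, min_len=5):
    """Step 2: printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    return found + [m.group().decode("utf-16le") for m in re.finditer(wide_re, data)]


# Assumed patterns worth a second look during a quick string check.
SUSPICIOUS = [
    ("url", re.compile(r"https?://", re.I)),
    ("ipv4", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")),
    ("autorun key", re.compile(r"CurrentVersion\\Run", re.I)),
    ("api", re.compile(r"^(URLDownloadToFile|WriteProcessMemory|CreateRemoteThread)")),
]


def flag_strings(strings):
    return [(label, s) for s in strings for label, rx in SUSPICIOUS if rx.search(s)]


def build_sample(entry_rva=0x2000):
    """Constructed PE32 image (not a real sample): .text at RVA 0x1000 plus a
    writable+executable '.xyz' section at 0x2000 holding the demo strings.
    entry_rva=0x2000 mimics an appended infector/packer stub; 0x1000 is clean."""
    opt_size = 0xE0
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase

    def sec(name, vaddr, rawptr, chars):   # 0x200-byte section, virtual == raw size
        return struct.pack("<8sIIIIIIHHI", name, 0x200, vaddr, 0x200, rawptr, 0, 0, 0, 0, chars)

    header = (dos + coff + bytes(opt) + sec(b".text", 0x1000, 0x200, 0x60000020)
              + sec(b".xyz", 0x2000, 0x400, 0xE0000020)).ljust(0x200, b"\0")
    text = b"\x55\x8b\xec\xc3".ljust(0x200, b"\0")     # push ebp; mov ebp,esp; ret
    xyz = (b"http://example.invalid/update\0"
           b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0\0"
           + "URLDownloadToFileA".encode("utf-16le") + b"\0\0").ljust(0x200, b"\0")
    return header + text + xyz


def triage(data):
    """Steps 2 and 3 together, as a dict you could paste into the write-up."""
    return {"strings": flag_strings(extract_strings(data)),
            "entry": entry_point_check(data)}
```

Calling `triage(build_sample(0x1000))` reports no entry-point findings, while `triage(build_sample(0x2000))` reports the entry point sitting in the last, writable, oddly named section: the classic layout of a file infector or an appended stub. The string check is deliberately loose (it also picks up junk such as section names); its job at this stage is only to decide whether the sample deserves the deeper steps that follow.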
Of course, friends working on anti-virus ("virus-killing") software usually also need to extract signatures (usually before static analysis), and may also need to write repair tools, but those work details vary from company to company, so I won't discuss them here.