
RCE: List of 64-bit tools

May 21, 2014 in Malware Analysis, Tips & Tricks

Update (June 4th, 2014): Added Hex-Rays Decompiler x64

The 64-bit platform is becoming the standard, and reverse engineering PE32+ files is now daily bread for many malware analysts. Luckily, tools designed to make this easier are out there, and new ones keep popping up all over the place. Unfortunately, many of them are not mature yet and often crash or do funny things, but the area is developing really fast and hopefully the RCE arsenal will expand soon.

Here is a short list of the tools I have come across, most of which I use in my research and analysis of PE32+ files. If you know of any other useful tools, I’d be grateful if you let me know. Thanks!

Docs

Bypassing signature checks/disabling PatchGuard

PE Viewer/Editors supporting PE32+

Disassembler

Decompiler

Debugger (they are also disassemblers)

OllyDbg 64 is still not ready, but there are a couple of tools that can be useful even if they are not that user-friendly:

Process / Memory Viewer

Process dumpers

Hook Detector

API Monitor

Hiding Processes

Thanks to Ange and Nanu Jogi for fixes and suggestions.

Doing things faster

November 25, 2013 in Tips & Tricks

Every once in a while I ask myself a question – what can I do to work faster?

I strongly believe that complacency, a.k.a. resting on one’s laurels, is the biggest enemy of productivity; therefore, once in a while I go on a journey to hunt for tips and tweaks that can improve my work environment. These come in a variety of forms – better hardware, newer software, alternative software, or… changing habits.

Here is a bunch of tips that you may find useful – some are old, some are new, but all are tested and work in practice (note: they are all workstation- and Windows-centric). This is a direct continuation of my two older posts on how to speed up case processing, so obviously some repetition is unavoidable :)

Here it goes…

  • See more
    • Use at least two computer screens; I can’t imagine working with a single screen anymore. Whether it is a programming, forensic analysis or reversing session – it’s always good to have more space for information
  • See less
    • If you do a lot of multitasking, use virtual desktops – there are lots of programs that help creating virtual desktops, but the one that IMHO nails it is VirtuaWin
    • If you use multiple computers, use RDP instead of separate screens
    • If you work at night, use f.lux
  • Multiple computers
    • If you must use multiple computers, you can use Synergy to share one keyboard and mouse
  • Speeding-up data transfers
    • Invest in fast CPU, more memory
    • Invest in SSD, USB 3.0
  • Killer-apps
    • Kill your Windows Explorer – it is the worst GUI for working with files; use Total Commander, or FAR
    • Use PureText to copy & paste text w/o formatting
    • Use Sizer to resize any window to an exact, predefined size – this is handy when you write reports and want screenshots of a consistent size
    • Migrate most of your tools to their portable versions; it’s very handy when you change the computer or travel (can always have the most up to date version of your software/settings w/o relying on cloud)
  • Virtualization
    • Build a fresh clone of your ‘working’ image once in a while – not only a good chance to update software, but also set up/fix settings that you find annoying (if you catch yourself doing the same thing over and over again after you revert to a snapshot -> fix the image!)
    • Move the most frequently used images to SSD drive
    • Turn the speaker off for all virtual machines – the beeping is pretty annoying, and the link I provide shows how to disable it for all images at once
  • SSD optimization
    • Remove the hibernation file – if you don’t use hibernation, just run powercfg -H OFF – this may give you a few good GiB back
    • Remove pagefile.sys – if you have enough memory, you don’t need a pagefile (caveat: Windows writes kernel and complete memory dumps through the pagefile on the system drive, so without one you get no crash dumps; keep a small one, or configure a dedicated dump file, if you ever need them)
    • Use junctions – for some reason Microsoft drops tons of rarely used files on %SystemDrive%, e.g. inside %SystemRoot%\Installer or %SystemDrive%\ProgramData\ or their subfolders; these files can’t simply be deleted, but they ‘steal’ precious SSD space. To gain that space back, move the rarely used stuff to a slower partition and leave a junction at the old path (use mklink /J). Two caveats: a junction can only point to a local volume, and these folders have restrictive ACLs, so copy them with ACLs intact and expect to take ownership first
    • Install less-often used software to other partitions
    • Do a clean up once in a while
  • Regionalization
    • Change the date/time format to YYYY-MM-DD hh:mm:ss both in the Regional Settings of your OS and in your forensic software, e.g. EnCase; it makes a HUGE difference when you look at timelines
  • Fonts
  • Reading
    • If you read PDFs, swap Acrobat with Sumatra
  • .NET decompiling
    • ILSpy does it pretty well
  • Regedit
    • Add Favorites to most commonly used registry keys – you can use RegJump from Sysinternals to quickly navigate to the specific key
  • IDA, Hex-Rays Decompiler & OllyDbg
    • Build a habit of collecting plugins and scripts – even if not immediately useful, the source code of an existing script/plugin can save you a lot of coding time; the Hex-Rays Plug-In Contest is a good place to pick up a few plugins (note: some of them crash randomly – it’s not production-ready code, so it’s best to keep them disabled by default and enable them only when needed; some of these plugins also slow down decompiling)
  • Procmon/Regmon/Filemon
    • Build a list of filters and save it
    • Add highlighting for operations that modify things (e.g. WriteFile, RegSetValue, RegCreateKey)
  • Process Explorer
    • Let’s face it – it has to be retired as it’s way behind Process Hacker
    • If you really need to use it: on a 64-bit system Process Explorer (which always starts as a 32-bit process) extracts the 64-bit version into the Temp folder and then runs it. You can either extract that 64-bit binary directly from the 32-bit .exe and rename it procexp.exe, or run the 32-bit Process Explorer once and copy the 64-bit version out of the Temp folder; the next time you run procexp.exe you get the 64-bit version directly – always one process less to run
  • Temp folder
    • Clean up the temp folder regularly; some forensic software drops large files into your temp folder and they just stay there
  • Chrome cache
    • If you use Chrome and download large files, the temp/cache files can end up stored under Chrome’s user data directory forever; it’s a good habit to have a look at it once in a while and remove them (look for a ‘File System’ folder inside the profile directory)
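The junction trick from the SSD optimization section above, written out as a script. This is an added example, not code from the original post: the script name, its parameters and the sample paths are my assumptions. It copies a folder to another local volume with its ACLs, owner and timestamps intact, swaps a junction into the old location, and only deletes the original once the file count seen through the junction matches. New-Item -ItemType Junction is the PowerShell 5 equivalent of mklink /J; on older versions replace that line with a cmd /c mklink /J call.

```powershell
<#
  Move-ToJunction.ps1 (hypothetical name; added example, not part of the original post).
  Moves a rarely used folder off the SSD to a slower local volume and leaves a directory
  junction at the old path, so anything that hard-codes the old location keeps working.
  Run from an elevated prompt. Example:
    .\Move-ToJunction.ps1 -Source 'C:\Windows\Installer' -Destination 'D:\Offload\Windows\Installer' -DryRun
#>
param(
    [Parameter(Mandatory)][string]$Source,       # folder currently eating SSD space
    [Parameter(Mandatory)][string]$Destination,  # new home on the slower partition (must not exist yet)
    [switch]$DryRun                              # report what would happen, change nothing
)
$ErrorActionPreference = 'Stop'
$Source      = $Source.TrimEnd('\')
$Destination = $Destination.TrimEnd('\')

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-ReparsePoint([string]$Path) {
    # Junctions and symlinks carry the ReparsePoint attribute; never relocate one of those.
    [bool]((Get-Item -LiteralPath $Path -Force).Attributes -band [IO.FileAttributes]::ReparsePoint)
}

function Get-FileCount([string]$Path) {
    @(Get-ChildItem -LiteralPath $Path -Recurse -Force -File).Count
}

# --- pre-flight checks ---------------------------------------------------------
if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell prompt.' }
if (-not (Test-Path -LiteralPath $Source -PathType Container)) { throw "Source not found: $Source" }
if (Test-ReparsePoint $Source) { throw "$Source is already a junction or symlink; nothing to do." }
if (Test-Path -LiteralPath $Destination) { throw "Destination already exists: $Destination" }
# A junction must target a local volume, and it only frees space if that volume is a different one.
if ((Split-Path -Qualifier $Source) -ieq (Split-Path -Qualifier $Destination)) {
    throw 'Source and destination are on the same volume; no SSD space would be freed.'
}
$sizeMB = [math]::Round((Get-ChildItem -LiteralPath $Source -Recurse -Force -File |
                         Measure-Object -Property Length -Sum).Sum / 1MB, 1)
Write-Host "Relocating $Source ($sizeMB MB, $(Get-FileCount $Source) files) -> $Destination"
if ($DryRun) { Write-Host 'Dry run: no changes made.'; return }

# --- 1. copy with ACLs, owner and timestamps ------------------------------------
# robocopy exit codes 0-7 are success bitmasks (1 = files copied); 8 and above mean failures.
& robocopy.exe $Source $Destination /E /COPYALL /DCOPY:DAT /R:1 /W:1 /NFL /NDL /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed (exit $LASTEXITCODE); original left untouched." }

# --- 2. park the original, create the junction, roll back if that fails --------
$backup = "$Source.pre-junction"
Rename-Item -LiteralPath $Source -NewName (Split-Path -Leaf $backup)
try {
    # Equivalent of: cmd /c mklink /J "$Source" "$Destination"
    New-Item -ItemType Junction -Path $Source -Value $Destination | Out-Null
} catch {
    Rename-Item -LiteralPath $backup -NewName (Split-Path -Leaf $Source)
    throw "Creating the junction failed ($($_.Exception.Message)); original folder restored."
}

# --- 3. verify through the junction before deleting the backup -----------------
$viaLink = Get-FileCount $Source
$viaBack = Get-FileCount $backup
if ($viaLink -ne $viaBack) {
    throw "File count mismatch through the junction ($viaLink vs $viaBack); backup kept at $backup."
}
Remove-Item -LiteralPath $backup -Recurse -Force
Write-Host "Done: $Source is now a junction to $Destination; ~$sizeMB MB freed on $(Split-Path -Qualifier $Source)."
```

Two things the checks do not cover: the rename in step 2 fails with a sharing violation if a service holds the folder open (stop it first, or do this from a boot into a second OS image), and on folders with restrictive ACLs you may need takeown and icacls before the rename is permitted. Run with -DryRun first; it prints the size and file count without touching anything.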