In this part of article we will look at more questions on Dynamic analysis. After that we will cover Debugging and Static analysis.
3) What are the most common registry location malware add themself for persistence?
Most common registry key which you need to remember is:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run //Only for current user
Other locations that you don't need to remember but are important for future reference:
Most of the time analyst use Autoruns tool from Sysinternals for looking at all such locations/keys.
4) What API calls pattern malware show for DLL injection?
It is one of the most asked question in dynamic analysis.
h=OpenProcess(,,proc_id) addr = VirtualAllocEx(h,,size,,,) WriteProcessMem(h,addr,buf,size,...) CreateRemoteThread(h,,,start,param,...)
5) What other process injection/hooking methods are available?
- Code injection
- Dll injection
- Dll search order hijacking
- APC injection
- IAT/EAT Hooking
- Inline hooking
Interviewer may ask further questions on any of these techniques, so you must be prepared for that. You can read further about process injection in given links:
6) What is process hollowing?
Process hollowing is a technique used by malware in which a legitimate process is loaded on the system solely to act as a container for hostile code.
I would recommend you to watch first 20:00 minutes of this Blackhat talk to understand it completely.
Static analysis and Debugging
Debugging and static analysis are core part of malware analysis. Most questions in this topic are related to how you use IDA or ollydbg or any other of your favourite debugger.
1) Do you use IDA or ollydbg? Which one of them is your favourite and Why?
Variant: What do you like in ollydbg(or IDA) that is not present in IDA(or ollydbg)?
The answer depend on your personal choice and experience but I am putting my view on them.
I use IDA Pro for mostly static analysis purpose and Ollydbg for debugging purposes.IDA has graph view which make static analysis very easy and ollydbg has large plugin support that makes debugging easy.
Other then that I have spent large reversing time on ollydbg hence my hands are more settle on olly rather then IDA.
2) How many types of breakpoint are available in debugger?
This is a frequently asked question. There are four types of breakpoints available:
- Software breakpoint (use int 3 instruction)
- Hardware breakpoint (use debug registers)
- Memory breakpoint (use guard pages)
- Conditional Breakpoint (Debugger specific)
3) How many hardware breakpoint are available in debuggers?
There are 4 hardware breakpoints available in debugger. The reason why there are only 4 of them is because hardware breakpoint use debug register to store the memory address where breakpoint is set. There are only 8 debug register in Intel x86 -> DR0-DR7 from which only four are used for breakpoint.
DR0-3 = breakpoint registers
DR4-5 = reserved (unused)
DR6 = Debug Status Register
DR7 = Debug Control Register
4) How software breakpoint work?
INT 3 instruction is what debuggers are using when they are setting a “software breakpoint”.
In depth: When a debugger uses a software breakpoint, what it does is overwrite the first byte of the instruction at the specified address. It keeps its own list of which bytes it overwrote and where. Then when breakpoint exception is received, it looks up the location, replaces the original byte and lets the instruction execute normally. Then typically it overwrites the first byte again (subject to configuration) so that the breakpoint will be hit if the address is executed again.
4)In what condition you need to use hardware breakpoint instead of software?
Variant: Why we use hardware breakpoints on dll's instead of software breakpoint?
Software breakpoint have limitation to be only set breakpoint on code section of the program since it put
int 3 instruction. For other memory locations you cannot use software breakpoint.
Other then that if you try to put software breakpoint on any loaded dll's code, then every time you reload the program the breakpoint get removed because the
int3 instruction get replace with the original instruction again.
You can read more about H/W and S/W breakpoint here.
5) What are different anti-debugging/anti-analysis methods available are used by malwares?
There are lots of anti-analysis methods present. I am mentioning the important ones that are used most.
- PEB!IsDebugged flag is checked if contain 0 or 1. The instructions look like below:
mov eax, fs: mov eax, [eax+2] test eax, eax jnz exit_debugger_detected
kernel32!IsDebuggerPresent function is used.
QueryPerformanceCountercalls are used for time based checking.
RDTSCinstructions (Read Time Stamp Counter). They generally come in pairs, followed by a comparison.
rdtsc mov ebx, eax ... some measured code ... rdtsc sub eax, ebx cmp eax, ... some tick count ... jg detected_debugger
You can read many other anti-analysis here.
6) What packer does?
There are lots of packers tool present that works little different from each other. But most commonly code and data is compressed/encrypted/encoded at a block level by packers. Then they add new section(eg
.packed) where they put unpacking stub. They also modify header like changing Entry point to unpacking stub and few other fields.
7) How to unpack packed code?
Interviewers may ask you if you have previous experience in unpacking packed executable. A general way to deal with this is as follow:
Often packer's stub start with
pusha(push all general purpose register) and ends with
popa(pop all registers) follow by a jump. The jump is at far location(mostly to other section of pe).
After the jump you land to OEP. You can dump the unpacked code to new pe file using ollydump plugin.
So here ends all the questions for debugging and static analysis. In the last part(4th) of the series we will look at some advance and miscellaneous questions.