The daily mentality of reverse/virus analysis
For some relatively simple samples, the overall mentality is still very stable, but for more complex malicious programs like WanaCry, when the program analysis starts, there are only two or three layers of function/process calls, I am full of confidence and passion. , I feel that hope is ahead, as if I have seen the dawn of success; but after in-depth analysis, I will find that the program has become complicated. In addition to the multi-layer nesting of processing functions, the nesting of processes and threads is also very complicated. The relationship between processes and functions Cross-nesting is also complicated. As the analysis deepens, the entire mentality changes as follows:
- When I see a function call: Hahaha... The core function is definitely here, happy ( ̄︶ ̄*))
- After following up, I found that another function was applied: yo, one more layer was applied, and then followed ( ̄︶ ̄)↗
- After following up, I found that another process was created: It turned out to be waiting for me here ( ̄︶ ̄)↗
- Follow the process address and find multiple function calls: Don’t worry, victory is ahead φ(* ̄0 ̄)
- Follow the function again and find other function calls: See how many layers you can apply ㄟ ( ▔, ▔ ) ㄏ
- Follow the function again and find that the thread is created: I wipe it! I made another thread, you can’t beat me, then follow
( ̄^ ̄) - Following the first address of the thread, I found that the function is nested: Damn, the old sow wears a bra - one set after another, watch me strip you naked ( ̄へ ̄)
- Follow the function again and find that a thread has been created: Damn, I don’t want to play anymore (╯°□°)╯, I’ll try the last step again
- Following the thread address, I found that there are multiple functions nested: Grass! ! (σ`д′)σ My patience has its limit, I will try the last step again
- Following the function address, I found that another thread was created: No more fun, damn it! asdadbkdhuoweovwbenoovw0vbow —— (Smash the keyboard!!!)
—— w(゚Д゚)w —— w(゚Д゚)w —— w(゚Д゚)w —— - I got up and drank a cup of tea, then went to the toilet, adjusted my mentality, and then returned to the computer: Sigh... What can I do, I have to continue to do it, continue to follow... ┗( T﹏T )┛
