regmon

regmon and filemon are two of the most important tools used in malware analysis.

Any malware, when it first infects a windoze box, also infects the registry. The reason is to make sure the malware runs every time windoze boots up, and to disable other security settings of windoze or of the AVs.

The regmon tool basically monitors any access to the registry. There are about 14 to 16 routines in the windoze kernel (also called the virtual machine manager) that deal with all I/O operations on the registry. The technique is like the DOS TSR and IVT hooking one: regmon hooks itself into this chain, so anything calling these routines passes through regmon as well.

During the DOS days, all viruses would try to hook themselves into the interrupt vector table and stay resident in TSR mode. The same applies in windoze, with some fancy names. regmon's heart is the regvxd.vxd code, which inserts (hooks) itself into those 16 routines. regvxd.vxd is a virtual device driver (VxD).

So, before loading the malware, take a snapshot of the registry using regmon. Then load the malware into the sandbox or VM system and run regmon. regmon clearly shows which keys and values got changed.
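As an added example (not code from the original post or from the regmon project), here is a small Python script that does the comparison step on a saved regmon capture: it throws away the read-only noise (OpenKey, QueryValue, CloseKey), keeps only the successful writes, groups them per process, and flags writes that land in the usual autostart or security-setting locations (Run/RunOnce, Winlogon, Services, Security Center). It assumes the tab-separated layout regmon uses when a capture is saved to a file (sequence number, time, process, request, path, result, other); the log lines and the process name sample.exe are constructed for the demonstration.

```python
"""Pick out the registry writes in a regmon capture and flag autostart keys.

Added example, not code from the original post.  Assumed input format: the
tab-separated layout regmon writes when a capture is saved to a file
(sequence number, time, process, request, path, result, other).  The log
lines below are constructed; "sample.exe" stands in for the malware sample.
"""
from collections import defaultdict

# Requests that change the registry.  Read-only ones (OpenKey, QueryValue,
# EnumerateValue, CloseKey, ...) make up most of a capture and are dropped.
MUTATING_REQUESTS = {"SetValue", "CreateKey", "DeleteValue", "DeleteKey"}

# Locations malware edits to run at boot or to weaken security settings.
# Matched as case-insensitive prefixes, so ...\Run also covers RunOnce and
# RunServices, and ...\Services covers every service key.
WATCHED_PREFIXES = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\System\CurrentControlSet\Services",
    r"HKLM\Software\Microsoft\Security Center",
)

# Constructed capture: explorer reads the Run key, then sample.exe adds its own
# autostart entry, silences the AV notification, removes ctfmon, writes a
# harmless settings value, and has one write refused.
SAMPLE_EVENTS = [
    ("1", "0.00000000", "explorer.exe:1024", "OpenKey",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SUCCESS", "Key: 0xE10A1234"),
    ("2", "0.00001200", "explorer.exe:1024", "QueryValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe", "SUCCESS",
     r'"C:\WINDOWS\system32\ctfmon.exe"'),
    ("3", "0.00002100", "sample.exe:1776", "CreateKey",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SUCCESS", "Key: 0xE10A5678"),
    ("4", "0.00002900", "sample.exe:1776", "SetValue",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchosts", "SUCCESS",
     r'"C:\WINDOWS\Temp\svchosts.exe"'),
    ("5", "0.00003500", "sample.exe:1776", "SetValue",
     r"HKLM\Software\Microsoft\Security Center\AntiVirusDisableNotify", "SUCCESS", "0x1"),
    ("6", "0.00004000", "sample.exe:1776", "DeleteValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe", "SUCCESS", ""),
    ("7", "0.00004800", "sample.exe:1776", "SetValue",
     r"HKCU\Software\SampleCo\Settings\LastRun", "SUCCESS", "0x48A7"),
    ("8", "0.00005100", "sample.exe:1776", "SetValue",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\other", "ACCDENIED", ""),
    ("9", "0.00005600", "sample.exe:1776", "CloseKey",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SUCCESS", ""),
]
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in SAMPLE_EVENTS) + "\n"


def parse_regmon_log(text):
    """Turn the saved capture into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        fields += [""] * (7 - len(fields))  # the "other" column may be absent
        seq, when, process, request, path, result, other = fields[:7]
        events.append({
            "seq": int(seq), "time": float(when), "process": process,
            "request": request, "path": path, "result": result, "other": other,
        })
    return events


def registry_writes(events, include_failed=False):
    """Keep only requests that change the registry; by default only successful ones."""
    return [e for e in events
            if e["request"] in MUTATING_REQUESTS
            and (include_failed or e["result"] == "SUCCESS")]


def is_watched(path):
    """True if the path sits under one of the autostart / security locations."""
    lowered = path.lower()
    return any(lowered.startswith(prefix.lower()) for prefix in WATCHED_PREFIXES)


def writes_by_process(events):
    """Map process -> list of (request, path, data, watched) for successful writes."""
    report = defaultdict(list)
    for e in registry_writes(events):
        report[e["process"]].append((e["request"], e["path"], e["other"], is_watched(e["path"])))
    return dict(report)


def flagged_paths(events):
    """Paths under a watched location that were successfully written, in log order."""
    return [e["path"] for e in registry_writes(events) if is_watched(e["path"])]


if __name__ == "__main__":
    events = parse_regmon_log(SAMPLE_LOG)
    for process, writes in writes_by_process(events).items():
        print(process)
        for request, path, data, watched in writes:
            print(f"  {'!!' if watched else '  '} {request:<12} {path}  {data}")
    for e in registry_writes(events, include_failed=True):
        if e["result"] != "SUCCESS":
            print(f"attempted but failed: {e['process']} {e['request']} {e['path']} -> {e['result']}")
```

Run it on a real capture by replacing SAMPLE_LOG with the file contents; the "attempted but failed" lines are worth keeping in the report, because a refused write still tells you what the sample wanted to change.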

more coming …

get regmon from here http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx

from the oneha|f Lab
(groups.google.com/group/onehalf)

Posted August 17, 2008 by oneh in tools
