regmon and filemon are two of the most important tools used in malware analysis.
any malware, when it first infects a windoze box, goes for the registry. the reason is to make sure the malware runs every time windoze boots up, and to disable other windoze security settings or AVs.
regmon basically monitors any access to the registry. there are about 14 – 16 routines in the windoze kernel (also called the virtual machine manager) which deal with all i/o operations on the registry. the technique is like the DOS TSR and IVT hooking one: regmon hooks into this chain, so anything calling these routines passes through regmon as well.
in the DOS days, viruses would hook themselves into the interrupt vector table and go TSR. the same applies in windoze, with some fancier names. regmon's heart is the regvxd.vxd code, which inserts (hooks) itself into those 16 routines. regvxd.vxd is a virtual device driver (VxD).
so before loading the malware, take a snapshot of the registry using regmon. then load the malware into the sandbox or VM and run regmon. regmon clearly shows which keys / values got changed.
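the snapshot-then-diff part of that workflow, as an added example that is not part of the original post or of regmon itself: a small python script that parses two registry exports in the standard .reg text format (the "before" snapshot and the "after" snapshot), lists every key and value that was added, removed or changed, and flags the changes that land under the usual autorun / security-center locations that malware goes for. the two snapshots are constructed for the example; the file names, value names and the list of watched key paths are the example's own assumptions, not anything from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# "before" snapshot: constructed .reg export, not a real machine.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"""

# "after" snapshot: same box after running the sample (constructed).
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost32"="C:\\WINDOWS\\Temp\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Documents and Settings\\user\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Notepad]
"fWrap"=dword:00000001
"""

# key path -> {value name -> raw value text as written in the .reg file}
Snapshot = Dict[str, Dict[str, str]]
# (kind, key, value name, old value, new value)
Change = Tuple[str, str, Optional[str], Optional[str], Optional[str]]

# a value line is  "name"=data  or  @=data  (the default value)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# assumed watch list (lowercase substrings of the key path); the first one
# also matches RunOnce / RunServices since they share the prefix
WATCH_KEYS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows nt\currentversion\winlogon",
    r"\microsoft\security center",
)


def parse_reg(text: str) -> Snapshot:
    """parse a .reg export into {key: {name: raw value}}."""
    snap: Snapshot = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snap.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            snap[key][name] = m.group(2)
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """every key / value that appeared, disappeared or changed between the two snapshots."""
    changes: List[Change] = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            changes.append(("key_added", key, None, None, None))
        elif key not in after:
            changes.append(("key_removed", key, None, None, None))
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append(("value_added", key, name, None, new[name]))
            elif name not in new:
                changes.append(("value_removed", key, name, old[name], None))
            elif old[name] != new[name]:
                changes.append(("value_changed", key, name, old[name], new[name]))
    return changes


def flag_persistence(changes: List[Change]) -> List[Change]:
    """keep only the changes under the watched autorun / security-center keys."""
    return [c for c in changes if any(w in c[1].lower() for w in WATCH_KEYS)]


def format_change(c: Change) -> str:
    kind, key, name, old, new = c
    mark = "!!" if flag_persistence([c]) else "  "
    detail = "" if name is None else f" :: {name} = {old!r} -> {new!r}"
    return f"{mark} {kind:14} {key}{detail}"


if __name__ == "__main__":
    for change in diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER)):
        print(format_change(change))
```

lines marked `!!` are the ones worth looking at first: the new Run entries and the flipped Security Center value. the Notepad change is reported too but not flagged, which is the point of the watch list: a real box produces plenty of harmless registry noise between two snapshots, and the list of autorun / security keys is what separates the persistence changes from it.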
more coming …
get regmon from here http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx
from the oneha|f Lab