Overview
The lecture covers detecting and analyzing system changes from applications and malware, memory and network observation tools, and dynamic analysis limits leading to reverse engineering.
Registry Access and Restrictions
- Disabling the Registry Editor blocks only the user interface, not Registry access by processes.
- Applications, including malware, can still read/write the Registry despite editor restrictions.
- User restrictions affect convenience, not the Registry subsystem’s functionality.
Detecting System Changes (File/Registry)
- The historical tool SpinRight recorded installation activity to a flat file for later reference.
- Originally for application cloning; less used now due to GPOs and modern deployment.
- Uninstall/Install tracking tools exist; example mentioned: Install and Trace (trial).
- Process Monitor (Procmon) offers live monitoring of file/registry/process activity.
- Acronis Try & Decide allows safe trial installs, then revert system state if undesired.
- Try & Decide does not detect changes; it enables recovery to a prior known-good state.
Memory Changes and Process Inspection
- In-memory data is typically unencrypted and can be examined via process memory dumps.
- Dump creation: mini dump or full dump from a running process for later analysis.
- Process Explorer (Sysinternals) gives live insight into processes and internals.
Process Explorer Capabilities
- View images, performance, threads, CPU usage, environment, and strings.
- Create process memory dumps for offline analysis.
- Useful if you have skills to interpret dumps; reading dumps is beyond this chapter.
Persistence Mechanisms
- Persistence analysis referenced around page 344; Sysinternals tools used to find autoruns.
- Goal: identify methods malware uses to survive reboots and maintain footholds.
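Added example (not from the lecture or any Sysinternals tool): a small Python script that reads a Procmon CSV export, keeps only successful write-type file and Registry events, groups them by process, and flags writes to common autorun locations. The sample export and the process/path names in it are constructed; the autorun prefix list and the reliance on Procmon's "OpenResult" text in the Detail column are assumptions.

```python
import csv
import io
from collections import defaultdict

# Registry locations commonly used to survive reboots (autorun points). Matched as
# case-insensitive prefixes, so "...\Run" also covers "...\RunOnce" and subkeys.
AUTORUN_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\System\CurrentControlSet\Services",
)
WRITE_OPS = {"RegSetValue", "RegCreateKey", "CreateFile", "WriteFile"}

# Constructed sample in the layout of a Procmon CSV export (File > Save, CSV format);
# these are made-up events, not a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","setup.exe","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.2000000 AM","setup.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 80, Data: C:\Users\lab\AppData\Roaming\updater.exe"
"10:01:02.3000000 AM","setup.exe","4120","CreateFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.4000000 AM","setup.exe","4120","WriteFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.5000000 AM","explorer.exe","1188","CreateFile","C:\Windows\System32\shell32.dll","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open, OpenResult: Opened"
"10:01:02.6000000 AM","setup.exe","4120","RegSetValue","HKCU\Software\Vendor\Settings\Installed","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.7000000 AM","setup.exe","4120","RegSetValue","HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater","ACCESS DENIED",""
'''

def summarize_writes(procmon_csv):
    """Group successful write-type events by process and flag autorun locations.
    Returns {"name (pid)": {"registry": [...], "files": [...], "persistence": [...]}}."""
    summary = defaultdict(lambda: {"registry": [], "files": [], "persistence": []})
    for row in csv.DictReader(io.StringIO(procmon_csv.strip())):
        if row["Operation"] not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue
        # CreateFile is also Procmon's "open" event; keep it only when a file was made.
        if row["Operation"] == "CreateFile" and not any(
            f"OpenResult: {r}" in row["Detail"] for r in ("Created", "Overwritten")
        ):
            continue
        entry = summary[f'{row["Process Name"]} ({row["PID"]})']
        path = row["Path"]
        bucket = entry["registry"] if path.upper().startswith("HK") else entry["files"]
        if path not in bucket:
            bucket.append(path)
        if any(path.lower().startswith(p.lower()) for p in AUTORUN_PREFIXES):
            entry["persistence"].append(path)
    return dict(summary)
```

In the sample, the process queries the DisableRegistryTools policy and then writes to the Run key anyway, which is the point made above about editor restrictions; processes that only read (explorer.exe's file open) never appear in the summary.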
Network Behavior Analysis
- Malware often exfiltrates to a network drop zone (e.g., credit card data theft).
- TCPView shows live connections, endpoints, and states but not contents; ephemeral flows can be missed.
- Wireshark records traffic to logs and shows packet contents to understand directives and data sent.
- Destination analysis can raise suspicion (e.g., outbound to suspicious FTP servers), but payload inspection is needed for intent.
Dynamic Analysis Limitations and Next Steps
- Dynamic analysis cannot reveal all functions or full capability set of malware.
- Reverse engineering is needed to inspect code and determine exact behaviors.
- Typical workflow: Static analysis → Dynamic analysis → Reverse engineering.
Tools Summary
| Tool/Concept | Primary Use | Strengths | Limitations |
|---|---|---|---|
| Registry Editor restriction | UI access control | Prevents user edits | Does not stop application/malware Registry access |
| SpinRight | Record install-time changes | Creates comprehensive flat-file record | Old approach; licensing and modern deployment reduce need |
| Install and Trace | Installation change tracking | Tracks changes for uninstall | Trial; specifics not covered |
| Process Monitor (Procmon) | Live system activity monitoring | Real-time file/registry/process visibility | Requires active observation; noisy without filters |
| Acronis Try & Decide | Safe testing and rollback | Revert to pre-install state | Does not enumerate changes |
| Process Explorer | Process inspection and dumps | Live details; dump creation; threads/CPU/strings | Interpreting dumps requires advanced skills |
| TCPView | Live network connection view | Quick endpoint visibility | No content; ephemeral flows may be missed |
| Wireshark | Packet capture and analysis | Logs and inspects packet contents | Requires setup and analysis expertise |
| Reverse engineering | Code-level behavior understanding | Reveals exact functions and capabilities | Advanced skill; beyond dynamic analysis |
Key Terms & Definitions
- Registry Editor restriction: Policy preventing user UI access to edit the Windows Registry.
- Persistence: Techniques used by software to survive reboots and remain active.
- Mini dump vs. full dump: Partial vs. complete process memory snapshots for analysis.
- Drop zone: Remote destination where malware sends collected data.
- Dynamic analysis: Observing software behavior during execution.
- Reverse engineering: Analyzing compiled code to determine internal logic and capabilities.
Action Items / Next Steps
- Use Procmon for live change observation during installs or suspicious runs.
- Leverage Process Explorer to inspect processes and create memory dumps if needed.
- Prefer Wireshark over TCPView when packet contents and logging are required.
- Investigate persistence with Sysinternals tools to identify autoruns.
- Move to reverse engineering when dynamic analysis cannot reveal full behavior.