Quote:
|
Originally Posted by TQN
I think we can use IDA Pro to disassemble the hostile code and use some IDA x86 emulation plugins to simulate running it. Those plugins can be found on the Wasm site and have source code (thanks, Volodya). I will try to play with them.
Regards
|
The best idea while analyzing viruses is to actually statically analyze them using a disassembler (IDA/PVDasm/BDASM...) and to integrate this static analysis with live analysis...
You can do this live analysis by using:
1 - remote debugging using SoftICE's capabilities (or using the latest IDA Pro if you have it) on a dedicated machine - hxxp://www.datarescue.com/idabase/remotedebugging/index.htm
2 - bringing up a "virtual network" using VMware as done here - hxxp://www.zeltser.com/sans/gcih-practical/revmalw.html
With these solutions you also have the possibility to run the monitoring tools from Sysinternals and gather more info.
Hope this helps,
Polaris