Monday, November 18, 2013

ASLR Woes for Malware Analysts using Windows 7

For those of us who have moved from XP to Windows 7 for malware analysis, you may have noticed that when you use IDA Pro together with OllyDbg or another debugger, the virtual addresses do not match. This is because Windows 7 ships with Address Space Layout Randomization (ASLR) enabled.

We can use Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to easily toggle ASLR on and off, with a reboot. This way you don't have to make any manual registry changes, and you can also control DEP, SEHOP and Certificate Trust if you need to.

You can download EMET 4.1 here:

To disable ASLR:

Simply select the drop-down next to ASLR and choose Disable. You will need to reboot after that.

Sunday, November 3, 2013

Snazzy Windows Context Menu for Malware Analysis

One thing I like to do is save time, and I am sure a lot of other people do as well. Malware analysis is no exception to the rule. With that in mind, I have found that having my go-to programs in a handy context menu saves a bit of tedious clicking. Below is a screenshot of the menu I made, showing all my tools.

It was a little tricky tweaking the registry to do this, but I feel like I have it down well enough to explain it. So here goes:

Step 0: Warning

Back up your registry, take a snapshot of your VM, or do whatever it is you do in case you break your box doing this. Tweaking the registry is always dangerous. Also, some names need to be exact: Windows relies on convention over configuration to know what's what in the registry, so don't be lazy or it won't work.

Step 0.5:

Open up the Windows Registry Editor: regedit.exe

Step 1:

To create the cascading Malware Analysis menu, navigate to the following key:

Right click on shell and select:
New > Key

For this tutorial we will name it DemoMenu

Right click and select:
New > String Value

Name the new value MUIVerb (this must be exact) and set its data to whatever you want the cascading menu to say. For this tutorial it will be:
Cascade Menu

Warning: Do not edit or modify the value titled (Default).

Right click on DemoMenu and make another String Value. Name this one SubCommands (this must be exact). This is not where we give the items their display names, but it is how the menu calls them. Keep the names short and descriptive with no spaces, and use a semicolon to delimit the items. If you would like a divider line, put a | (pipe) character in the list. Here is a sample for the demo:

If you did it correctly -- yours should look like this:

Step 2:

Step 2 will need to be repeated for each item you put in SubCommands.

Browse to the following key:

This is where we will create the command for each item.

Right click on shell and select:
New > Key

Name the key exactly the same as the first item in our SubCommands data. For this example it is DemoNotepad.

Edit the data in the (Default) value. Put whatever you want this command to be called in your menu; for this tutorial we'll just call it Notepad.

Right click on the key we made (DemoNotepad) and select:
New > Key

Name this key:
command (this needs to be exact)

Double click on the (Default) value in the command key.

Enter the path of the program we want. For the notepad example we use: "C:\windows\system32\notepad.exe" "%1"
(Mind the quotes and spaces.)

We also added %1 at the end of the command. This is essentially argument 1: Explorer replaces it with the path of the file we right-clicked on, so the program knows we want to open that file.

Pro-Tip: If the path to your program contains spaces, such as C:\Program Files\blahblah, make sure to put the path in double quotes " ". Since we have no idea what we may right-click on, and whether that path has spaces, we put %1 in quotes as well.

If you did it correctly -- yours should look like this:

Showing the data for DemoNotepad

Showing the data for command

Step 3:

Repeat Step 2 for each item in SubCommands.

I added another for DemoWordpad. Here is a screenshot below:
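Steps 1 through 3 above, as an added PowerShell script that is not the post's own .reg script nor the author's code. It assumes an elevated session on Windows 7 or later, the standard Explorer locations for per-file verbs (HKEY_CLASSES_ROOT\*\shell) and for SubCommands verbs (...\Explorer\CommandStore\shell), which the post does not spell out, and an assumed path for wordpad.exe.

```powershell
# Added example: builds the DemoMenu cascade from a list of tools.
# Assumes an elevated PowerShell session on Windows 7 or later.
# Assumed standard Explorer locations (not stated in the post):
#   HKCR\*\shell                            - context-menu verbs for every file type
#   HKLM\...\Explorer\CommandStore\shell    - where SubCommands verb names are looked up
$menuName  = 'DemoMenu'
$menuLabel = 'Cascade Menu'
$storeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell'

# Verb names must be short, unique and free of spaces; a '|' entry becomes a divider line.
# The wordpad.exe path is an assumption for the demo.
$tools = @(
    @{ Verb = 'DemoNotepad'; Label = 'Notepad'; Exe = 'C:\Windows\System32\notepad.exe' },
    '|',
    @{ Verb = 'DemoWordpad'; Label = 'Wordpad'; Exe = 'C:\Program Files\Windows NT\Accessories\wordpad.exe' }
)

# PowerShell has no HKCR: drive by default; map one so the paths below resolve.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$menuKey = "HKCR:\*\shell\$menuName"

# Step 1: the cascading entry. MUIVerb is the text shown; SubCommands lists the verbs in order.
# -LiteralPath keeps the '*' in the key name from being treated as a wildcard.
New-Item -Path $menuKey -Force | Out-Null
New-ItemProperty -LiteralPath $menuKey -Name 'MUIVerb' -Value $menuLabel -PropertyType String -Force | Out-Null
$subCommands = ($tools | ForEach-Object { if ($_ -is [string]) { $_ } else { $_.Verb } }) -join ';'
New-ItemProperty -LiteralPath $menuKey -Name 'SubCommands' -Value $subCommands -PropertyType String -Force | Out-Null

# Steps 2 and 3: one CommandStore verb per tool. The verb key's (Default) is the menu label;
# its command subkey's (Default) is the command line Explorer runs.
foreach ($tool in $tools) {
    if ($tool -is [string]) { continue }                  # skip divider entries
    $verbKey = "$storeKey\$($tool.Verb)"
    New-Item -Path "$verbKey\command" -Force | Out-Null   # -Force also creates the verb key
    Set-ItemProperty -LiteralPath $verbKey -Name '(Default)' -Value $tool.Label
    # Quote both the executable path and %1: either may contain spaces.
    Set-ItemProperty -LiteralPath "$verbKey\command" -Name '(Default)' -Value ('"{0}" "%1"' -f $tool.Exe)
}
```

Adding a tool is then a matter of appending one hashtable to $tools and re-running; the SubCommands string and the CommandStore verbs are regenerated together, so the two cannot drift apart.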

Step 4: Profit

Now you have an awesome context menu you can save time with:

To save myself time, I turned my context menu registry tweaks into a .reg script. Here is the link to it on GitHub:

Please feel free to send me questions, comments, concerns or suggestions here or on Twitter @JC_SoCal