It’s performed without executing the
• Disassemble the malware
• Control flow or data flow analysis: provide a great deal of information on how malware functions
The Interactive Disassembler Professional is a product of Hex-Rays. It’s a recursive descent disassembler:
• Sequential Flow Instructions
• Conditional Branching Instructions
• Unconditional Branching Instructions
• Function Call Instructions
• Return Instructions
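The five instruction classes listed above are exactly what decides where a recursive descent disassembler continues decoding: sequential instructions continue at the next address, conditional branches open two paths, unconditional branches only one, calls open the target and the return address, and returns end the path. The following Python block is an added example, not IDA’s code or any Hex-Rays format; it defines a constructed toy byte-code (an assumption) and a constructed sample program with a data blob hidden after an unconditional jump, and shows why recursive descent skips that blob while a linear sweep wrongly decodes it as an instruction.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed toy ISA (an assumption for illustration, not a real architecture).
# opcode -> (mnemonic, length in bytes, flow class from the slide)
ISA = {
    0x00: ("nop",  1, "sequential"),
    0x01: ("mov",  2, "sequential"),     # mov r0, imm8
    0x10: ("jmp",  2, "unconditional"),  # jmp abs8
    0x20: ("jz",   2, "conditional"),    # jz  abs8
    0x30: ("call", 2, "call"),           # call abs8
    0x40: ("ret",  1, "return"),
}

@dataclass(frozen=True)
class Insn:
    addr: int
    mnemonic: str
    length: int
    operand: Optional[int]
    flow: str

def decode(code: bytes, addr: int) -> Optional[Insn]:
    """Decode one instruction at addr, or None if the byte is not a valid opcode."""
    if addr >= len(code) or code[addr] not in ISA:
        return None
    mnem, length, flow = ISA[code[addr]]
    if addr + length > len(code):
        return None
    operand = code[addr + 1] if length == 2 else None
    return Insn(addr, mnem, length, operand, flow)

def successors(insn: Insn) -> List[int]:
    """Addresses that must contain code, given the flow class of insn."""
    fallthrough = insn.addr + insn.length
    if insn.flow == "sequential":
        return [fallthrough]
    if insn.flow == "conditional":
        return [fallthrough, insn.operand]   # both outcomes are code
    if insn.flow == "unconditional":
        return [insn.operand]                # bytes after a jmp may be data
    if insn.flow == "call":
        return [fallthrough, insn.operand]   # callee is code; execution returns here
    return []                                # return: nothing follows

def recursive_descent(code: bytes, entry: int) -> Dict[int, Insn]:
    """Follow control flow from entry; only reachable bytes are decoded."""
    seen: Dict[int, Insn] = {}
    worklist = [entry]
    while worklist:
        addr = worklist.pop()
        if addr in seen:
            continue
        insn = decode(code, addr)
        if insn is None:
            continue
        seen[addr] = insn
        worklist.extend(successors(insn))
    return seen

def linear_sweep(code: bytes) -> Dict[int, Insn]:
    """Decode every byte in order, ignoring control flow (for contrast)."""
    out: Dict[int, Insn] = {}
    addr = 0
    while addr < len(code):
        insn = decode(code, addr)
        if insn is None:
            addr += 1          # skip an undecodable byte
            continue
        out[addr] = insn
        addr += insn.length
    return out

# Constructed sample program. Bytes 0x06-0x07 are data that happen to look
# like "jmp 0x00"; no path ever reaches them.
SAMPLE = bytes([
    0x30, 0x08,   # 00: call 0x08
    0x20, 0x0B,   # 02: jz   0x0b
    0x10, 0x0B,   # 04: jmp  0x0b
    0x10, 0x00,   # 06: data (unreachable)
    0x01, 0x2A,   # 08: mov  r0, 0x2a
    0x40,         # 0a: ret
    0x40,         # 0b: ret
])

def listing(insns: Dict[int, Insn]) -> List[str]:
    rows = []
    for addr in sorted(insns):
        i = insns[addr]
        op = "" if i.operand is None else f" 0x{i.operand:02x}"
        rows.append(f"{addr:02x}: {i.mnemonic}{op}")
    return rows

if __name__ == "__main__":
    print("recursive descent:", listing(recursive_descent(SAMPLE, 0)))
    print("linear sweep:     ", listing(linear_sweep(SAMPLE)))
```

The recursive descent listing contains no instruction at 0x06, because the only instruction before it is an unconditional jump; the linear sweep listing reports a bogus `jmp 0x00` there. The same mechanism is why a recursive descent disassembler needs help when a target is computed at run time (an indirect jump or call has no static operand to follow), which is where the analyst's manual code/data marking comes in.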
It’s performed by executing programs on a real or
• Black Box Analysis: "what you see is all you get"
• White Box Analysis: it’s different from Static
It’s a free and open-source packet analyzer. Most network interfaces can be put in “promiscuous mode”, in which they supply to the host all network packets they
It’s a packet sniffing tool which aids in reverse-engineering software running on the Windows platform. The sniffing is done on the API level, which allows a much more fine-grained view of what’s going on.
It’s an advanced monitoring tool for Windows
that shows real-time file system, registry and
Process Monitor includes powerful monitoring and filtering capabilities:
• File System
It’s a debugger that traces registers, recognizes procedures, API calls…
It has a friendly interface, and its functionality can be extended by third
A good analysis of malware can be made thanks to the combination of several tools that implement techniques of static and
Thanks for your attention!