Identification and Extraction of Hidden Components

Today, the most common use for reverse engineering is in targeting malware. Like any other software, malware has its own installation process. The difference is that it does not ask for the user's permission to install. Malware does not even install in the Program Files folder where legitimate applications are installed. Rather, it tends to place its malware file in folders that the user rarely opens, keeping it hidden from notice. However, some malware does show itself and generates copies of itself in almost all conspicuous folders, such as the desktop. Its purpose is to get its copies executed by users, whether by an accidental double-click or out of curiosity. This is what we usually call malware persistence.

Persistence is when malware consistently runs in the background. In this chapter, we will point out general techniques used by malware to become persistent. We will also explain the common locations where malware files are stored. Major malware behaviors, and some tools capable of identifying how malware installs itself in the system, will also be shown. Understanding how malware is delivered will definitely help a reverse engineer explain how the attacker was able to compromise the system.
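The behavior described above, one file dropped both in a conspicuous place such as the desktop and in an out-of-the-way folder, leaves a simple trace an analyst can look for: the same bytes sitting under several names in several directories. The following script is an added example, not code from the book; it builds a constructed, throwaway user-profile layout under a temporary directory and then groups executable-looking files by SHA-256 so that replicated copies show up together. The extension list and the folder names are assumptions chosen for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions that typically carry executable content on Windows (assumed list;
# extend it to match the environment being examined).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".vbs", ".js"}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_replicated_executables(root):
    """Walk *root* and group executable files by content hash.

    Returns {sha256: [paths relative to root]} containing only those hashes
    found in more than one location, i.e. files that were copied around.
    """
    groups = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            groups[sha256_of(full)].append(os.path.relpath(full, root))
    return {h: sorted(paths) for h, paths in groups.items() if len(paths) > 1}


def build_sample_profile():
    """Constructed sample profile: identical payload bytes dropped both in a
    conspicuous folder (Desktop) and in a rarely visited Temp subfolder.
    The payload is a stand-in byte string, not a real PE file."""
    root = tempfile.mkdtemp(prefix="profile_")
    payload = b"MZ" + b"\x90" * 64
    layout = {
        os.path.join("Desktop", "Invoice.exe"): payload,
        os.path.join("AppData", "Local", "Temp", "x", "update.exe"): payload,
        os.path.join("Documents", "notes.txt"): b"plain text, not executable",
        os.path.join("Documents", "setup.exe"): b"MZ" + b"\x00" * 64,  # unrelated
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    return root


if __name__ == "__main__":
    profile = build_sample_profile()
    for digest, paths in find_replicated_executables(profile).items():
        print(digest[:16], "->", paths)
```

Run against a real profile directory by passing its path to `find_replicated_executables`; a hash that appears under both a user-facing folder and a Temp or AppData subfolder is the pattern worth opening in a disassembler next. Hashing content rather than comparing names is deliberate, since copies are routinely renamed.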

In this chapter we will learn about the following:

  • The basics of the operating system environment
  • Typical malware behavior:
    • Malware delivery
    • Malware persistence
    • Malware payload
  • Tools used to identify hidden components