Dynamic Analysis of Malware Research Paper Example | Topics and Well Written Essays - 1000 words

Dynamic Analysis of Malware - Research Paper Example A function comprises of a code that executes a certain task like creating a file or calculating factorial value of a number. In the use of functions easy code re-usability, and easier maintenance can result. The property that makes functions interesting for program analysis is that they are usually used to abstract from execution particulars to a semantically richer representation. For example, so long as the outcome corresponds to the sorted input, the particular algorithm which a sort function implements might not be essential. When it comes to analyzing code, such abstractions help in gaining an overview of the behavior of the program when analyzing a code. By intercepting these calls, one can monitor what functions are called by a program. Hooking is the process of intercepting function calls. A hook function is invoked when the analyzed program is manipulated in addition to the anticipated function (Hunt, Thomas, & Cunningham, 1999). Application Programming Interface (API) This hook function is responsible for putting into action the necessary analysis functionality like analyzing its input parameters or recording its stats to a log file. Application Programming Interface (API) are groups of functions that form a logical set of functionality, like communicating over the network or file manipulation. In most cases, operating systems provide several APIs that can be used by applications to perform familiar tasks and can be found on diverse layers of abstraction. The term API on windows OS, refers to a set of APIs which give access to varying functional groupings like system services, networking, management and security (Leyden, 2001). System Calls System calls is usually categorized into two, and it is the software execution on computer systems which run commodity of the shelf OS. These two categories are user-mode and kernel-mode. User-mode is used in executing general applications like image manipulation programs or word processors. The only code that is executed in kernel-mode has direct entry to the system state. This partition prohibits the user-mode process from interacting with the system and its environment. For example, since it is impossible to create or directly open a file for a user-space process, the operating system (OS) provides a unique well defined API-the system call interface. A user-mode application is able to request the OS to perform a small set of tasks on its behalf, by using system calls. A user-mode application has to invoke the precise system-call showing the file’s path, name and access method in order to create a file. As soon as the system call is invoked, it is changed into kernel-mode. The OS carries out the task on behalf of the user-mode applications when there are enough access rights for the desired action upon verification (Nick, 2006). Anubis Anubis is a critical component/tool which is used for studying/analyzing Windows PE-executable’s behavior, main focus being on malware analysis. Anubis execution results in the making of report files that have enough information, thus enabling a user to have a clear idea about the use and actions of the analyzed binary. The report has detailed data regarding enhancements made to the Windows registry or file system. This analysis relays on running and watching the binary in an emulated environment. The