
Dynamic Analysis

Dynamic analysis runs the code and watches what happens
Static analysis tells you what the binary could do -- dynamic analysis reveals what it actually does when executed in a controlled environment. This is where theory meets reality

Safe Execution Environment

Never run malware on your host machine
Always use isolated analysis environments:

# Virtual machine (recommended)
# Snapshot clean state before any analysis

# Docker container (for user-space analysis)
docker run --rm -it -v $(pwd):/malware ubuntu:latest

# Sandbox
cuckoo submit suspicious.exe

Debugging

# GDB (Linux ELF)
gdb ./suspicious
gdb -q ./suspicious                # Quiet mode
gdb -ex run ./suspicious           # Run immediately

# Inside the gdb prompt:
x/10i $rip                         # Disassemble next 10 instructions
info registers                     # View all registers
break *0x401000                    # Break at address
watch *0x601000                    # Watch memory location

# GDB with pwndbg/peda/gef
# Modern GDB frontends with exploit-friendly features
gdb -q -ex "source /path/to/pwndbg/gdbinit.py" ./binary

# x64dbg (Windows)
# x64dbg.exe - Open binary, set breakpoints, step through
# Ultimate debugger with plugin ecosystem

# WinDbg (Windows kernel/user)
windbg -o suspicious.exe

System Call Tracing

# Linux strace
strace -f -o trace.log ./binary    # Follow forks, save to log
strace -e trace=open,read ./binary # Trace specific syscalls
strace -c ./binary                 # Count syscall statistics

# Linux ltrace (library calls)
ltrace ./binary

# Windows Process Monitor (procmon)
# procmon.exe - Filter by process name
# Captures: registry, filesystem, network, process/thread

# Windows API Monitor
# apimonitor.exe - Hook API calls with parameters

# Windows Sysinternals
# Handle, Process Explorer, TCPView

Network Monitoring

# tcpdump
tcpdump -i lo -w malware_net.pcap

# Wireshark (GUI)
wireshark -k -i lo

# FakeNet (simulate network)
python fakenet.py

# INetSim (comprehensive fake services)
inetsim
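Added example (not from the original page): once the sample has run under `tcpdump -i lo -w malware_net.pcap`, the first triage question is which hosts and ports it tried to reach. The script below parses the classic libpcap container that tcpdump writes (little-endian magic, Ethernet link type) and counts every outbound TCP SYN that is not a SYN/ACK. The capture bytes are constructed in-code so it runs offline; `parse_pcap`, `tcp_syn_destinations` and the 203.0.113.x / 198.51.100.x addresses are this example's own, not tool names from the page.

```python
"""List TCP SYN destinations from a tcpdump-style pcap file (added example)."""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap written on a little-endian host
LINKTYPE_ETHERNET = 1


def _ipv4(addr_bytes):
    return ".".join(str(b) for b in addr_bytes)


def parse_pcap(data):
    """Yield (ts_sec, frame_bytes) for each record; header layout per libpcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def tcp_syn_destinations(data):
    """Return Counter of (dst_ip, dst_port) for every TCP SYN without ACK (IPv4 only)."""
    dests = Counter()
    for _ts, frame in parse_pcap(data):
        if len(frame) < 14 + 20 + 20:          # Ethernet + minimal IPv4 + minimal TCP
            continue
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # EtherType IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                # header length in bytes
        if ip[9] != 6:                          # protocol TCP
            continue
        tcp = ip[ihl:]
        dst_port = struct.unpack("!H", tcp[2:4])[0]
        flags = tcp[13]
        if flags & 0x02 and not flags & 0x10:   # SYN set, ACK clear: connection attempt
            dests[(_ipv4(ip[16:20]), dst_port)] += 1
    return dests


def _build_frame(src_ip, dst_ip, dst_port, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr


def build_sample_pcap():
    """Constructed capture: two SYNs to one host, one to another, plus non-SYN traffic."""
    frames = [
        _build_frame("10.0.0.5", "203.0.113.7", 443, 0x02),    # SYN
        _build_frame("203.0.113.7", "10.0.0.5", 40000, 0x12),  # SYN/ACK reply, ignored
        _build_frame("10.0.0.5", "203.0.113.7", 443, 0x02),    # SYN retry
        _build_frame("10.0.0.5", "198.51.100.9", 8080, 0x02),  # SYN to second host
        _build_frame("10.0.0.5", "203.0.113.7", 443, 0x18),    # PSH/ACK data, ignored
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for (ip, port), n in tcp_syn_destinations(build_sample_pcap()).most_common():
        print(f"{ip}:{port}  {n} connection attempt(s)")
```

To use it on a real capture, replace `build_sample_pcap()` with `open("malware_net.pcap", "rb").read()`; pcapng files and non-Ethernet link types are rejected with a clear error rather than silently misparsed.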

Memory Analysis

# Memory dumps during execution
# Process dump (Windows)
procdump.exe -ma PID

# Volatility analysis
volatility -f mem.dump imageinfo                      # Identify the profile to use below
volatility -f mem.dump --profile=Win10x64 pslist
volatility -f mem.dump --profile=Win10x64 netscan
volatility -f mem.dump --profile=Win10x64 cmdline

Frida - Dynamic Instrumentation

# Frida hooks without stopping the process
frida -p PID -l script.js         # Attach to process
frida -f binary -l script.js      # Spawn binary with hooks

# Frida trace
frida-trace -p PID -i "recv"     # Trace recv function

Common Anti-Analysis and Bypasses

  • Anti-debug - ptrace calls, IsDebuggerPresent, NtQueryInformationProcess
  • VM detection - Check for hypervisor artifacts
  • Timing checks - Execution delays (sandbox detection)
  • Environment checks - Username, domain, installed software
  • Bypass: Patch checks in debugger, use ScyllaHide for Windows, use cat for ptrace
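Added example (not from the original page) covering both the System Call Tracing section and the anti-analysis list above: a parser for `strace -f -o trace.log` output that produces per-pid syscall counts (what `strace -c` gives you, but per process), the files opened, programs executed and `connect()` targets, and flags the anti-analysis behaviours listed above where they show up as syscalls: a `ptrace(PTRACE_TRACEME)` self-trace, a read of `/proc/self/status` (TracerPid), DMI lookups under `/sys/class/dmi/` and long `nanosleep` delays. The log lines, the 60-second sleep threshold and the function names are this example's own constructions.

```python
"""Summarise an `strace -f -o` log and flag anti-analysis behaviour (added example)."""
import re
from collections import Counter, defaultdict

# One strace line: "<pid> <syscall>(<args>) = <ret> ...". Signal lines (--- ... ---),
# exit lines (+++ ... +++) and "<unfinished ...>" continuations do not match and are skipped.
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<name>[a-z_0-9]+)\((?P<args>.*)\)\s+=\s+(?P<ret>\S+)")
STR_RE = re.compile(r'"([^"]*)"')
LONG_SLEEP_SECS = 60   # assumption: a sleep this long before acting is treated as sandbox evasion

# Constructed sample log, not real malware output. Raw string keeps strace's \t and \n escapes literal.
SAMPLE_LOG = r"""4242 execve("./suspicious", ["./suspicious"], 0x7ffd1234 /* 20 vars */) = 0
4242 ptrace(PTRACE_TRACEME, 0, NULL, NULL) = -1 EPERM (Operation not permitted)
4242 openat(AT_FDCWD, "/proc/self/status", O_RDONLY) = 3
4242 read(3, "Name:\tsuspicious\nTracerPid:\t4200\n", 4096) = 34
4242 openat(AT_FDCWD, "/sys/class/dmi/id/product_name", O_RDONLY) = 4
4242 nanosleep({tv_sec=300, tv_nsec=0}, NULL) = 0
4242 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f12345678) = 4243
4243 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
4243 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
4243 openat(AT_FDCWD, "/home/user/.bashrc", O_WRONLY|O_APPEND) = 6
4243 +++ exited with 0 +++
4242 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4243} ---
4242 exit_group(0) = ?
"""


def parse_strace(log_text):
    """Return per-pid syscall counts, opened files, execs, connects and anti-analysis findings."""
    syscalls = defaultdict(Counter)
    files, execs, connects, findings = [], [], [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, name, args, ret = int(m["pid"]), m["name"], m["args"], m["ret"]
        syscalls[pid][name] += 1
        strings = STR_RE.findall(args)            # quoted arguments: paths, argv entries
        if name in ("open", "openat") and strings:
            path = strings[0]                     # AT_FDCWD is unquoted, so the path is first
            files.append((pid, path))
            if path == "/proc/self/status":
                findings.append((pid, "anti-debug: reads /proc/self/status (TracerPid check)"))
            elif path.startswith("/sys/class/dmi/"):
                findings.append((pid, f"VM detection: hypervisor artifact lookup in {path}"))
        elif name == "execve" and strings:
            execs.append((pid, strings[0]))
        elif name == "connect":
            port = re.search(r"htons\((\d+)\)", args)
            addr = re.search(r'inet_addr\("([^"]+)"\)', args)
            if port and addr:
                connects.append((pid, addr.group(1), int(port.group(1))))
        elif name == "ptrace" and "PTRACE_TRACEME" in args:
            # EPERM here means something is already tracing the process, i.e. the debugger was noticed
            findings.append((pid, f"anti-debug: ptrace(PTRACE_TRACEME) returned {ret}"))
        elif name == "nanosleep":
            secs = re.search(r"tv_sec=(\d+)", args)
            if secs and int(secs.group(1)) >= LONG_SLEEP_SECS:
                findings.append((pid, f"timing check: sleeps {secs.group(1)}s before acting"))
    return {"syscalls": dict(syscalls), "files": files, "execs": execs,
            "connects": connects, "findings": findings}


if __name__ == "__main__":
    summary = parse_strace(SAMPLE_LOG)
    for pid, counts in summary["syscalls"].items():
        print(f"pid {pid}: {sum(counts.values())} syscalls, top: {counts.most_common(3)}")
    for pid, path in summary["files"]:
        print(f"[{pid}] file  {path}")
    for pid, ip, port in summary["connects"]:
        print(f"[{pid}] net   {ip}:{port}")
    for pid, note in summary["findings"]:
        print(f"[{pid}] FLAG  {note}")
```

Point it at a real run with `parse_strace(open("trace.log").read())`. The findings list is where the anti-analysis bullets above become concrete: a flagged `PTRACE_TRACEME` or TracerPid read tells you the sample will behave differently under gdb than under strace alone, and a flagged long sleep tells you how long the sandbox timeout needs to be before the real behaviour appears.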