
Analysing shellcode

Author Hardik Shah
March 14, 2016
Very often I need to analyse malware samples or 0-day exploits for which I don't have any prior info, so for dynamic analysis I generally put breakpoints on the following APIs:

Kernel32.CreateProcessA
Kernel32.CreateFileA
Kernel32.VirtualAlloc
Kernel32.VirtualProtect
Kernel32.CreateThread

Most of the time the shellcode does one of the following:

1. creates a file
2. allocates memory using VirtualAlloc and marks it executable using VirtualAlloc/VirtualProtect
3. creates a new thread
4. creates a new process

Having a breakpoint on such common APIs helps to quickly locate the shellcode. Another tool I use is Procmon, which gives more details on the activities being performed, and you can select the APIs to put breakpoints on. Once a breakpoint is hit, you need to trace back and locate the actual vulnerable function which calls the shellcode, and after some stepping in/out you will land at the starting point of the shellcode.

I also sometimes use static analysis techniques, in case I am able to extract the shellcode from the file. Once I have extracted the shellcode I just need to run it under a debugger/disassembler to see what it is doing. There are many techniques by which you can analyse the shellcode in an exploit. I generally use the following URL to convert the shellcode to an executable so that I can run it in Olly/IDA and then step into it with ease: http://sandsprite.com/shellcode_2_exe.php

Hope this helps.
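The shellcode-to-executable conversion mentioned above, as an added example that is neither the sandsprite tool's code nor the author's: it wraps a raw 32-bit shellcode blob in a minimal PE32 with a single RWX section and no import table, so the result can be loaded in OllyDbg/IDA and stepped into from the entry point. The output name `shellcode.exe` and the two-byte stand-in payload (int3 ; ret) are constructed for the example; it assumes a Windows loader that accepts an image without imports, as modern Windows does.

```python
import struct

FILE_ALIGN = 0x200      # file alignment of headers and section data
SECT_ALIGN = 0x1000     # section alignment in memory
IMAGE_BASE = 0x400000
CODE_RVA = 0x1000       # RVA of the .text section and of the entry point

def align(n, a):
    return (n + a - 1) // a * a

def shellcode_to_exe(shellcode: bytes) -> bytes:
    """Wrap raw x86 shellcode in a minimal PE32. No imports: the shellcode is
    expected to resolve its own APIs, just as it does inside an exploit."""
    raw_size = align(len(shellcode), FILE_ALIGN)
    # DOS header: "MZ" plus e_lfanew (offset 0x3C) pointing at the PE signature
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    # COFF header: i386, one section, 224-byte optional header,
    # characteristics = RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0103)
    # Optional header, standard fields: PE32 magic, SizeOfCode, entry point = BaseOfCode
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, raw_size, 0, 0, CODE_RVA, CODE_RVA, 0)
    # Windows-specific fields: base, alignments, OS/subsystem versions, SizeOfImage,
    # SizeOfHeaders, checksum, GUI subsystem, stack/heap sizes, 16 data directories
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       IMAGE_BASE, SECT_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0, 0,
                       CODE_RVA + align(len(shellcode), SECT_ALIGN), FILE_ALIGN, 0,
                       2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128  # all 16 data directories empty (no imports, no relocations)
    # Section header: .text, CODE | EXECUTE | READ | WRITE so decoder stubs can patch themselves
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(shellcode), CODE_RVA, raw_size,
                       FILE_ALIGN, 0, 0, 0, 0, 0xE0000020)
    headers = dos + coff + opt + sect            # 352 bytes, padded to FILE_ALIGN
    headers += b"\0" * (FILE_ALIGN - len(headers))
    return headers + shellcode + b"\0" * (raw_size - len(shellcode))

if __name__ == "__main__":
    import sys
    # Constructed stand-in payload: int3 ; ret -> breaks straight into the debugger
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else b"\xcc\xc3"
    with open("shellcode.exe", "wb") as f:
        f.write(shellcode_to_exe(blob))
```

Loading the resulting file in the debugger and running to the entry point puts you on the first shellcode byte, which is the same starting point you would otherwise reach by tracing back from the API breakpoints.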