I'm interested in using something like OllyDbg to examine a program that potentially has Trojan-like characteristics.

Does anyone know any good tutorials on how to do this safely?

Basically the program is a "bot" for a video game, but I suspect that it has back doors and/or will upload information it gathers (such as passwords) to a remote server.

I'd like to find the URLs or IPs it attempts to connect to, prevent it from doing so, etc., so I guess this is a little more specific than the typical "cracking" of a program; I'm mostly interested in ferreting out network-based things it might be doing and either preventing them or fooling it into thinking it was successful.

Also, I'm curious about how to snoop on encrypted network traffic. How can I determine the encryption keys and algorithms a program uses to encrypt what it sends across the network? (I ask, because I am interested in creating a 3rd party client to emulate communication with a game server, and I can't do that without knowing how to discover the keys being used)

A: 

You can use a virtual machine (such as VirtualBox) to run the "malware" safely. You can use Process Explorer to see exactly what the process does (registry/disk access, etc).

The virtual machine will also allow you to create snapshots of the OS installed within, so you can easily return everything to a known state (i.e. before running the malware) at the click of a button.

As for snooping the network, I don't know how to do that. I suppose existing network sniffing tools can be used inside the virtual machine itself, but I've never done this so I don't know what to use -- someone else will have to fill in...

Benoit Miller
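The answer covers the dynamic side (run it in a snapshotted VM, watch it with Process Explorer, sniff inside the VM). A cheap static step that complements that, and is worth doing before the sample ever executes, is pulling printable strings out of the binary and filtering them for network indicators. The script below is an added example written for this page, not code from the question or the answer. It scans both plain ASCII and UTF-16LE strings (Windows binaries often store hostnames as wide strings), matches URLs, IPv4 addresses and hostnames, and prints them defanged so they cannot be clicked or auto-linked. The `SAMPLE_BINARY` blob is constructed for the demonstration and uses the reserved `example.com` and TEST-NET-2 ranges; the TLD list in `HOST_RE` is an illustrative subset, not a complete one. Its limitation is also the point of the answer's VM approach: it only finds indicators the author left in cleartext, so packed, encrypted or runtime-built strings will not show up here and need the dynamic route.

```python
import re
import sys
from typing import Dict, List, Set

# Minimum printable run length to treat as a "string" (same idea as the
# classic strings(1) default).
MIN_LEN = 6

# A run of printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text: each printable ASCII byte is followed by a NUL byte.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"<>]+", re.IGNORECASE)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Illustrative TLD subset (assumption for this example); extend as needed.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|ru|cn|io)\b", re.IGNORECASE)


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE strings found in raw bytes."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found


def find_indicators(data: bytes) -> Dict[str, List[str]]:
    """Collect unique URLs, IPv4 addresses and hostnames from the strings."""
    urls: Set[str] = set()
    ips: Set[str] = set()
    hosts: Set[str] = set()
    for s in extract_strings(data):
        urls.update(URL_RE.findall(s))
        ips.update(IPV4_RE.findall(s))
        hosts.update(h.lower() for h in HOST_RE.findall(s))
    return {"urls": sorted(urls), "ipv4": sorted(ips), "hosts": sorted(hosts)}


def defang(indicator: str) -> str:
    """Render an indicator so it is not clickable in reports or chat."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


# Constructed sample standing in for a suspicious executable: a fake header,
# one ASCII URL, one wide-string hostname, one IP:port, and two ordinary
# Windows import names that must not be reported as indicators.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x00" * 16
    + b"http://updates.example.com/upload.php\x00"
    + b"\xde\xad\xbe\xef" * 4
    + "stats.example.com".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + b"198.51.100.23:443\x00"
    + b"GetProcAddress\x00LoadLibraryA\x00"
    + b"\xff" * 8
)


if __name__ == "__main__":
    # Usage: python triage.py <file>   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_BINARY
    for kind, values in find_indicators(blob).items():
        for v in values:
            print(f"{kind:5s} {defang(v)}")
```

Feed the defanged hostnames and addresses into the VM's hosts file or a local DNS sinkhole before the dynamic run, so the sample resolves them to a listener you control and you can observe what it tries to send without it ever reaching the real server.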