Now that you have an idea of what this virus does and how it operates, learn how to start the Windows Performance Recorder and collect data. Collect data by placing the virus into a new directory that contains other noninfected normal Windows programs and files. Then start the data collection, execute the virus, and sit back as the virus corrupts and infects over a hundred files.
- [Narrator] Let's start by clicking on the WPRUI desktop shortcut we created earlier. Click Yes on any prompts that come up. This will bring up the WPRUI menu. Once up let's click on the more options dropdown menu. Let's uncheck this first level triage box and in fact let's expand the whole list and make sure every box is unchecked. So expand the resource analysis section and make sure every box is unchecked. And let's expand the scenario analysis and make sure every box is unchecked.
Scroll all the way up. Now let's have the Windows performance recorder record CPU usage for us, which will let us see the functions the visus is calling and how it infects other files. Next, disk and file I/O activity is selected. Since this will show us the virus file write activity. The full path to the files that it's writing to you and a massive jump in activity. We will use this massive jump in file activity as our starting point when it comes to analysis. With all of the options needed selected I'm now going to bring up a directory that has over 300 undamaged files and the virus that's at the end.
Now what I'm going to do for the collection is click start, but I'm going to keep track of the time elapsed on my phone stopwatch since I will be minimizing the WPRUI menu. With that said, I'm going to start collecting and after 10 seconds I'm going to double click on the virus. Okay, 10 seconds has passed, time to launch the virus. After the virus is done infecting the files I'm going to wait another 10 seconds before I stop the recording.
For the comment, I can put anything I want. For now, I'll put virus demo and hit save. After the trace file is done saving I can hit open folder where I am taken to the directory where the trace files and its associated symbols are located. I'm going to rename these files to something more meaningful like WPT Virus Analysis. This way you know what file this course belongs to. These files will be includes in the exercise files for those of you who have access.
Author
Thomas Pantels
Released
10/25/2017Skill Level Intermediate
Duration
Views
-
Introduction
-
Welcome48s
-
Exercise files33s
-
Overview31s
-
-
1. Virus Analysis
-
A self-replicating virus3m 47s
-
Virus source code4m 39s
-
WPA and symbol loading1m 33s
-
Virus file IO analysis5m 23s
-
Virus disk usage analysis1m 23s
-
Virus CPU usage analysis2m 1s
-
Virus removal and tips1m 23s
-
-
Conclusion
-
Next steps1m 1s
-
Take notes with your new membership!
Type in the entry box, then click Enter to save your note.
Press on any video thumbnail to jump immediately to the timecode shown.
Notes are saved with you account but can also be exported as plain text, MS Word, PDF, Google Doc, or Evernote.
Share this video
Embed this video
Video: Collecting data during infection