Darwin

EasyMalware Reverse Engineering

Overview

We have a suspected malware sample packaged as an .MSI file. Can you unpack it and recover the exported sections from it?

DO NOT RUN THE FILE ON YOUR MACHINE, USE A VM.

Archive password: infected
Flag format: flag{XX_XXXXXXXX}

Lab Details

Prerequisites & Requirements

  • Windows Installer Logic: Basic understanding of how .msi packages execute and manage installations.
  • PE/DLL Structure: Familiarity with the Portable Executable format, specifically how DLL exports function.
  • Safe Analysis Practices: Proficiency in using isolated Virtual Machines (VMs) for executing untrusted samples.

What will you learn?

  • MSI Forensics: Utilizing specialized tools to inspect internal MSI tables and "CustomAction" execution triggers.
  • Behavioral Monitoring: Using Process Monitor (ProcMon) to track file system modifications and identify "dropped" malicious artifacts.
  • Artifact Extraction: Bypassing failed manual extraction attempts by capturing binaries directly from the runtime environment.
  • Export Analysis: Identifying malicious capabilities by inspecting a DLL's exported function names.

Tools

  • Static Triage: Msidump (for MSI stream and binary extraction).
  • Dynamic Analysis: Process Monitor (Sysinternals) for real-time event tracking.

Job Positions

Malware Analyst

Tags

  • Static Analysis
  • Dynamic Analysis
  • PE Header
  • Behavioral Analysis
  • Unpacking