Win PE Analysis

PE (Portable Executable)
4D 5A is the PE signature
Reference:
https://en.wikipedia.org/wiki/Portable_Executable#/media/File:Portable_Executable_32_bit_Structure_in_SVG.svg

A PE file consists of:
header:
  DOS header: 64 bytes, starts with magic number 4D 5A 50 00; the last 4 bytes are the location of the PE header
  DOS stub:
  PE header: 24 bytes, starts with magic number 50 45 00 00
  optional header: 224 bytes
    information: 96 bytes
    data directory: 128 bytes
sections:
  code
  imports
  data

PE file analysis
static analysis: collecting information without launching the executable file
dynamic analysis: collecting information by launching the executable file


Static analysis process:
1. Scan with anti-virus
2. Search for strings, e.g. with a tool like Process Explorer or PEstudio
3. Analyze the PE header
4. Analyze the import tables: they list what this file includes; an EXE usually includes DLLs
5. Analyze the export tables: they list what includes this file; a DLL is usually included by an EXE

Dynamic analysis process:
1. Create a test environment
2. Collect information using tools
3. Carry out the malware test

ps:
Virus writers always watch whether their virus has been found in VT (VirusTotal), because VT has many virus samples.
ps:
VT has the largest file sample database. If the hash of an anomalous file is not in VT, that is an anomaly.


ps:
Analysis by ssdeep
Computes fuzzy hashes / piecewise hashes, which are used to find similar files; it can be used to find malware with a similar structure.
ex:
ssdeep.exe -b bar.exe > fuzzy_hash.txt
ssdeep.exe -bm fuzzy_hash.txt foo.exe
Reference:
http://ssdeep.sourceforge.net/


……………………………………………………………………………………………………………………….

Common static analysis tools:
IDA Pro: disassembler and debugger tool (https://www.hex-rays.com)
PEstudio
preiscople.exe
Resource Hacker
…omit… 


tool: PEstudio
Functions include the following:
indicators: built-in rules for file behavior; if there are too many entries with severity=1, the file is anomalous.
virustotal: integrates VT; submits only the hash, not the file
file header: the EXE header
sections: compare how a normal program and an anomalous program are laid out,
  ex: normal values of name = text, data, rsrc
  ex: when UPX compresses the file, the values of name become UPX0, UPX1, UPX2
  ex: if virtual size (size in memory) > raw size (size on disk), the file has probably been changed by compression (in the general situation, both are the same)
entry point: identifies packing
  ps: how to detect packing: find the count of entry points in this file
Obfuscation: code scrambling
imported libraries: which APIs are called
imported symbols: which symbols are called,
  blacklisted means ones that viruses often call,
  anti-debug means functions that viruses often use against anti-virus; if there are too many, the file is very anomalous
  deprecated means the function is about to reach its end of life
strings: like Process Explorer
  blacklist: same as above
debug: look at “file name”; it is the original path of the source file at compile time
version: file description, like the details in Windows file properties
ps:
Color indicates risk level
ps:
If an EXE uses low-level APIs, this tool will very likely display it as high risk
ex: ipconfig uses low-level APIs, so it is considered high risk
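
An added example (not part of the original notes, and not PEstudio's code): a Python script that walks the layout listed at the top of these notes (DOS header, PE header, optional header, section table) and applies the two "sections" checks described above. The sample headers are constructed inside the script, and all function names are hypothetical.

```python
import struct

def build_sample_pe(sections):
    """Build a minimal PE32 header blob (constructed sample, not a real binary)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)  # 64 bytes, last 4 = PE header offset
    stub = b"\x00" * (0x80 - len(dos))                    # stand-in for the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    pe = b"PE\x00\x00" + coff                             # 24 bytes: 50 45 00 00 + COFF fields
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222        # 224-byte optional header (PE32)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, 0)
                     for name, vsize, rsize in sections)
    return dos + stub + pe + opt + table

def parse_sections(data):
    """Follow DOS header -> PE header -> section table; return (name, virtual, raw) tuples."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("no MZ (4D 5A) signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\x00\x00" or pe_off + 24 > len(data):
        raise ValueError("no PE (50 45 00 00) signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size                        # section table follows optional header
    if table + nsec * 40 > len(data):
        raise ValueError("section table truncated")
    out = []
    for i in range(nsec):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, table + i * 40)
        out.append((name.rstrip(b"\x00").decode("latin-1"), vsize, rsize))
    return out

def flag_sections(sections):
    """Apply the two section heuristics from the notes."""
    findings = []
    for name, vsize, rsize in sections:
        if name.upper().startswith("UPX"):
            findings.append((name, "UPX section name"))
        if vsize > rsize:
            findings.append((name, "virtual size > raw size"))
    return findings

# Constructed section lists: (name, virtual size, raw size)
NORMAL = [(b".text", 0x1000, 0x1000), (b".data", 0x200, 0x200), (b".rsrc", 0x400, 0x400)]
PACKED = [(b"UPX0", 0x8000, 0), (b"UPX1", 0x3000, 0x2E00), (b".rsrc", 0x400, 0x400)]

if __name__ == "__main__":
    for label, secs in (("normal", NORMAL), ("packed", PACKED)):
        parsed = parse_sections(build_sample_pe(secs))
        print(label, parsed, flag_sections(parsed))
```

Sections that hold uninitialized data legitimately have a virtual size above their raw size, so treat that flag as a lead rather than a verdict.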


tool:preiscople 

Output is in text
You can view the imported DLLs
ex:
presicople.exe

tool: Resource Hacker
Good for analyzing GUI software
Functions include the following:
text: some messages in this file
cursor: mouse icon
dialog: operation interface

…………………………………………………………………………………………………………………….

Common dynamic analysis tools:
OllyDbg: a 32-bit assembler level analysing debugger (http://www.ollydbg.de/)
Process Monitor
Sandbox tools: the risk is that the file becomes open to the whole world
String search tools
…omit… 

String search tools
BinText: reads a dump file and outputs text
strings.exe: Sysinternals tool, reads a dump file and outputs text

Sandbox tools
Online Sandbox
ex:
https://www.virustotal.com/zh-tw/
https://anubis.iseclab.org/
https://malwr.com/
Offline Sandbox
Cuckoo Sandbox
Buster Sandbox Analyzer
..omit…

… 

tool: Process Monitor

Observing all processes
1. Pause by disabling capture
2. Observe all processes

Observing one process
1. Configure filter: process name is “process”
2. Run the particular process
3. Observe the particular process
ex:
1. Configure filter: process name is “notepad.exe”
2. Run notepad.exe
3. Observe the activity of notepad

Finding which process connects to a specific IP
1. Configure filter: path contains <ip>, include
2. Observe which process is using that IP

Observation recommendations:
1. Look at RegSetValue by searching for “regsetvalue”
(RegSetValue writes something to the registry. Why look at it? Because that is dangerous.)
2. Look at WriteFile by searching for “writefile”, then include WriteFile so that only WriteFile is shown
3. Look at network activity to understand this EXE's connections (look only at TCP and UDP)