{"id":619,"date":"2017-05-10T14:36:00","date_gmt":"2017-05-10T06:36:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=619"},"modified":"2023-11-04T14:48:30","modified_gmt":"2023-11-04T06:48:30","slug":"win-pe-analysis","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/619","title":{"rendered":"Win PE Analysis"},"content":{"rendered":"\n

PE(protable executable)<\/strong>
4D5A is PE signature
refer
https:\/\/en.wikipedia.org\/wiki\/Portable_Executable#\/media\/File:Portable_Executable_32_bit_Structure_in_SVG.svg<\/p>\n\n\n\n

PE file consists<\/strong>
header:
DOS header:64byte,starts with magic number 4D 5A 50 00,last 4 bytes is the location of PE header
DOS stub:
PE header: 24byte, starts with magic number 50 45 00 00
optional header:224 byte 
information:96byte
data directory:128byte
sections:
code
imports
data <\/p>\n\n\n\n

PE file analysis<\/strong>
static analysis: collecting information without launching the executable file
dynamic analysis collecting information by launching the executable file<\/p>\n\n\n\n


Static analysis process:<\/strong>
1. scan by anti-virus
2. search for string , ex: tool like process explorer or pestudio
3. analyze PE header
4. analyze import tables: list who is included, exe usually include dll
5. analyze export tables: list who include me, dll usually is included by exe<\/p>\n\n\n\n

Dynamic analysis process:<\/strong>
1.create test environment
2.colleting information using tool
3.process of testing the malware<\/p>\n\n\n\n

ps:
virus writer always observe their virus whether found in VT(VirusTotal), because VT have many virus sample
ps:
VT have most file sample database. if anomaly file hash is not in VT, it is anomaly.<\/p>\n\n\n\n


ps:
Analysis by ssdeep<\/strong>
\u8a08\u7b97fuzzy hashes\/piecewise hashes,\u7528\u4f86\u627e\u76f8\u4f3c\u7684\u6a94\u6848, \u53ef\u88ab\u7528\u4f86\u627e\u76f8\u4f3c\u7d50\u69cb\u7684\u60e1\u610f\u7a0b\u5f0f
ex:
ssdeep.exe -b bar.exe > fuzzy_hash.txt
ssdeep.exe -bm fuzzy_hash.txt foo.exe
refer
http:\/\/ssdeep.sourceforge.net\/<\/p>\n\n\n\n


……………………………………………………………………………………………………………………….<\/p>\n\n\n\n

Common static analysis tool:<\/strong>
IDA Pro: disassembler and debugger tool(https:\/\/www.hex-rays.com)
PEstudio
preiscople.exe
resoucehacker
…omit… <\/p>\n\n\n\n


tool:PEstudio<\/strong>
function include below
indicators<\/strong>: build-in rule for file behavior, if severity=1 is too much, that mean it is anomaly.
virustotal<\/strong>: integrity VT, only submit hash, dont submit file
file header<\/strong>: exe header
sections<\/strong>: compare normal and anomaly program design,
ex: \u6b63\u5e38\u7684value of name = text,data ,rsrc
ex: when upx compress this file, value of name become UPX0, UPX1, UPX2
ex: if virtual size(size in memory) > raw size(size on disk) mean the file should be changed by compression (in general situcation, both are same)
entry point: identify packing(\u52a0\u6bbc)
ps: how to know packing: find count of entry point in this file
Obfuscation: \u6df7\u78bc
imported libraried<\/strong>: which api is call
imported symbols<\/strong>: which symbol is call,
blacklisted is that virus often call,
anti-debug is a function that virus offten anti-virus, if it is too much, it is very anomacious
deprecated mean the fuction is ready end
strings<\/strong>: it is like process exploerer
blacklist : is like above
debug<\/strong>: look “file name”, it is source file ogrinally path of compile
version<\/strong>: file description, like detail of windows prepority
ps:
color mean risk level
ps:
\u82e5exe\u7528\u5e95\u5c64api\uff0c\u6b64\u5de5\u5177\u6709\u5f88\u5927\u7684\u6a5f\u6703\u6703\u5c07\u6b64\u986f\u793a\u9ad8\u98a8\u96aa
ex: ipconfig\u6703\u4f7f\u7528\u5e95\u5c64api,\u6240\u4ee5\u6703\u88ab\u8a8d\u70ba\u662f\u9ad8\u98a8\u96aa<\/p>\n\n\n\n


tool:preiscople <\/strong>
output in text
you can look imported DLL
ex:
presicople.exe<\/p>\n\n\n\n

tool:resoucehacker<\/strong>
it is good to analysis GUI software
function include below:
text: some message in this file
cursor: mouse icon
dialog: operation interface<\/p>\n\n\n\n

…………………………………………………………………………………………………………………….<\/p>\n\n\n\n

Common dynamic analysis tool:<\/strong>
OllyDbg:a 32-bit assembler level analysing debugger(http:\/\/www.ollydbg.de\/)
process monitor
snadbox tool: risk is that file is open to all world
Search for strings tool
…omit… <\/p>\n\n\n\n

Search for strings tool<\/strong>
binText: read dump fileand output in text
strings.exe: sysinternals tool, read dump file and output in text<\/p>\n\n\n\n

Sandbox tool<\/strong>
Online Sandbox
ex:
https:\/\/www.virustotal.com\/zh-tw\/
https:\/\/anubis.iseclab.org\/
https:\/\/malwr.com\/
Offline Sandbox
cuckoosandbox
Buster Sandbox Analyzer
..omit…<\/p>\n\n\n\n

… <\/p>\n\n\n\n

tool: process monitor<\/strong><\/p>\n\n\n\n

Observation all process<\/strong>
1. pause by disable capture
2. observe all process<\/p>\n\n\n\n

Observation one process<\/strong>
1:configure filter: process name is “process”
2:run particular process
3: observe the particular process
ex:
1.configure filter: process name is “notepad.exe”
2.run notepad.exe
3.observe activity of notepad<\/p>\n\n\n\n

Finding which process connect to specific IP<\/strong>
1:configure filter: path contains < ip > , include
2:observe the particular IP using which process<\/p>\n\n\n\n

Obsevation recommendation:
1.look regsetvalue by find “regsetvalue”
(regsetvalue write something to regrity, why? because that is dagerous)
2.looke writefile by find “writefile”, then include writefile to only look writefile
3.look network to understand this exe connection ( only look tcp,udp)<\/p>\n","protected":false},"excerpt":{"rendered":"

PE(protable executable)4D5A is …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[18],"tags":[],"class_list":["post-619","post","type-post","status-publish","format-standard","hentry","category-windows"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/619","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=619"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/619\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=619"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=619"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=619"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}