    Introduction to Malware Analysis


    Static Malware Analysis

    Understanding PE File Basics in Malware Analysis


    The Portable Executable (PE) file format is a file format for executables, object code, DLLs, FON Font files, and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data.

    Understanding the PE file format is crucial in malware analysis as it provides valuable information about the potential malware, which can be used to determine its functionality and potential impact.

    Structure of PE Files

    A PE file consists of a number of headers and sections that tell the dynamic linker how to map the file into memory. The headers are at the beginning of the file, while the sections follow them. The headers provide a directory of the file's contents, specifying, among other things, the size and location of the sections.

    The sections contain the information necessary to create a process image, i.e., code, data, resources. Each section is defined by a section header that gives the name, size, and location of the section, among other things.

    Importance of PE Files in Malware Analysis

    Malware often comes in the form of PE files. By analyzing the PE file structure, an analyst can gain insights into what the file does and how it works. For instance, the Import Address Table (IAT), which is part of the PE file structure, can tell analysts which Windows API functions the malware imports. This can provide clues as to what the malware might be doing.

    Common Characteristics of Malicious PE Files

    Malicious PE files often have certain characteristics that can be used to identify them. These include:

    • Anomalies in the header: Malware authors often manipulate the PE header to create files that are difficult to analyze or that evade detection. For instance, they might set the size of the image in the PE header to a very large value to cause a buffer overflow.

    • Suspicious section names: The section names in a PE file are arbitrary and can be chosen by the programmer. Malware authors often use unusual section names to hide malicious code.

    • Large amounts of data in unexpected sections: Malware authors often hide data in sections where data is not usually found, such as the code (.text) section.

    • Unusual import functions: Malware often imports functions that are not typically used by legitimate software, such as functions for keylogging or network communication.
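    The header and section structure described above, and the anomaly checks listed here, as an added example that is not part of the course material: a minimal PE header parser using only the standard library, plus heuristics for an implausible SizeOfImage, non-standard section names, writable-and-executable sections and section data that runs past the end of the file. The `build_sample` helper constructs a tiny non-runnable PE32 image purely as test input; the section names, sizes and flags it uses are made up, and the KNOWN_SECTIONS list and the 4x SizeOfImage threshold are assumptions, not a standard.

```python
import struct

KNOWN_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".bss", ".tls"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return (SizeOfImage, list of section headers) from a PE32/PE32+ buffer."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # DOS header -> NT headers offset
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                          # 20-byte COFF file header
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):                                # 40-byte section headers follow
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": fields[0].rstrip(b"\0").decode("latin-1"), "vsize": fields[1],
                         "vaddr": fields[2], "rawsize": fields[3], "rawptr": fields[4],
                         "chars": fields[9]})
    return size_of_image, sections

def find_anomalies(data):
    """Apply the header and section heuristics from the text; returns a list of findings."""
    size_of_image, sections = parse_pe(data)
    findings = []
    extent = max((s["vaddr"] + s["vsize"] for s in sections), default=0)
    if size_of_image > 4 * max(extent, 0x1000):   # header claims far more memory than sections need
        findings.append(f"SizeOfImage 0x{size_of_image:x} far exceeds section extent 0x{extent:x}")
    for s in sections:
        if s["name"] not in KNOWN_SECTIONS:
            findings.append(f"unusual section name {s['name']!r}")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']!r} is writable and executable")
        if s["rawptr"] + s["rawsize"] > len(data):
            findings.append(f"section {s['name']!r} raw data runs past end of file")
    return findings

def build_sample(section_specs, size_of_image):
    """Construct a minimal, non-runnable PE32 image (constructed test input, not a real sample)."""
    opt = bytearray(224)                                         # PE32 optional header, zero-filled
    struct.pack_into("<I", opt, 56, size_of_image)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x0102)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt)
    headers_len, body = len(hdr) + 40 * len(section_specs), b""
    for name, vsize, vaddr, rawsize, chars in section_specs:   # (name, VirtualSize, RVA, raw size, flags)
        hdr += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                           rawsize, headers_len + len(body), 0, 0, 0, 0, chars)
        body += b"\x90" * rawsize
    return hdr + body
```

    Run `find_anomalies(open(path, "rb").read())` on a file to get the findings; an empty list means none of these heuristics fired, not that the file is clean.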

    By understanding the basics of PE files, you can start to analyze potential malware more effectively, identifying suspicious characteristics and behaviors. This knowledge forms a crucial foundation for the rest of your malware analysis journey.
