Malware Analysis
Last updated
Open the file in BinText.
Make sure that the advanced option is set.
Click on Go.
Tool to detect common packers, cryptors and compilers for PE executable files
Attackers often use packing or obfuscation, typically by running a packer, to compress, encrypt, or otherwise modify a malware executable so that it evades detection.
Obfuscation also hides how the program executes.
When a user runs a packed program, a small wrapper (stub) first decompresses the packed file and then runs the unpacked code.
This complicates the reverse engineer's task of determining the actual program logic and other metadata through static analysis.
The best approach is to first determine whether the file contains packed elements and then identify the tool or method used to pack it.
PEiD is a free tool that provides details about Windows executable files.
It can identify signatures associated with over 600 different packers and compilers.
The tool also displays the type of packer used to pack a program.
The Executable and Linkable Format (ELF) is the generic executable file format in Linux environments.
It contains three main components: the ELF header, sections, and segments.
Each component plays an independent role in the loading and execution of ELF executables.
The static analysis of an ELF file involves investigating an ELF executable file without running or installing it.
It also involves accessing the binary code and extracting valuable artifacts from the program.
Numerous tools can be used to perform static analysis on ELF files.
In this task, we will use the Detect It Easy (DIE) tool to analyze an ELF file.
Detect It Easy (DIE) is an application for determining the types of files.
Apart from Windows, DIE is also available for Linux and Mac OS.
It has a fully open signature architecture, so users can easily add their own detection algorithms or modify the existing signatures.
It detects a file's compiler, linker, packer, etc. using a signature-based detection method.
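The ELF header is the first thing DIE-style tools read. As an added example that is not part of these notes or of the DIE project, the Python script below decodes the header fields (class, endianness, type, machine, entry point, and the program and section header tables that correspond to segments and sections) from a constructed 64-byte ELF64 header, and flags a missing section header table, which is something strippers and packers commonly leave behind.

```python
import struct

# Constructed sample (not a real binary): a 64-byte ELF64 little-endian header
# for an x86-64 executable with one program header and no section header table.
SAMPLE_ELF64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
    "<HHIQQQIHHHHHH",
    2, 0x3E, 1,    # e_type ET_EXEC, e_machine x86-64, e_version
    0x401000,      # e_entry
    64, 0,         # e_phoff (table right after the header), e_shoff (none)
    0, 64,         # e_flags, e_ehsize
    56, 1,         # e_phentsize, e_phnum
    64, 0, 0,      # e_shentsize, e_shnum, e_shstrndx
)
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF header fields an analyst checks first during triage."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA byte")
    endian = "<" if ei_data == 1 else ">"
    # ELF64 widens e_entry, e_phoff and e_shoff to 8 bytes: 64-byte header, not 52
    fmt, size = (endian + "HHIQQQIHHHHHH", 64) if ei_class == 2 else (endian + "HHIIIIIHHHHHH", 52)
    if len(data) < size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     _, e_phnum, _, e_shnum, _) = struct.unpack(fmt, data[16:size])
    return {
        "class": "ELF64" if ei_class == 2 else "ELF32",
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown(0x{e_type:x})"),
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
        "entry": e_entry,
        "segments": e_phnum, "segment_table_offset": e_phoff,  # drives loading
        "sections": e_shnum, "section_table_offset": e_shoff,  # drives linking/analysis
    }


def triage_warnings(info: dict) -> list:
    """Header-level hints that a sample deserves a closer look."""
    warnings = []
    if info["sections"] == 0:
        # Section headers are not needed to run, so strippers and packers drop them
        warnings.append("no section header table: stripped or packed binary")
    return warnings
```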
The Portable Executable (PE) format is the executable file format used on Windows OSes that stores the information a Windows system requires to manage the executable code.
The PE stores metadata about the program, which helps in finding additional details of the file.
For instance, a Windows binary in PE format carries information such as the time of creation and modification, import and export functions, compilation time, DLLs and linked files, as well as strings, menus, and symbols.
PE Explorer lets you open, view, and edit a variety of 32-bit Windows executable file types (also called PE files), ranging from common ones such as EXE, DLL, and ActiveX Controls to less familiar types such as SCR (screensavers), CPL (Control Panel applets), SYS, MSSTYLES, BPL, DPL, and more (including executables that run on the MS Windows Mobile platform).
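As an added example that is not part of these notes or of any of the tools named here, the Python script below reads the PE metadata just described (target machine, compile timestamp, section table) from a constructed skeletal PE and applies two cheap packer checks from the packing discussion above: section names used by well-known packers and per-section Shannon entropy. The section name set and the 7.0 bits-per-byte threshold are the example's own heuristics, not values from the page.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (not a real binary): a skeletal PE with an empty optional
# header and two sections named like UPX output, followed by their raw data.
_UPX1_DATA = bytes(range(256))  # every byte value once -> entropy 8.0 bits/byte
_RSRC_DATA = b"\x00" * 64       # all zeros -> entropy 0.0
_RAW_OFF = 0x40 + 4 + 20 + 2 * 40  # DOS header, "PE\0\0", COFF header, 2 section headers
def _section(name, raw_size, raw_ptr):
    return struct.pack("<8sIIIIIIHHI", name, raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # DOS header; e_lfanew -> 0x40
    + b"PE\x00\x00"
    + struct.pack("<HHIIIHH", 0x8664, 2, 1600000000, 0, 0, 0, 0x22)  # COFF header
    + _section(b"UPX1", len(_UPX1_DATA), _RAW_OFF)
    + _section(b".rsrc", len(_RSRC_DATA), _RAW_OFF + len(_UPX1_DATA))
    + _UPX1_DATA + _RSRC_DATA
)
MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0xAA64: "ARM64"}
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1", ".themida"}

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table, flagging common packer indicators."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 24 + opt_size  # section table follows the optional header
    sections, indicators = [], []
    for i in range(nsec):
        name, _, _, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        ent = round(shannon_entropy(data[rptr:rptr + rsize]), 2)
        sections.append({"name": name, "raw_size": rsize, "entropy": ent})
        if name in PACKER_SECTION_NAMES:
            indicators.append(f"packer section name: {name}")
        if ent > 7.0:  # compressed or encrypted payloads approach 8 bits per byte
            indicators.append(f"high entropy section: {name} ({ent})")
    return {"machine": MACHINES.get(machine, hex(machine)),
            "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "sections": sections, "packer_indicators": indicators}
```

The same parser runs unchanged on a real PE read from disk; a compile timestamp far in the past or future is itself worth noting, since it is trivially forged.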
Any software program depends on the built-in libraries of the OS to perform specific actions on the system.
Programs need to work with internal system files to function correctly.
Programs store their import and export functions in a kernel32.dll file.
File dependencies contain information about the internal system files that the program needs to function properly; this includes the process of registration and location on the machine.
Find the libraries and file dependencies, as they contain information about the run-time requirements of an application.
Then locate and analyze these files to obtain information about the malware contained in the file.
File dependencies include linked libraries, functions, and function calls.
Check the list of dynamically linked libraries in the malware executable.
Enumerating all imported library functions allows an analyst to infer what the malware can do.
You should know the various DLLs used to load and run a program. Some of the standard DLLs are:
OllyDbg is a debugger that emphasizes binary code analysis, which is useful when source code is unavailable.
It traces registers, recognizes procedures, API calls, switches, tables, constants, and strings, and locates routines from object files and libraries.
There is a new debugging option, "Set permanent breakpoints on system calls."
When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue(), and NTDLL.NtQueryInformationProcess().
Ghidra is a software reverse engineering (SRE) framework that includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, MacOS, and Linux.
Its capabilities include disassembly, assembly, decompilation, debugging, emulation, graphing, and scripting.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Analysts can also develop their own Ghidra plug-in components and/or scripts using the exposed API.
In addition, there are numerous ways to extend Ghidra such as new processors, loaders/exporters, automated analyzers, and new visualizations.