Basic Techniques
Static Analysis
Antivirus Scanning
Running the sample through multiple antivirus engines, some of which may already have identified the malware, although they are not perfect
They rely on identifiable pieces of suspicious code (file signatures) and on behavior/pattern-matching analysis (heuristics)
VirusTotal is a great help here as it runs the malware through multiple antivirus engines at once
Hashing: Fingerprinting malware
Hashing is a common method where you run the malware through a hashing program
They use algorithms such as MD5 or SHA-1 to produce a unique hash (fingerprint) of the file
The hash can then be used as a label, or shared with other analysts to identify the malware or to check whether it has already been identified
Finding Strings
Strings are a great way to find readable text inside the malware
Strings are stored in ASCII or Unicode format
Both store characters in sequence, ending with a NULL terminator to indicate that the string is complete
ASCII uses 1 byte per character while Unicode uses 2 bytes per character
Sometimes, if the strings program finds a sequence of printable characters ending with a null terminator, it will report it as a string even though it is really just a CPU instruction or a memory address (a false positive)
Packed and Obfuscated Malware
Obfuscated malware is malware whose execution is hidden from analysis
Packed malware is a subset of obfuscated malware where the program is compressed, making it harder to analyze
When a packed program is run, a small wrapper program decompresses the packed program and then executes the unpacked program
When a packed program is analyzed statically, only the wrapper program can be dissected
Packers can be detected using software such as PEiD
A packed program must be unpacked before we can analyze it
Portable Executable File Format
The PE format is used by Windows executables, object code and DLLs
It contains the information the Windows OS loader needs to manage the wrapped executable code
PE files begin with a header that includes information about the code, the type of application, the required library functions and the space requirements
Linked Library and Functions
Imports are functions used by the program but stored in another program, such as code libraries that contain common functionality; they are connected to the program by linking
Code libraries can be linked statically, at runtime or dynamically
Static linking is not used often in Windows programs, although it is common in UNIX programs
When code is statically linked, all the code from the library is copied into our main executable, making it grow in size, which makes analyzing the code harder
Runtime linking is commonly used in malware, especially when it is obfuscated or packed
Some linked functions can be imported without being listed in the program headers, using LoadLibrary, LdrGetProcAddress, LdrLoadDll and GetProcAddress
Dynamic linking is the most common method of linking, where the OS searches for all necessary linked libraries when the program is loaded
The libraries used and the functions called are very important for us to understand what the program does
Functions can also be imported by ordinal, making it harder for us to analyze
Below are some common DLLs
Ex is a suffix used when the function has been updated by Microsoft
A and W appearing at the end are extra information about the suffix which doesn't appear in the actual documentation; they are just there to tell us that the function accepts ASCII string and word respectively
Like imports, there are also exports, which are functions exported by programs so that other programs can import and utilize them; these are most common in DLLs
PE File Headers and Sections
.text contains the instruction code that the CPU will execute
.rdata contains information about imports and exports, and stores read-only data
.data contains global data accessible from anywhere in the program
.idata stores data about imported functions, usually not present (merged into .rdata)
.edata stores data about exported functions, usually not present (merged into .rdata)
.pdata is present only in 64-bit applications and stores exception-handling information
.rsrc contains other data such as icons, images, menus and strings
.reloc contains information about relocation of library files
Some Tips and Trivia
All Delphi programs use compile time of June 19, 1992
Virtual size (the space allocated for the section when loaded into memory) and raw data size (how big the section is on disk) should be roughly equal (small differences are fine); if they differ greatly, that is a sign of a packed program
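As an added example (not from the original notes), the following Python parser walks the PE section table described above and applies the virtual-size versus raw-size check from the tip, also reading the header timestamp so the Delphi compile time can be spotted. The two PE images it inspects are constructed in memory for the demo (header only, no optional header or section data); the one-page tolerance and the section names used are assumptions of the example.

```python
import struct
from datetime import datetime, timezone

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes
PAGE = 0x1000                     # assumed tolerance: one page of difference is "small"

def parse_pe(data):
    """Return (compile_time_utc, list of section dicts) for a raw PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    timestamp = struct.unpack_from("<I", data, pe_off + 8)[0]  # TimeDateStamp (compile time)
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, rsize = f[1], f[3]                              # VirtualSize, SizeOfRawData
        # A section that is much larger in memory than on disk is filled in at runtime: packer behaviour
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rsize,
                         "suspicious": vsize > rsize + PAGE})
    return datetime.fromtimestamp(timestamp, tz=timezone.utc), sections

def likely_packed(sections):
    return any(s["suspicious"] for s in sections)

def build_sample(sections, timestamp):
    """Constructed minimal PE header (no optional header, no section data) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 0, 0)
    table = b"".join(struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize,
                                 0x1000 * (i + 1), rsize, 0, 0, 0, 0, 0, 0)
                     for i, (name, vsize, rsize) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table

DELPHI_STAMP = 0x2A425E19   # constructed: the fixed June 19, 1992 timestamp mentioned in the notes
NORMAL = build_sample([(b".text", 0x3F80, 0x4000), (b".rdata", 0x1200, 0x1200),
                       (b".data", 0x800, 0x600)], DELPHI_STAMP)
PACKED = build_sample([(b"UPX0", 0x20000, 0), (b"UPX1", 0x9000, 0x8E00),
                       (b".rsrc", 0x400, 0x400)], DELPHI_STAMP)

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL), ("packed", PACKED)):
        when, secs = parse_pe(blob)
        print(label, "compiled", when.date(), "packed?", likely_packed(secs))
        for s in secs:
            print("  %-8s vsize=%#x raw=%#x%s" % (s["name"], s["virtual_size"], s["raw_size"],
                                                 "  <-- mismatch" if s["suspicious"] else ""))
```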