Malware Analysis Basics - Static Analysis for Beginners


This tutorial covers the fundamentals of malware analysis through basic static analysis: examining file properties and metadata, running the strings and FLOSS tools, understanding the PE file format and its sections, and reading imports and resources. It explains how ASCII, UTF-16, and stack strings reveal a program's functionality, and how packing and runtime linking are used to hide it.

  • Malware Analysis
  • Static Analysis
  • PE File Format
  • Strings Analysis
  • FLOSS

Uploaded on Mar 07, 2025


Presentation Transcript


  1. CMSC 491/691 Malware Analysis: Basic Static Analysis

  2. Topics
     • Strings
     • PE File Metadata
     • Packing

  3. Static Analysis
     • Learning properties of a file without running it
     • For now, just doing basic static analysis: analyzing file properties / metadata
     • Will do advanced static analysis later: analyzing disassembled code

  4. Strings
     • Sequences of printable characters in a file
     • Running strings on a file is usually the first step of analysis
     • Gives hints about the functionality of the program
     • Example: strings -n 8 [file path] | more
       Gets all strings of length >= 8 from the file and pipes the output to more

  5. FLOSS
     • Like strings but more powerful
     • Extracts: ASCII strings, UTF-16 strings, stack strings, some encoded strings
     • Example: floss -n 8 --no-decoded-strings [file path]

  6. Strings and FLOSS Demo: Lab01-01.exe

  7. PE File Format
     • File format for Windows executables
     • Includes EXE, DLL, SYS, and other file types
     • Describes how the executable file is loaded into memory
     • Contains lots of metadata that is useful to malware analysts!

  8. The IMAGE_FILE_HEADER
     • Contains basic file information: NumberOfSections, TimeDateStamp, Characteristics

  9. The IMAGE_OPTIONAL_HEADER
     • Not actually optional
     • Contains lots of important metadata:
       AddressOfEntryPoint
       Sizes of the various parts of the file that get loaded into memory
       Minimum versions of operating system, linker, image, subsystem

  10. The Section Table
     • Each section corresponds to a contiguous area of memory in a process
     • The section table contains an array of IMAGE_SECTION_HEADERs

  11. IMAGE_SECTION_HEADERs
     • Each contains that section's: Name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics

  12. Common PE Sections
     Section name   Contents
     .text          Executable code
     .data          Initialized data
     .idata         Import Address Table
     .rsrc          Resource Directory Table
     .rdata         Read-only initialized data
     • Many other common section names exist
     • Unusual section names are a malicious indicator

  13. PE File Format Demo

  14. Imports
     • The Import Address Table lists which functions a file imports from the Windows API
     • Windows API functions are defined in DLL files
     • Imports give info about what actions a file can perform
     • Commonly the second step in basic static analysis, after strings

  15. Resources
     • Additional data/files contained within a PE file
     • In legitimate files, often icons, application manifest, etc.
     • Malware often hides things in resources!

  16. Resources and Imports Demo: Lab03-03.exe

  17. Packers
     • Malware authors want to make it difficult for you to perform static analysis on their malware
     • Use packers to hide: executable code, strings, imports

  18. How Packers Work
     • Compress the original program and add an unpacker stub
     • When the packed executable is run, the stub unpacks the compressed program into memory and runs it

  19. Indicators that a File is Packed
     • File / section entropy > 7
     • Few readable strings
     • Unusual section names
     • Imports resolved using runtime linking
     • Sections with unusual raw / virtual sizes
     • PEiD, DIE, VirusTotal are decent at detecting packers
       Expect false positives for some packers though

  20. Entropy
     • A byte has 2^8 (256) possible values, so a truly random sequence of bytes has an entropy of 8
     • Executable code usually has an entropy around 4-6
     • Obfuscated / encrypted data usually has an entropy over 7, often near 8
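As an added example (not from the slides), the Python below walks the section table described on slides 10-12 with nothing but struct, then applies three of the packing indicators from slides 19-20 (per-section entropy, unusual section name, virtual size far larger than raw size). The PE it runs on is a constructed minimal PE32 image built by build_sample_pe, not a real binary; COMMON_SECTIONS is this checker's own allow-list.

```python
import math
import struct
from collections import Counter

COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss"}  # slide 12 plus a few more

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for constant data, 8 for uniformly distributed bytes (slide 20)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes) -> list:
    """DOS header -> e_lfanew -> IMAGE_FILE_HEADER -> section table; returns (name, vsize, va, rawsize, rawptr)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[:2] == b"MZ" and pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    _, n_sec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size                  # first IMAGE_SECTION_HEADER, 40 bytes each
    hdrs = (struct.unpack_from("<8sIIII", pe, table + 40 * i) for i in range(n_sec))
    return [(n.rstrip(b"\0").decode("latin-1"), vs, va, rs, rp) for n, vs, va, rs, rp in hdrs]

def packing_indicators(pe: bytes) -> list:
    """Apply the per-section heuristics from slide 19; returns human-readable findings."""
    findings = []
    for name, vsize, _, rsize, rptr in parse_sections(pe):
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        if ent > 7:
            findings.append(f"{name}: entropy {ent:.2f} > 7")
        if name not in COMMON_SECTIONS:
            findings.append(f"{name}: unusual section name")
        if vsize > 2 * rsize:                         # room reserved for code that exists only after unpacking
            findings.append(f"{name}: virtual size far exceeds raw size")
    return findings

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 image (hypothetical test input, not a real binary)."""
    e_lfanew, va = 0x40, 0x1000
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)    # PE32 magic, remaining fields zeroed
    offset, table, raw = e_lfanew + 24 + len(opt) + 40 * len(sections), b"", b""
    for name, data, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, len(data), offset,
                             0, 0, 0, 0, 0x60000020)
        raw, offset, va = raw + data, offset + len(data), va + max(vsize, 0x1000)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + file_hdr + opt + table + raw

SAMPLE_PE = build_sample_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x10" * 64, 0x180),   # ordinary code: low entropy, sane sizes
    ("UPX1", bytes(range(256)) * 16, 0x20000),           # dense blob, odd name, oversized virtual size
])
```

Run packing_indicators(SAMPLE_PE) and only the second section is reported, on all three counts; the ordinary .text section produces no finding.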

  21. Runtime Linking
     • Malware authors don't want you to be able to easily analyze a program's imports
     • Can hide a file's imports until it is run by using runtime linking
     • Resolves imports as the file runs
     • Can import functions that are not listed in the IAT

  22. How Runtime Linking Works
     • LoadLibrary: gets a handle (like a pointer) to any DLL file on the system
     • GetProcAddress: gets the address of any function in a DLL
     • Together, they allow a program to import a function from any DLL

  23. Packing Indicators Demo: Lab01-02.exe, Lab01-03.exe
