Malware Analysis – Analyzing The PE Header

Analyzing The PE Header

  • The PE header contains the information the OS requires to load and run the executable.
  • In static analysis, we look for information about the executable that gives us a glimpse of its functionality and origin.


What information are we interested in?

  1. Compiler Stamp – When and where the malware was compiled.
  2. Subsystem – Which subsystem does the executable use?
  3. Sections – Is the executable packed, and do any sections have inconsistent permissions?
  4. Libraries & Imports – Which libraries and imports are used, and what do they tell us about the functionality of the malware?
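The first three items can be read straight out of the COFF and optional headers. The following parser is an added example, not code from the original post or from PeStudio: it walks a raw PE32 image with the standard library only, extracts the compile timestamp, the subsystem and the section table, and flags the two section-table red flags named above (writable-and-executable sections, and sections that are empty on disk but large in memory). The input is a constructed minimal PE image, including a packer-style section named UPX1, not a real binary.

```python
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section flag bits from the PE/COFF spec
IMAGE_SCN_MEM_WRITE = 0x80000000
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}

def parse_pe_header(data):
    """Pull compile timestamp, subsystem and the section table out of raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                          # optional header follows COFF header
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        name, vsize, _vaddr, rsize, _rptr, _, _, _, _, chars = hdr
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "writable": bool(chars & IMAGE_SCN_MEM_WRITE)})
    return {"compile_time": datetime.fromtimestamp(tstamp, tz=timezone.utc),
            "subsystem": SUBSYSTEMS.get(subsystem, f"UNKNOWN({subsystem})"),
            "sections": sections}

def packing_indicators(info):
    """The two section-table red flags named in the post: inconsistent (W+X)
    permissions, and a section that is empty on disk but large in memory."""
    findings = []
    for s in info["sections"]:
        if s["executable"] and s["writable"]:
            findings.append(f"{s['name']}: writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: 0 bytes on disk, {s['virtual_size']:#x} in memory")
    return findings

def build_sample():
    """Constructed minimal PE32 image (not a real binary): .text plus a packer-style UPX1 section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1609459200, 0, 0, 224, 0x0102)
    opt = bytearray(224); opt[0:2] = struct.pack("<H", 0x10B); opt[68:70] = struct.pack("<H", 2)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x5000, 0x2000, 0, 0, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + upx1
```

Running `packing_indicators(parse_pe_header(build_sample()))` reports the UPX1 section twice, once for its W+X permissions and once for having no data on disk, which is exactly the pattern a packer's unpacking stub produces; the .text section with read/execute only raises nothing.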

Tools We Will Be Using

  • Pestudio – The most efficient tool for static analysis.