Part 1-1: Basic Static Techniques

Table of Contents

  • Antivirus Scanning: A Useful First Step
  • Hashing: A Fingerprint for Malware
  • Finding Strings
  • Packed and Obfuscated Malware
    • Packing Files
    • Detecting Packers with PEiD
  • Portable Executable File Format
  • Linked Libraries and Functions
    • Static, Runtime, and Dynamic
    • Exploring Dynamically Linked Functions with Dependency Walker
    • Imported Functions
    • Exported Functions
  • Static Analysis in Practice
    • PotentialKeylogger.exe
    • PackedProgram.exe
  • The PE File Headers and Sections
    • Examining PE Files with PEview
    • Viewing the Resource Section with Resource Hacker
    • Using Other PE File Tools
    • PE Header Summary
  • Software Linked In This Chapter
  • Appendices to look out for in the book
    • A: List of useful functions
    • B: List of useful programs

*************************************************************************************

  • Antivirus Scanning: A Useful First Step
    • Antivirus programs rely on signatures from previously known malware and behavioral and pattern-matching analysis (heuristics) to identify suspicious files

 

  • Hashing: A Fingerprint for Malware
    • Run the file through a hashing program; each program produces a unique hash (fingerprint)
    • This hash can then be used to identify an executable without running it.  If the hash matches that of known malware, the file is suspicious
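As an added example (not from the book or these notes), the following Python script does what the hashing step describes: it computes the MD5, SHA-1 and SHA-256 of a sample in a single pass over the file and checks the SHA-256 against a known-bad set. The known-bad set and the sample input `b"abc"` are constructed for the example; the set contains the SHA-256 of those three bytes, not the hash of any real malware.

```python
import hashlib
import io

# Constructed known-bad list, as an analyst might keep in a local triage
# database.  The single entry is the SHA-256 of the constructed sample
# bytes b"abc" used below; it is not the hash of any real malware.
KNOWN_BAD_SHA256 = {
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

def fingerprint(data, chunk_size=64 * 1024):
    """Return the MD5, SHA-1 and SHA-256 hex digests of `data` in one pass.

    `data` is either a bytes object or a binary file object.  Files are read
    in chunks so a large sample never has to be loaded into memory at once.
    """
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    if isinstance(data, (bytes, bytearray)):
        chunks = [bytes(data)]
    else:
        chunks = iter(lambda: data.read(chunk_size), b"")
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def is_known_malware(digests, known=KNOWN_BAD_SHA256):
    """True when the sample's SHA-256 appears in the known-bad set.

    The comparison is case-insensitive because published hash lists use
    both upper- and lower-case hex.
    """
    return digests["sha256"].lower() in {h.lower() for h in known}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            digests = fingerprint(f)
    else:
        digests = fingerprint(io.BytesIO(b"abc"))  # constructed sample input
    for name, value in digests.items():
        print(f"{name:7}{value}")
    print("known malware" if is_known_malware(digests) else "no match in known-bad list")
```

Run it with a file path to fingerprint a real sample; with no argument it hashes the constructed input. All three digests are computed at once because different sources publish different hash types and you rarely want to read a large sample three times.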

 

  • Finding Strings
    • Microsoft's implementation of Unicode strings differs from the Unicode standard; for the rest of these notes any mention of Unicode strings refers to the Microsoft implementation
    • NULL terminated strings
      • ASCII uses 1 byte per character
      • Unicode uses 2 bytes per character
    • Screenshot from 2017-06-25 01-07-37: these are hex values
    • Screenshot from 2017-06-25 01-09-35
    • String searches look for the NULL terminator and print the bytes preceding it as a string
      • This does not always produce legitimate strings
    • If a piece of malware uses strings, they can shed light on what is imported or on any error messages that might be shown
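The following string extractor is an added example, not code from the book or these notes. It scans a buffer for both kinds of string described above: ASCII (1 byte per character) and Microsoft Unicode (2 bytes per character, a printable byte followed by 0x00). The sample buffer is constructed for the example and deliberately mixes real strings with padding bytes, to show why a string search does not always produce legitimate strings.

```python
import re

# Constructed sample buffer standing in for a slice of an executable.  It
# mixes real-looking strings with bytes that a string search will report
# even though they were never meant as text.
SAMPLE = (
    b"MZ\x90\x00"                                           # "MZ" is only 2 printable bytes: too short
    + b"GetProcAddress\x00"                                 # ASCII string, NULL terminated
    + b"\xde\xad\xbe\xef"                                   # raw bytes
    + "C:\\malware.exe".encode("utf-16-le") + b"\x00\x00"   # Microsoft Unicode (UTF-16LE), NULL terminated
    + b"\xff" + b"AAAAAAAA" + b"\xff"                       # padding that looks like a string
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

def find_strings(data, min_len=4):
    """Return (offset, kind, text) for every printable run in `data`.

    ascii:   >= min_len consecutive bytes in 0x20..0x7E (1 byte per char)
    unicode: >= min_len pairs of a printable byte followed by 0x00, which is
             how Microsoft's 2-byte Unicode strings encode English text
    Like the strings tool, the scan does not insist on a NULL terminator, so
    padding or instruction bytes that happen to be printable are reported too.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "unicode", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)

def drop_noise(strings):
    """Filter out runs of one repeated character (padding, fill bytes)."""
    return [s for s in strings if len(set(s[2])) > 1]

if __name__ == "__main__":
    for offset, kind, text in drop_noise(find_strings(SAMPLE)):
        print(f"{offset:#08x} {kind:8} {text}")
```

On the constructed buffer the scan reports the API name, the Unicode path and the registry key, and also the run of `A` bytes; `drop_noise` removes that last one. Raising `min_len` is the other usual way to cut down false positives, at the cost of missing short but meaningful strings.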

 

  • Packed and Obfuscated Malware
    • Obfuscated programs: execution is hidden
    • Packed programs: a subset of obfuscated programs in which the program is compressed and cannot be analyzed
    • Packed/obfuscated programs often include at least the functions LoadLibrary and GetProcAddress
      • These are used to load and gain access to further functions
    • Packing Files
      • Screenshot from 2017-06-25 01-17-29.png
      • The wrapper program is used to decompress and then run the unpacked file
    • Detecting Packers with PEiD
      • PEiD can be used to detect the type of packer or compiler used
      • Screenshot from 2017-06-25 01-22-47
        • The circled part shows UPX as the packer
        • Many PEiD plugins automatically run the program, so set up a safe environment before using them

 

  • Portable Executable File Format
    • The Portable Executable (PE) format is used by Windows executables, object code, and DLLs
    • PE files have a header that contains information about the code, the type of application, the required library functions, and space requirements

 

  • Linked Libraries and Functions
    • Code libraries can be connected to the main executable by linking
    • Linking imports is done so library functions can be used
    • #Static, Runtime, and Dynamic Linking
      • #Static Linking: Common in UNIX and Linux programs.  Least commonly used in malware/Windows.
        • All linked code is copied into the executable, which makes it much larger than needed when only a few library functions are actually used
      • #Runtime Linking: Commonly used in malware, especially when packed or obfuscated
        • Connects to libraries only when a function is needed, not at the start of the program; dynamically linked programs do so at the start
        • The following Windows functions allow programmers to import linked functions not listed in a program’s file header
          • LoadLibrary, GetProcAddress most common
            • Allow access to any function in any library on the system, so static analysis of which functions are imported will fail
          • LdrGetProcAddress, LdrLoadDll
      • #Dynamic Linking: The most common
        • When dynamically linked, the host OS searches for the necessary libraries when the program is loaded
        • When the program calls the linked library function, that function executes WITHIN the library (?)
      • The PE file header stores information about every library loaded and every function used, shedding light on what the program may do
    • #Exploring Dynamically Linked Functions with Dependency Walker
      • Dependency Walker: http://www.dependencywalker.com/
      • Lists only dynamically linked functions in an executable
      • Screenshot from 2017-06-25 01-55-48
        • 1:  Name of executable analyzed
        • 2: Shows program and DLLs imported
        • 3: Lists imported functions from the selected DLL
        • 4: Lists all functions that can be imported from the selected DLL
          • Ordinal column: instead of importing by function name, functions can be imported by ordinal, so the name of the function never appears in the original executable
        • 5, 6: Show any additional DLLs that would be imported if the program were run, and any errors
      • Common DLLs ***
        • Kernel32.dll: Core functionality such as memory, file, and hardware manipulation
        • Advapi32.dll: Access to advanced core Windows components such as Service Manager and Registry
        • User32.dll: Contains user interface components
        • Gdi32.dll: Contains functions for displaying/manipulating graphics
        • Ntdll.dll: Interface to the Windows kernel.  Often indirectly imported via Kernel32.dll.  If it is explicitly imported, unusual functionality such as manipulating processes will use this DLL.
        • WSock32.dll and Ws2_32.dll: Networking DLLs often used to connect to the internet
        • Wininet.dll: Contains higher-level networking functions that implement various protocols such as FTP, HTTP, and NTP
    • #Imported Functions
      • PE file header includes information about imports as well
      • Refer to the Windows API for more information (MSDN)
    • #Exported Functions
      • DLLs and EXEs can export functions to interact with other programs and code
      • DLLs implement functions and export them for use by an executable that imports and uses them
      • EXEs are not designed to export functions, so an EXE that exports functions is suspicious
      • In order to run a program as a service you must define a “ServiceMain” function
        • If this is seen, the malware is meant to be run as a service

 

  • Static Analysis in Practice
    • #PotentialKeylogger.exe: An Unpacked Executable
      • Screenshot from 2017-06-25 02-20-20.png
        • List of imported functions from various DLLs
        • Because so many imports are shown in Dependency Walker, it can be concluded that the executable is NOT packed
      • Kernel32.dll: Functions such as OpenProcess, GetCurrentProcess, and GetProcessHeap imply that the program will manipulate processes; ReadFile and CreateFile imply file manipulation
      • User32.dll: Functions such as ShowWindow imply that the program has a GUI.  SetWindowsHookEx is often used by keyloggers to grab keystrokes.  RegisterHotKey notifies another program when a key combination is pressed.
      • GDI32.dll: Graphics-related DLL
      • Advapi32.dll: Uses the registry in some way.  The string “Software\Microsoft\Windows\CurrentVersion\Run” implies that the program is automatically started on boot
      • Shell32.dll: Implies that this program can launch other programs
    • #PackedProgram.exe: A Dead End
      • Screenshot from 2017-06-25 02-34-28.png
        • Functions imported by PackedProgram.exe viewed in Dependency Walker
      • So few functions are imported that the program is likely packed, and static analysis via function imports fails here
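The reasoning applied to PotentialKeylogger.exe and PackedProgram.exe above can be written down as a small rule set. The script below is an added example, not part of the book or these notes: it takes an import table in the shape Dependency Walker shows it (DLL name to function names), infers capabilities from the functions, and applies the "very few imports, but LoadLibrary/GetProcAddress present" packing heuristic. The two import tables, the string list and the capability table are all constructed for the example; they are modeled on the two samples discussed but are not the real import lists.

```python
# Constructed import tables in the shape Dependency Walker presents them
# (DLL name -> imported function names).  Modeled on the two samples in
# these notes; the exact lists are illustrative.
POTENTIAL_KEYLOGGER = {
    "KERNEL32.DLL": ["OpenProcess", "GetCurrentProcess", "GetProcessHeap",
                     "ReadFile", "CreateFileA", "WriteFile"],
    "USER32.DLL": ["ShowWindow", "SetWindowsHookExA", "RegisterHotKey", "GetMessageA"],
    "GDI32.DLL": ["TextOutA"],
    "ADVAPI32.DLL": ["RegOpenKeyExA", "RegSetValueExA"],
    "SHELL32.DLL": ["ShellExecuteA"],
}
PACKED_PROGRAM = {
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "ExitProcess"],
}
# Constructed strings the first sample might yield.
KEYLOGGER_STRINGS = ["Software\\Microsoft\\Windows\\CurrentVersion\\Run", "keys.log"]

# Capability hints keyed by imported function, following the reasoning in
# the PotentialKeylogger.exe walkthrough.  Deliberately short; a real rule
# set would be far longer.
CAPABILITIES = {
    "process manipulation": {"OpenProcess", "GetCurrentProcess", "GetProcessHeap"},
    "file manipulation": {"ReadFile", "CreateFileA", "CreateFileW", "WriteFile"},
    "GUI": {"ShowWindow", "CreateWindowExA", "CreateWindowExW"},
    "keystroke capture": {"SetWindowsHookExA", "SetWindowsHookExW", "RegisterHotKey"},
    "registry access": {"RegOpenKeyExA", "RegOpenKeyExW", "RegSetValueExA", "RegSetValueExW"},
    "launch other programs": {"ShellExecuteA", "ShellExecuteW", "CreateProcessA", "CreateProcessW"},
    "networking": {"socket", "connect", "InternetOpenA", "InternetOpenUrlA"},
    "runtime linking": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress", "LdrLoadDll"},
}
AUTOSTART_KEY = "software\\microsoft\\windows\\currentversion\\run"

def all_imports(imports):
    """Flatten a DLL -> functions table into one set of function names."""
    return {fn for fns in imports.values() for fn in fns}

def looks_packed(imports, min_imports=10):
    """Packing heuristic from the notes: very few imports, and the ones that
    are present include the runtime-linking pair used to resolve the rest."""
    names = all_imports(imports)
    loads_libraries = bool({"LoadLibraryA", "LoadLibraryW"} & names)
    return len(names) < min_imports and loads_libraries and "GetProcAddress" in names

def infer_capabilities(imports, strings=()):
    """Return a sorted list of capability labels suggested by imports (and,
    for autostart persistence, by the Run-key string)."""
    names = all_imports(imports)
    found = {cap for cap, fns in CAPABILITIES.items() if fns & names}
    if any(AUTOSTART_KEY in s.lower() for s in strings):
        found.add("autostart persistence")
    return sorted(found)

def report(label, imports, strings=()):
    verdict = "probably packed" if looks_packed(imports) else "not packed"
    caps = ", ".join(infer_capabilities(imports, strings)) or "none inferred"
    return f"{label}: {len(all_imports(imports))} imports, {verdict}; capabilities: {caps}"

if __name__ == "__main__":
    print(report("PotentialKeylogger.exe", POTENTIAL_KEYLOGGER, KEYLOGGER_STRINGS))
    print(report("PackedProgram.exe", PACKED_PROGRAM))
```

The packed sample is flagged by `looks_packed` and yields only "runtime linking", which is exactly the dead end described above: the real imports are resolved at run time and are invisible to this kind of analysis.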

 

  • The PE File Headers and Sections
    • A PE file has several sections, namely the .text, .rdata, .data, and .rsrc sections
    • Often the programmer has little control over the names of these sections
    • Section names can also vary across compilers
      • To determine which section is which, the PE header contains information on how each section is used
    • Sections of a PE file for a Windows executable
      • .text: Contains executable code
      • .rdata: Holds read-only data that is globally accessible within the program
      • .data: Stores global data accessed throughout the program
      • .idata: Sometimes present and stores the import function information; if this section is not present, the import function information is in the .rdata section
      • .edata: Sometimes stores export function information; if this section is not present, the export function information is in the .rdata section
      • .pdata: Only in 64-bit executables; stores exception-handling information
      • .rsrc: Stores resources needed for the executable
      • .reloc: Contains information for relocation of library files
    • #Examining PE Files with PEview
      • Screenshot from 2017-06-25 03-03-53
        • 1: Displays the main part of the PE header
          • IMAGE_DOS_HEADER and the MS-DOS Stub Program are historical and offer nothing of interest
          • IMAGE_NT_HEADERS shows the NT headers; the Signature is always the same
        • 2: Contains information about the currently highlighted entry
          • IMAGE_FILE_HEADER is highlighted, and section 2 contains basic information about the file
        • 3: Time date stamp shows when this executable was compiled
          • This value can be changed, and Delphi programs all use June 19, 1992
        • IMAGE_OPTIONAL_HEADER contains other information
        • Section names are often not chosen by the programmer
      • Screenshot from 2017-06-25 03-10-38
        • 1: Shows the size of the section after loading
        • 2: Shows the size of the section on disk
      • Section sizes can be used to check whether the program is packed
        • If the virtual size is much larger than the raw size, the section is likely compressed
      • The .data section's virtual and raw sizes often differ greatly; this is common for Windows executables
        • Pay more attention to the .text section, and to misnamed or extra, unusual sections
    • #Viewing the Resource Section with Resource Hacker
      • Resource Hacker: Can be used to browse the .rsrc section
      • This will allow one to see strings, icons and menus
      • Screenshot from 2017-06-25 03-19-10
        • 1: Shows all resources
          • Icon lists images
          • Menu shows all menus that appear in the various windows
          • The Dialog section contains the program's dialog menus
          • The String Table section stores strings
          • Version Info contains the version number and often the company name and copyright statement
        • 2: The selected dialog is shown graphically here
        • Often the resource section contains drivers or embedded programs that run before the main executable runs
          • Resource Hacker allows you to extract these files for individual analysis
    • #Using Other PE File Tools
    • #PE Header Summary
      • Screenshot from 2017-06-25 03-25-48.png
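The checks PEview and PEiD are used for in these notes (the compile timestamp, the section names, and virtual size versus raw size as a packing indicator) can be done directly from the header bytes. The script below is an added example, not code from the book or the notes: it parses the DOS header, IMAGE_FILE_HEADER and section table with the standard library only, then reports non-standard section names and sections whose virtual size is far larger than their size on disk, skipping .data because of the caveat above. The sample PE it builds is constructed for the example: headers only, with UPX-style section names and the Delphi timestamp of June 19, 1992, so that both checks fire. It is not a real executable.

```python
import struct
from datetime import datetime, timezone

# Section names the notes list for a normal Windows executable.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc"}
DELPHI_STAMP = datetime(1992, 6, 19, tzinfo=timezone.utc).date()

def parse_pe(data):
    """Parse the DOS header, IMAGE_FILE_HEADER and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of IMAGE_NT_HEADERS
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                           # IMAGE_FILE_HEADER (20 bytes)
    (machine, num_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                               # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    sections = []
    off = opt + opt_size                                        # section table follows the optional header
    for _ in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _r, _l, _nr, _nl, flags) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": flags,
        })
        off += 40                                               # IMAGE_SECTION_HEADER size
    return {
        "machine": machine,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "is_dll": bool(characteristics & 0x2000),               # IMAGE_FILE_DLL
        "pe32plus": magic == 0x20B,                              # 64-bit image
        "sections": sections,
    }

def packing_indicators(pe, ratio=2.0):
    """Section-table hints that a file is packed: odd names, or a section that
    occupies far more memory than it takes up on disk (nothing on disk at all
    is the extreme case).  .data is skipped because its sizes normally differ."""
    findings = []
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"{s['name']}: non-standard section name")
        if s["name"] == ".data":
            continue
        if s["raw_size"] == 0 or s["virtual_size"] > ratio * s["raw_size"]:
            findings.append(f"{s['name']}: virtual size {s['virtual_size']:#x} "
                            f">> raw size {s['raw_size']:#x}")
    return findings

def is_delphi_timestamp(pe):
    """The notes say Delphi binaries carry a fixed June 19, 1992 timestamp."""
    return pe["compiled"].date() == DELPHI_STAMP

def build_sample_pe():
    """Constructed minimal PE: headers only, UPX-style section names, no code."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    file_header = struct.pack("<HHIIIHH", 0x14C, 3, 708912000, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * 222         # PE32 magic, rest zeroed
    table = [(b"UPX0", 0x20000, 0x1000, 0, 0x400, 0xE0000080),
             (b"UPX1", 0x8000, 0x21000, 0x7C00, 0x400, 0xE0000040),
             (b".rsrc", 0x1000, 0x29000, 0x1000, 0x8000, 0xC0000040)]
    sections = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                        for n, vs, va, rs, rp, ch in table)
    return dos + b"PE\x00\x00" + file_header + optional + sections

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    pe = parse_pe(data)
    stamp = pe["compiled"].strftime("%Y-%m-%d %H:%M:%S UTC")
    print("compiled:", stamp, "(Delphi default stamp)" if is_delphi_timestamp(pe) else "")
    for s in pe["sections"]:
        print(f"{s['name']:8} vsize={s['virtual_size']:#8x} raw={s['raw_size']:#8x}")
    for finding in packing_indicators(pe):
        print("  !", finding)
```

Given a real file path it prints the same section sizes PEview shows; on the constructed sample it flags the two UPX sections (one of them has no bytes on disk at all) and leaves .rsrc alone. Raising `ratio` makes the size check stricter; the name check is what catches a packer that keeps sizes plausible.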
