Malware. Basic Static Analysis. Part 2.
17 Oct 2015
We started basic static malware analysis in the previous article. Let's continue.
1. Analysis of imported/exported functions.
Developers rely on many useful libraries, and an application can link these libraries in different ways.
With static linking, the library code is simply copied into the application's own code. The file size grows and its analysis becomes more complicated.
This kind of linking is often used by malware, and the executable code is usually packed or obfuscated as well.
With dynamic linking, the application looks up the libraries at startup. Let's review this kind of linking in detail using the Dependency Walker tool.
The screenshot below lists the linked DLLs together with the functions imported from (PI) and exported by (E) each of them. These libraries and functions are documented in MSDN. For example, the KERNEL32.DLL library is used to work with memory, files and hardware, and the CreateDirectoryW function creates a directory.
We can also see the functions that the malware itself exports.
2. Analysis of file headers and sections.
We will use the PEview tool for this analysis.
IMAGE_FILE_HEADER contains the compilation timestamp of the file. Keep in mind that a developer can fake it.
IMAGE_OPTIONAL_HEADER tells you the user-interface type: IMAGE_SUBSYSTEM_WINDOWS_CUI (console) or IMAGE_SUBSYSTEM_WINDOWS_GUI (windowed).
The IMAGE_SECTION_HEADER entries (one per section) give the virtual and physical (raw) size of each section. For example, the .text section contains executable code. If the physical size of this section is less than its virtual size, that is an indicator of packer usage. In our case the virtual and raw data sizes are almost the same, which is fine.
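As an added example (not code from the original article), here is a small Python parser that reads the same header fields PEview displays directly with `struct` and applies the raw-versus-virtual size check to every section. The PE image it parses is constructed inline (headers only, with a made-up second section) so the script runs offline; on a real sample you would pass the file's bytes to `parse_pe` instead.

```python
import struct
from datetime import datetime, timezone

# IMAGE_OPTIONAL_HEADER.Subsystem values mentioned in the text
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}

def parse_pe(data):
    """Read what PEview shows: compile timestamp, subsystem, and per-section sizes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]  # offset 68 in PE32 and PE32+
    sections = []
    for i in range(nsect):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress, SizeOfRawData, ...
        name, vsize, _, rsize = struct.unpack_from("<8sIII", data, opt_off + opt_size + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            # The text's heuristic: far less data on disk than in memory suggests a packer
            # that fills the section at run time. Uninitialised-data sections show the same
            # gap legitimately, so weigh the code section first.
            "packer_indicator": rsize * 2 < vsize,
        })
    return {
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown({subsystem})"),
        "sections": sections,
    }

def build_sample_pe():
    """Constructed headers-only PE32 image: a normal .text plus a section with too little raw data."""
    def section(name, vsize, rsize):
        return struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x56220000, 0, 0, 224, 0x102)
    opt = bytearray(224)                                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                                 # Magic = PE32
    struct.pack_into("<H", opt, 68, 3)                                    # Subsystem = CUI
    return (dos + b"PE\0\0" + file_hdr + bytes(opt)
            + section(b".text", 0x1000, 0x1000) + section(b"UPX1", 0x20000, 0x400))
```

Running `parse_pe(build_sample_pe())` flags only the second section, whose 0x400 bytes on disk cannot account for its 0x20000 bytes in memory, while the .text section passes the same check the article applies to notepad.exe.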
The .rdata section contains information about imported/exported functions; we saw them earlier in the Dependency Walker tool.
The .rsrc section contains the application's resources (icons, images, menus and so on). You can analyse it with the Resource Hacker tool. Let's look at the resources of notepad.exe.