SBM Labs

Cyber Security Collaboration Project

Malware. Basic Static Analysis. Part 2.
17 Oct 2015

We started basic static malware analysis in the previous article. Let's continue.

1. Analysis of imported/exported functions.

Developers use many useful libraries. These libraries can be linked into applications in different ways.

Static linking.
In this case the library code is copied into the application itself, so the file size grows and analysis becomes more complicated.

Runtime linking.
In this case the libraries are loaded only while the program is running. This kind of linking is often used by malware, and the executable code is usually packed or obfuscated.

Dynamic linking.
In this case the application searches for the libraries at startup. Let's review this kind of linking in detail. We will use the Dependency Walker tool.

The list of linked DLLs and the functions imported from (PI) / exported by (E) them is shown on the screenshot below. Descriptions of these libraries and functions are available in MSDN. For example, the KERNEL32.DLL library is used to work with memory, files and hardware, and the CreateDirectoryW function creates a directory.

We can also see the functions exported by the malware itself.

2. Analysis of file headers and sections.

We will use PEview tool for analysis.

In IMAGE_FILE_HEADER you can find the timestamp of file compilation. But keep in mind that the developer can fake it.

In the IMAGE_SECTION_HEADER entries you can find the virtual and physical (raw) sizes of the sections. For example, the .text section contains executable code. If the physical size of this section is noticeably smaller than its virtual size, that is an indicator of packer usage. In our case the virtual and raw data sizes are almost the same, which is fine.
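The two checks described above (compile timestamp from IMAGE_FILE_HEADER, virtual vs. raw size per section) can be scripted instead of read off PEview. The following is an added example, not code from the original article; it parses the headers with the standard `struct` module and runs against a constructed header-only PE skeleton (no real binary, section names and sizes are made up), flagging any section whose virtual size exceeds its raw size by a chosen ratio.

```python
import struct
from datetime import datetime, timezone

# Layouts from the PE/COFF specification (little-endian).
IMAGE_FILE_HEADER_FMT = "<HHIIIHH"        # 20 bytes
IMAGE_SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # 40 bytes

def parse_pe(data):
    """Return machine, compile timestamp and per-section sizes from PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from(IMAGE_FILE_HEADER_FMT, data, coff)
    sections, off = [], coff + 20 + opt_size  # section table follows the optional header
    for _ in range(nsections):
        name, vsize, _vaddr, raw_size, *_rest = struct.unpack_from(
            IMAGE_SECTION_HEADER_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size})
        off += 40
    return {"machine": machine,
            "timestamp": datetime.fromtimestamp(timestamp, timezone.utc),  # may be faked
            "sections": sections}

def packer_suspects(sections, max_ratio=2.0):
    """Sections whose in-memory size is far larger than the bytes on disk.
    Note: a legitimate .bss has raw_size 0, so review hits rather than trust them blindly."""
    return [s["name"] for s in sections
            if s["virtual_size"] > max_ratio * s["raw_size"]]

def build_sample_pe(timestamp, sections):
    """Constructed header-only PE skeleton for testing (not a runnable binary)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack(IMAGE_FILE_HEADER_FMT, 0x14C, len(sections), timestamp, 0, 0, 0, 0x102)
    hdrs = b"".join(struct.pack(IMAGE_SECTION_HEADER_FMT, name, vsize, 0x1000,
                                rsize, 0x400, 0, 0, 0, 0, 0x60000020)
                    for name, vsize, rsize in sections)
    return dos + b"PE\0\0" + coff + hdrs

# Constructed sample: a normal .text/.rdata pair plus a packer-style section with no raw data.
SAMPLE = build_sample_pe(1444521600, [(b".text", 0x1F4A, 0x2000),
                                      (b".rdata", 0x800, 0x800),
                                      (b"UPX0", 0x20000, 0)])

if __name__ == "__main__":
    info = parse_pe(SAMPLE)
    print("compiled:", info["timestamp"], "suspects:", packer_suspects(info["sections"]))
```

On a real file, replace `SAMPLE` with `open(path, "rb").read()`; the check only reads headers, so it is safe to run on untrusted samples without executing them.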

The .rdata section contains information about imported/exported functions. We saw them earlier in the Dependency Walker tool.

The .rsrc section contains application resources (icons, images, menus and so on). You can use the Resource Hacker tool to analyse it. Let's look at the resources of the file notepad.exe.

There are many other useful tools for static file analysis, for example PEBrowse Professional and PE Explorer. Try them too.
