Practical Malware Analysis — CH 1
Notes taken when reading Practical Malware Analysis.
Basic Static Techniques:
Hashing: Common method used to uniquely identify malware. (md5deep)
Strings: Sequence of characters that can reveal information about malware/executable (strings). Strings searches for a three-letter or greater sequence of ASCII and Unicode characters, followed by a string termination character.
Obfuscated Malware: Execution has been hidden.
Packed Malware: Subset of obfuscated malware, malware is compressed and much more difficult to analyze.
Malware that is packed or obfuscated contains very few strings. You can use PEiD program to determine if a program has been packaged.
Static Linking: When a library is statically linked to an executable, all code from that library is copied into the executable, which makes the executable grow in size.
Runtime Linking: Executables that use runtime linking connect to libraries only when that function is needed, not at program start.
Dynamic Linking: When libraries are dynamically linked, the host OS searches for the necessary libraries when the program is loaded.
Programs & Tools:
- PEiD — Packaged Malware
- Dependency Walker — Explore dynamically linked functions
- PEview — Examine PE files
- Resource Hacker — View resource section of PE files (.rsrc)