Practical Malware Analysis — CH 1

Notes taken when reading Practical Malware Analysis.

Basic Static Techniques:

Strings: A sequence of characters that can reveal information about an executable or malware sample (extracted with the strings program). strings searches for a run of three or more ASCII or Unicode characters, followed by a string termination character.

Obfuscated Malware: Malware whose execution has been hidden.

Packed Malware: A subset of obfuscated malware; the malware is compressed and much more difficult to analyze.

Malware that is packed or obfuscated contains very few strings. You can use the PEiD program to determine whether a program has been packed.
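As an added example (not from the book or the notes above), here is a minimal strings extractor in Python that follows the rule given above: a run of at least three printable ASCII or UTF-16LE ("Unicode") characters ending in a NUL terminator. It also turns the "very few strings" observation into a crude strings-per-kilobyte figure. The two sample byte blobs are constructed for this example and are not real executables; `example.invalid` is a reserved placeholder hostname.

```python
import re
from typing import List, Tuple

# The rule from the text: three or more printable characters followed by a
# string terminator. Printable ASCII here is 0x20 (space) through 0x7E (~).
MIN_LEN = 3


def _patterns(min_len: int):
    """Build the two regexes: ASCII runs and UTF-16LE runs, each required to
    end in a NUL terminator as the text describes."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}(?=\x00)" % min_len)
    # Windows stores Unicode strings as UTF-16LE: each ASCII-range character
    # is a printable byte followed by 0x00, and the terminator is 0x00 0x00.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}(?=\x00\x00)" % min_len)
    return ascii_re, utf16_re


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every terminated ASCII or UTF-16LE
    string of at least min_len characters, ordered by file offset."""
    ascii_re, utf16_re = _patterns(min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found, key=lambda hit: hit[0])


def string_density(data: bytes, min_len: int = MIN_LEN) -> float:
    """Strings found per kilobyte of input. Packed or obfuscated samples score
    near zero because their bodies are compressed, so this is a quick hint
    that a packer check (e.g. with PEiD) is worthwhile."""
    if not data:
        return 0.0
    return len(extract_strings(data, min_len)) / (len(data) / 1024)


# Constructed sample mimicking fragments a small unpacked PE would carry.
SAMPLE_UNPACKED = (
    b"MZ\x90\x00\x03\x00"                                  # DOS header bytes
    + b"This program cannot be run in DOS mode.\x00"       # ASCII, terminated
    + b"\x01\x02\x03"
    + b"KERNEL32.dll\x00"                                  # imported DLL name
    + b"CreateFileA\x00"                                   # imported function
    + b"\xff\xfe"
    + "http://example.invalid/update".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"                                            # too short to count
    + b"\x7f\x80\x81"
)

# Constructed stand-in for a packed body: every byte value in order, so no
# printable run ends in a NUL terminator and nothing is reported.
SAMPLE_PACKED = bytes(range(256)) * 4


if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE_UNPACKED):
        print(f"{offset:6d} {kind:5s} {text}")
    print("unpacked strings/KB:", round(string_density(SAMPLE_UNPACKED), 1))
    print("packed   strings/KB:", round(string_density(SAMPLE_PACKED), 1))
```

Because the terminator is required, a printable run that is not followed by NUL is skipped, which is stricter than GNU strings (it reports any run of the minimum length). A packed sample still carries the unpacking stub's own handful of strings, so a low density is a reason to look closer, not a verdict on its own.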

Static Linking: When a library is statically linked to an executable, all code from that library is copied into the executable, which makes the executable grow in size.

Runtime Linking: Executables that use runtime linking connect to libraries only when that function is needed, not at program start.

Dynamic Linking: When libraries are dynamically linked, the host OS searches for the necessary libraries when the program is loaded.

PE Files:

PE Header:

Programs & Tools:

  • strings
  • PEiD — Detect packed malware
  • Dependency Walker — Explore dynamically linked functions
  • PEview — Examine PE files
  • Resource Hacker — View resource section of PE files (.rsrc)
