CMSC 491/691 Malware Analysis

Slides:



Advertisements
Similar presentations
Sample chapter from Reverse Engineering Course.
Advertisements

3. Loaders & Linkers1 Chapter III: Loaders and Linkers Chapter goal: r To realize how a source program be loaded into memory m Loading m Relocation m Linking.
Chapter 3 Loaders and Linkers
Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.
Operating System Security : David Phillips A Study of Windows Rootkits.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
File Systems.
Bypassing antivirus detection with encryption
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Chapter 3.7 Memory and I/O Systems. 2 Memory Management Only applies to languages with explicit memory management (C or C++) Memory problems are one of.
Tanenbaum, Structured Computer Organization, Fifth Edition, (c) 2006 Pearson Education, Inc. All rights reserved The Assembly Language Level.
1 uClinux course Day 3 of 5 The uclinux toolchain, elf format and ripping a “hello world”
Software Analysis & Deobfuscation Engine. Page  2  Project Name: SADE  Project Members: Faiza Khalid, Komal Babar and Abdul Wahab  Project Supervisor.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems David Goldschmidt, Ph.D.
OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable.
Lecture 11 Dynamic link libraries. Differences between static libraries and DLLs In static library code is added to the executable. In DLL, the code is.
4 Copyright © 2009, Oracle. All rights reserved. Defining Source Metadata.
MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.
CSE451 Linking and Loading Autumn 2002 Gary Kimura Lecture #21 December 9, 2002.
Chapter 2 Programs, Processes, and Threads Source: Robbins and Robbins, UNIX Systems Programming, Prentice Hall, 2003.
Java server pages. A JSP file basically contains HTML, but with embedded JSP tags with snippets of Java code inside them. A JSP file basically contains.
Algorithms  Problem: Write pseudocode for a program that keeps asking the user to input integers until the user enters zero, and then determines and outputs.
Writing a Run Time DLL The application loads the DLL using LoadLibrary() or LoadLibraryEx(). The standard search sequence is used by the operating system.
Analyzing Malicious Code Nicolas Brulez Ryan Russell Disassembly with a time constraint Recon 2005.
LOGOPolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Wenke Lee; Computer Security.
CE Operating Systems Lecture 17 File systems – interface and implementation.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
By: Georg Wicherski Presenting: Rasika Bindoo. Introduction Data collection not a problem anymore because of honeypots. Honeypots suffer from a drawback.
Application Remediation
The Assembly Language Level Part C – Linking and Loading.
Copyright Security-Assessment.com 2006 Unpacking Malware, Trojans and Worms PE Packers Used in Malicious Software Presented by Paul Craig Ruxcon 2006.
Lecture 11 Example Rootkit. Intel internship Intel CTG (Corporate Technology Group) –Advanced research & development –System integrity services using.
CSc 453 Linking and Loading
CC410: System Programming Dr. Manal Helal – Fall 2014 – Lecture 10 – Loaders.
METADATA IN.NET Presented By Sukumar Manduva. INTRODUCTION  What is Metadata ? Metadata is a binary information which contains the complete description.
On the Analysis of the Zeus Botnet Crimeware Toolkit H. Binsalleeh, T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, and L. Wang Presented.
Binding & Dynamic Linking Presented by: Raunak Sulekh(1013) Pooja Kapoor(1008)
GOT overwrites and IAT hooks. What is this?  The GOT hijack was a key exploit technique for me, it was the first time I internalized that we are overwriting.
Dissecting Windows Mobile roms Willem Hengeveld
Malware Incident Response - Static Analysis
The build process + misc
Topic 7 Malware Analysis Basics
Malware Reverse Engineering Process
CHP - 9 File Structures.
Chapter 1. Basic Static Techniques
System Programming and administration
Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Presented by Vikraman Mohan.
Malware Reverse Engineering Process
In-situ Visualization using VisIt
Algorithms Problem: Write pseudocode for a program that keeps asking the user to input integers until the user enters zero, and then determines and outputs.
Filesystems.
Part 1: Basic Analysis Chapter 1: Basic Static Techniques
The Assembly Language Level
Loaders and Linkers: Features
The Assembly Language Level
Homework Reading Programming Assignments Finish K&R Chapter 1
Understanding Hex “I hope you have the worst headache of your life, then you will begin to understand” ~unknown.
Loaders and Linkers.
Malware and the Windows API
CSC 497/583 Advanced Topics in Computer Security
CSC 497/583 Advanced Topics in Computer Security
Basic Dynamic Analysis VMs and Sandboxes
Following Malware Execution in IDA
"Q: How many MS programmers does it take to change a light bulb?
Chapter 5 File Systems -Compiled for MCA, PU
Presentation transcript:

CMSC 491/691 Malware Analysis Basic Static Analysis

Topics Strings PE File Metadata Packing

Static Analysis Learning properties of a file without running it For now, we’re just doing basic static analysis Analyzing file properties / metadata Will do advanced static analysis later Analyzing disassembled code

Strings Sequences of printable characters in a file Running strings on a file is often first step of analysis Gives hints about functionality of program Example: strings -n 8 [file path] | more Gets all strings of length >= 8 from a file and pipes output to more

Strings Demo Lab01-01.exe

PE File Format File format for Windows executables Includes EXE, DLL, SYS, and other file types Describes how the executable file is loaded into memory Contains lots of metadata that is useful to malware analysts!

The IMAGE_FILE_HEADER Contains basic file information NumberOfSections TimeDateStamp Characteristics

The IMAGE_OPTIONAL_HEADER Not actually optional Contains lots of important metadata: AddressOfEntryPoint Sizes of various parts of the file that get loaded into memory Minimum versions of operating system, linker, image, subsystem

The Section Table Each section corresponds to a contiguous area of memory in a process Section table contains an array of IMAGE_SECTION_HEADERs

IMAGE_SECTION_HEADERs Each contains that section’s: Name VirtualAddress VirtualSize SizeOfRawData Characteristics

Common PE Sections Many other common section names Unusual section names are a malicious indicator Section name Contents .text Executable code .data Initialized data .idata Import Address Table .rsrc Resource Directory Table .rdata Read-only initialized data

PE File Format Demo

Imports Import Address Table lists which functions a file imports from the Windows API Windows API functions defined in DLL files Imports give info about what actions a file can perform Commonly second step in basic static analysis, after strings

Resources Additional data/file contained within a PE file In legitimate files, often icons, application manifest, etc. Malware often hides executable code in resources!

Resources and Imports Demo Lab03-03.exe WinHex -> Edit -> Modify Data -> XOR 0x41

Packers Malware authors want to make it difficult for you to perform static analysis on their malware Use packers to hide: Executable code Strings Imports

How Packers Work Compress original program and add an unpacker stub When the packed executable is run, the stub unpacks the compressed program into memory and runs it

Indicators that a File is Packed File / Section entropy > 7 Few readable strings Unusual section names Imports resolved using runtime linking Sections with unusual raw / virtual sizes PEiD, DIE, VirusTotal are decent at detecting packers Notice lots of some false positives for some packers though

Entropy A byte has 28 possible values, so a truly random sequence of bytes has an entropy of 8 Executable code usually has an entropy around 4-6 Obfuscated / encrypted data usually has an entropy over 7, often near 8

Runtime Linking Malware authors don’t want you to be able to easily analyze a program’s imports Can hide a file’s imports until it is run by using runtime linking Resolves imports as the file runs Can import functions that are not listed in the IAT

How Runtime Linking Works LoadLibrary – Gets a handle (like a pointer) to any DLL file on a system GetProcAddress – Gets address of any function in a DLL Together, allows a program to import a function from any DLL

Packing Indicators Demo Lab01-02.exe Lab01-03.exe

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.