Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMSC 491/691 Malware Analysis

Published byBirgit Dahlberg Modified over 5 years ago

Similar presentations

Presentation on theme: "CMSC 491/691 Malware Analysis"— Presentation transcript:

1 CMSC 491/691 Malware Analysis
Basic Static Analysis

2 Topics Strings PE File Metadata Packing

3 Static Analysis Learning properties of a file without running it
For now, we’re just doing basic static analysis Analyzing file properties / metadata Will do advanced static analysis later Analyzing disassembled code

4 Strings Sequences of printable characters in a file
Running strings on a file is often first step of analysis Gives hints about functionality of program Example: strings -n 8 [file path] | more Gets all strings of length >= 8 from a file and pipes output to more

5 Strings Demo Lab01-01.exe

6 PE File Format File format for Windows executables
Includes EXE, DLL, SYS, and other file types Describes how the executable file is loaded into memory Contains lots of metadata that is useful to malware analysts!

7 The IMAGE_FILE_HEADER
Contains basic file information NumberOfSections TimeDateStamp Characteristics

8 The IMAGE_OPTIONAL_HEADER
Not actually optional Contains lots of important metadata: AddressOfEntryPoint Sizes of various parts of the file that get loaded into memory Minimum versions of operating system, linker, image, subsystem

9 The Section Table Each section corresponds to a contiguous area of memory in a process Section table contains an array of IMAGE_SECTION_HEADERs

10 IMAGE_SECTION_HEADERs
Each contains that section’s: Name VirtualAddress VirtualSize SizeOfRawData Characteristics

11 Common PE Sections Many other common section names
Unusual section names are a malicious indicator Section name Contents .text Executable code .data Initialized data .idata Import Address Table .rsrc Resource Directory Table .rdata Read-only initialized data

12 PE File Format Demo

13 Imports Import Address Table lists which functions a file imports from the Windows API Windows API functions defined in DLL files Imports give info about what actions a file can perform Commonly second step in basic static analysis, after strings

14 Resources Additional data/file contained within a PE file
In legitimate files, often icons, application manifest, etc. Malware often hides executable code in resources!

15 Resources and Imports Demo
Lab03-03.exe WinHex -> Edit -> Modify Data -> XOR 0x41

16 Packers Malware authors want to make it difficult for you to perform static analysis on their malware Use packers to hide: Executable code Strings Imports

17 How Packers Work Compress original program and add an unpacker stub
When the packed executable is run, the stub unpacks the compressed program into memory and runs it

18 Indicators that a File is Packed
File / Section entropy > 7 Few readable strings Unusual section names Imports resolved using runtime linking Sections with unusual raw / virtual sizes PEiD, DIE, VirusTotal are decent at detecting packers Notice lots of some false positives for some packers though

19 Entropy A byte has 28 possible values, so a truly random sequence of bytes has an entropy of 8 Executable code usually has an entropy around 4-6 Obfuscated / encrypted data usually has an entropy over 7, often near 8

20 Runtime Linking Malware authors don’t want you to be able to easily analyze a program’s imports Can hide a file’s imports until it is run by using runtime linking Resolves imports as the file runs Can import functions that are not listed in the IAT

21 How Runtime Linking Works
LoadLibrary – Gets a handle (like a pointer) to any DLL file on a system GetProcAddress – Gets address of any function in a DLL Together, allows a program to import a function from any DLL

22 Packing Indicators Demo
Lab01-02.exe Lab01-03.exe

Download ppt "CMSC 491/691 Malware Analysis"

Similar presentations

Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
3. Loaders & Linkers1 Chapter III: Loaders and Linkers Chapter goal: r To realize how a source program be loaded into memory m Loading m Relocation m Linking.

3. Loaders & Linkers1 Chapter III: Loaders and Linkers Chapter goal: r To realize how a source program be loaded into memory m Loading m Relocation m Linking.
Chapter 3 Loaders and Linkers

Chapter 3 Loaders and Linkers
Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.

Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
File Systems.

File Systems.
Bypassing antivirus detection with encryption

Bypassing antivirus detection with encryption
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Chapter 3.7 Memory and I/O Systems. 2 Memory Management Only applies to languages with explicit memory management (C or C++) Memory problems are one of.

Chapter 3.7 Memory and I/O Systems. 2 Memory Management Only applies to languages with explicit memory management (C or C++) Memory problems are one of.
Tanenbaum, Structured Computer Organization, Fifth Edition, (c) 2006 Pearson Education, Inc. All rights reserved. 0-13-148521-0 The Assembly Language Level.

Tanenbaum, Structured Computer Organization, Fifth Edition, (c) 2006 Pearson Education, Inc. All rights reserved The Assembly Language Level.
1 uClinux course Day 3 of 5 The uclinux toolchain, elf format and ripping a “hello world”

1 uClinux course Day 3 of 5 The uclinux toolchain, elf format and ripping a “hello world”
Software Analysis & Deobfuscation Engine. Page  2  Project Name: SADE  Project Members: Faiza Khalid, Komal Babar and Abdul Wahab  Project Supervisor.

Software Analysis & Deobfuscation Engine. Page  2  Project Name: SADE  Project Members: Faiza Khalid, Komal Babar and Abdul Wahab  Project Supervisor.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems David Goldschmidt, Ph.D.
OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.

OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.

Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.

Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable.

EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable.

Similar presentations

Ads by Google