This post adds another feature to my Reverse Engineering Toolkit that reports further details on the file being analysed: the PE imports, the section table, the linked libraries the file loads, and basic file details. Together these will aid the investigator in the forensic examination.
In the last post I walked through gathering artefacts from the extracted strings, which will serve us further in the investigation, and introduced and test-ran the first piece that makes up this project.
In this post I add another feature to the malware analysis kit: examining the loaded DLLs, the PE imports and the sections. I will share some brief thoughts on how this is done and give another test run of the added feature.
Imports and Dynamically Linked Libraries
Part of the static analysis phase of a malware executable is the list of functions known as 'imports'. Imports are functions stored in other programs, such as code libraries, that are connected to the main executable by a process called 'linking'. Developers use imports so that they do not have to re-implement the same functionality in multiple files. There are three types of linking: static linking, runtime linking and dynamic linking.
(1) Static linking - All code from the library is copied into the executable. It is difficult to tell statically linked library code apart from the executable's own code, because nothing in the PE file header indicates that the file contains linked code.
(2) Runtime linking - This type is common in malware, especially when it is packed or obfuscated. The executable only connects to a library when it needs a function, typically by calling LoadLibrary and GetProcAddress at run time, so the functions it really uses do not appear in the import table. This is unlike the next type.
(3) Dynamic linking - The executable connects to the library when it is loaded by the operating system loader, not at boot. The PE header records which libraries will be loaded and which functions will be used, and that list is the import table we read during static analysis.
PE File Sections
A PE executable is divided into two parts: (1) the headers and (2) the sections. The headers contain information such as memory addresses/locations and the size of the code. The sections make up the main content of the file: code, data, resources and other data the executable needs. Each section has its own header and body.
Below are the most commonly used sections in a PE file:
.rdata -> Contains the import and export information. It can also store read-only data used by the program.
.data -> Contains the program's global data.
.text -> Contains the instructions executed by the CPU; this is the section for the program's code. In an unpacked file the code can be seen in this section.
.rsrc -> Contains the resources used by the program, such as icons, images, menus, strings and the like.
.pdata -> Present only in 64-bit executables; stores exception-handling information.
.reloc -> Contains the base relocations, the fix-ups the loader applies when the image cannot be mapped at its preferred base address.
<RUN>
With all the technical background explained, it is time to run the add-on.
At (1) the tool prompts the user for the path of the file to be analysed. Once the input has been processed, the output starts at (2), which displays the file's PE sections: section name, section address, virtual size and raw size. The section table alone can indicate that a file is suspicious: for example, a .text section whose raw data size is 0 while its virtual size is greater than 0 occupies no space on disk yet reserves space in memory, which means a packer will unpack the executable code into the allocated .text section at run time.
At (3) are the PE imports, listing (a) each DLL the file links to and (b) the functions imported from it. The DLLs and functions loaded indicate the functionality the executable uses. From the sample test run:
Kernel32.dll is used. This DLL contains core functionality such as access to and manipulation of memory, files and hardware, and that is reflected in the PE functions the sample imports from it.
msvcrt.dll is a module containing standard C library functions such as printf, memcpy, cos, etc. Knowing this we can gather information about the language and structure of the application. From an attacker's point of view these imports are also useful for building an exploit against the file, e.g. the C runtime functions a program uses can point to where a buffer overflow attack might be possible.
At (4) are the basic details of the executable. These are helpful for the investigation and for reputation checks.
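As an added example, not the toolkit's own code, the following pure-Python script does what output regions (2) and (3) above show: it walks the PE headers, lists each section's name, virtual address, virtual size and raw size, flags sections with a raw size of 0 but a virtual size greater than 0 (the packer indicator described above), and walks the import directory to list each DLL and the functions imported from it. It uses only the standard library, so it runs anywhere. The PE it parses is constructed in memory by `build_sample_pe()`, a hypothetical minimal image with a .text section left empty on disk and imports from KERNEL32.dll and msvcrt.dll, not a real binary. It handles both PE32 and PE32+ import thunks, which goes slightly beyond the 32-bit case in the screenshots.

```python
import struct

RDATA_RVA, RDATA_FILE_OFF = 0x2000, 0x200  # where the sample's .rdata lives in memory / on disk


def build_sample_pe() -> bytes:
    """Constructed sample, not a real binary: a minimal PE32 whose .text has raw size 0 but virtual size 0x1000."""
    rdata = bytearray()
    def add(blob: bytes) -> int:  # append to .rdata and return the RVA it was placed at
        rva = RDATA_RVA + len(rdata)
        rdata.extend(blob + b"\0" * (-len(blob) % 4))  # keep tables 4-byte aligned
        return rva
    wanted = {"KERNEL32.dll": ["VirtualAlloc", "LoadLibraryA", "GetProcAddress"],
              "msvcrt.dll": ["printf", "memcpy"]}
    descriptors = b""
    for dll, funcs in wanted.items():
        name_rva = add(dll.encode() + b"\0")
        hint_names = [add(b"\0\0" + f.encode() + b"\0") for f in funcs]  # IMAGE_IMPORT_BY_NAME entries
        thunks = b"".join(struct.pack("<I", r) for r in hint_names) + b"\0" * 4
        int_rva, iat_rva = add(thunks), add(thunks)  # OriginalFirstThunk (INT) and FirstThunk (IAT)
        descriptors += struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva)
    descriptors += b"\0" * 20  # all-zero IMAGE_IMPORT_DESCRIPTOR terminates the table
    import_rva = add(descriptors)
    rdata += b"\0" * (0x200 - len(rdata))  # pad to FileAlignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew: PE header at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 optional header
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0x200, 0, 0x1000, 0x1000, RDATA_RVA)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x3000, 0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(import_rva, len(descriptors)) if i == 1 else (0, 0) for i in range(16)]  # DataDirectory[1] = imports
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = lambda n, vs, va, rs, rp, fl: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
    secs = sec(b".text", 0x1000, 0x1000, 0, 0, 0x60000020)  # nothing on disk: code arrives only at run time
    secs += sec(b".rdata", 0x200, RDATA_RVA, 0x200, RDATA_FILE_OFF, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + secs
    return bytes(headers + b"\0" * (RDATA_FILE_OFF - len(headers)) + rdata)


def rva_to_offset(rva: int, sections) -> int:  # map a relative virtual address to a file offset
    for s in sections:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            delta = rva - s["virtual_address"]
            if delta >= s["raw_size"]:  # e.g. inside a raw-size-0 .text: there is nothing on disk to read
                raise ValueError("RVA 0x%x has no raw data on disk" % rva)
            return s["raw_ptr"] + delta
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", errors="replace")


def parse_imports(data, sections, import_rva, pe32plus):
    """Walk the IMAGE_IMPORT_DESCRIPTOR table -> {dll: [function names or 'ord#N']}."""
    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    imports, off = {}, rva_to_offset(import_rva, sections)
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, off)
        if not (int_rva or name_rva or iat_rva):
            break
        dll, funcs = cstring(data, rva_to_offset(name_rva, sections)), []
        thunk = rva_to_offset(int_rva or iat_rva, sections)  # some linkers leave the INT empty
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if entry & ord_flag:
                funcs.append("ord#%d" % (entry & 0xFFFF))
            else:  # import by name: 2-byte hint, then the NUL-terminated function name
                funcs.append(cstring(data, rva_to_offset(entry & 0x7FFFFFFF, sections) + 2))
            thunk += size
        imports[dll], off = funcs, off + 20
    return imports


def suspicious_sections(sections):  # raw size 0 but virtual size > 0: nothing on disk, room reserved in memory
    return [s["name"] for s in sections if s["raw_size"] == 0 and s["virtual_size"] > 0]


def parse_pe(data: bytes) -> dict:
    """Headers -> section table, packer heuristic and import list (PE32 and PE32+)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    pe32plus = {0x10B: False, 0x20B: True}[struct.unpack_from("<H", data, opt)[0]]  # KeyError on unknown magic
    import_rva = struct.unpack_from("<I", data, opt + (0x70 if pe32plus else 0x60) + 8)[0]
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "virtual_address": va,
                         "virtual_size": vs, "raw_size": rs, "raw_ptr": rp})
    return {"machine": machine, "pe32plus": pe32plus, "sections": sections,
            "suspicious": suspicious_sections(sections),
            "imports": parse_imports(data, sections, import_rva, pe32plus) if import_rva else {}}


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())  # for a real file: parse_pe(open(path, "rb").read())
    for s in info["sections"]:
        print("%-8s VA=0x%x VSize=0x%x RawSize=0x%x" % (s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"]))
    print("suspicious (raw size 0, virtual size > 0):", info["suspicious"])
    for dll, funcs in info["imports"].items():
        print(dll, "->", ", ".join(funcs))
```

On the constructed sample the .text section is flagged because it has no bytes on disk while reserving 0x1000 bytes in memory, and the import walk lists VirtualAlloc, LoadLibraryA and GetProcAddress from KERNEL32.dll plus printf and memcpy from msvcrt.dll. A short import table that still contains LoadLibraryA and GetProcAddress is itself worth noting: it is the pattern of the runtime linking described above, where the functions really used are resolved only when the code runs. Note that `rva_to_offset` refuses an RVA that falls inside the empty .text, since reading it from the file would return nothing meaningful.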
Using this simple tool together with the string extraction tool from the previous post, we can perform static analysis of the suspected file and gain a fair amount of insight into its functionality. Although we have now covered the static analysis phase, it is only the first step; a lot of deeper digging remains to be done.
<Krontek>halt