Bazat e Skedarëve PE

Mesatar 14 min Analiza e Malware-it

Hyrje

The Portable Executable (PE) format is the file format for Windows executables, DLLs and drivers, and is the starting point for any Windows malware analysis.

Teoria

A PE file opens with a small MS-DOS stub, followed by an NT header containing the file header (architecture, number of sections, timestamp) and the optional header (entry point, subsystem, sizes). The section table describes each section: .text for code, .data for initialized data, .rdata for read-only data, .rsrc for resources, and sometimes suspicious custom sections added by packers. Each section has its own permissions — malware that sets .text writable or adds an RWX section is a red flag. Tools like PE-bear, CFF Explorer and pestudio give a structured view of a PE file without running it. pestudio in particular ranks imports, strings, entropy, sections and resources by "suspiciousness" and produces a quick triage score. High entropy in a section usually means compression or encryption — a common sign of packing. The import table is especially revealing. A benign utility typically imports a handful of standard functions (MessageBoxW, GetFileAttributesW). A sample that imports CreateRemoteThread, WriteProcessMemory, VirtualAllocEx and NtUnmapViewOfSection is almost certainly doing process injection. A malware analyst builds pattern recognition for these combinations over time — after a few dozen samples, you can often classify a file just from its import list.

Mjetet

Mjete:

  • PE-bear, CFF Explorer, PEview.
  • pefile në Python.
  • Detect It Easy (DIE).

Praktika

Inspektim i headers PE me pefile:

import pefile
pe = pefile.PE('sample.exe')
print(hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint))
for s in pe.sections:
    print(s.Name.decode().strip(), hex(s.VirtualAddress), s.SizeOfRawData)
for e in pe.DIRECTORY_ENTRY_IMPORT:
    print(e.dll.decode(), [i.name for i in e.imports])

Ushtrime

  1. Identifiko seksionet e pazakonshme (p.sh. pa name, me entropy > 7.0).
  2. Krahaso një binary të pastër me një të packed (UPX).

Burime

  • Microsoft — PE Format.
  • Practical Malware Analysis (Sikorski & Honig).

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re