The beginning of Chapter 1 "Basic Static Analysis" outlines the differences between static and dynamic analysis, and what use-cases they serve. Additionally, an introductory talk into the chalk-up of a Windows Portable Executable (PE) file, and the kind of data we can expect one to contain.

My aim with this series to provide the output / solutions of questions, rather then documenting as if it was a guide.

Perhaps its best to upload the python scripts I write to GitHub? I'll have a think of it... But for now, we're pretty much just using the documented code within the book.

IRCBot.exe:

Dissecting this PE file using python's pefile library.

Dependencies:

pip install pefile

Using PEFile to Examine the PE

Launching Python terminal, import pefile after installing, and parse the PE file

Q: Print Example Attributes using PEFile

import pefile

pe = pefile.PE("ircbot.exe")

for section in pe.sections:
 print (section.Name, hex(section.VirtualAddress),
 hex(section.Misc_VirtualSize), section.SizeOfRawData )

Q: Print PE Imports

for entry in pe.DIRECTORY_ENTRY_IMPORT:
 print entry.dll
 for function in entry.imports:
 print '\t',function.name

# DLL Name Noticeable Imports (Truncated)
1 KERNEL32.DLL WriteFile, CreateFileA, CreateProcessA
2 USER32.DLL MesssageBoxA

The three imports in KERNEL32.dll begin to illustrate the purpose of the .DLL, in this case we can see it will write to a file and spawn a process, all from a very brief inspection.

Inspecting Strings

Strings are of incredible value, as these are printable characters within the sample, they can be indexed to look for things such as protocols (HTTP, HTTPS) or any IP Addresses (Potential C&C Botnet Servers) ... assuming it isn't obfuscated anyway. But that's out of scope at the moment.

strings ircbot.exe > ircbotstrings.txt
Using "strings" tool to output the strings of ircbot.exe, then piping the output to "ircboxstrings.txt"
Opening the .txt file, we can see the strings of the PE

As there will be thousands, it'll be hard to find anything useful. Let's use grep! Thankfully, the book tells us what kind of info we're looking for.

grep "DOWNLOAD" ircbotstrings.txt

Basically, this indicates to us that the sample tries to call-home and resolve a domain to download a file, checking the integrity.

Further Inspection

Instead, we are grepping for any signs that this sample runs as a Web Server. Indicators will be strings such as "GET" "HTTP", etc or servernames.

grep "server" ircbotstrings.txt

We can see the sample execute a Web Server with the name "myBot", and even provides verbose output specifying the HTTP successfully binds. This is one method of a malicious sample being the payload for multiple samples.