The beginning of Chapter 1, "Basic Static Analysis", outlines the differences between static and dynamic analysis and the use-cases each serves. It also gives an introductory look at the make-up of a Windows Portable Executable (PE) file and the kind of data we can expect one to contain.
My aim with this series is to provide the output / solutions of questions, rather than documenting as if it was a guide.
Perhaps it's best to upload the Python scripts I write to GitHub? I'll have a think about it... But for now, we're pretty much just using the documented code within the book.
Dissecting this PE file using Python's pefile library.
pip install pefile
Using PEFile to Examine the PE
Q: Print Example Attributes using PEFile
import pefile

pe = pefile.PE("ircbot.exe")
for section in pe.sections:
    # Section names are NUL-padded bytes under Python 3; decode and strip the padding
    name = section.Name.decode(errors="ignore").rstrip("\x00")
    print(name, hex(section.VirtualAddress), hex(section.Misc_VirtualSize), section.SizeOfRawData)
Q: Print PE Imports
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    print(entry.dll.decode())
    for function in entry.imports:
        # function.name is None when the import is by ordinal rather than by name
        if function.name:
            print("\t", function.name.decode())
        else:
            print("\t", "ordinal %d" % function.ordinal)
|#|DLL Name|Noticeable Imports (Truncated)|
|---|---|---|
|1|KERNEL32.DLL|WriteFile, CreateFileA, CreateProcessA|
The three imports from KERNEL32.dll already begin to illustrate the sample's purpose: from a very brief inspection we can see it will write to a file and spawn a process.
Strings are of incredible value. They are the printable character sequences within the sample, and they can be searched for things such as protocols (HTTP, HTTPS) or IP addresses (potential C&C botnet servers), assuming they aren't obfuscated. Obfuscation is out of scope at the moment.
As there will be thousands of strings, it'll be hard to find anything useful by hand. Let's use grep! Thankfully, the book tells us what kind of information we're looking for.
grep "DOWNLOAD" ircbotstrings.txt
Basically, this indicates to us that the sample tries to call home, resolve a domain and download a file, checking the file's integrity.
Next, we grep for any sign that this sample runs as a web server. Indicators will be strings such as "GET", "HTTP", etc., or server names.
grep "server" ircbotstrings.txt
We can see the sample start a web server with the name "myBot", and it even provides verbose output stating that the HTTP server successfully binds. This is one way a malicious sample can act as the payload source for multiple other samples.
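The strings-then-grep workflow above, as an added example that is not code from the book or the original post: a stdlib-only Python equivalent of `strings` plus the indicator greps (DOWNLOAD, server, HTTP verbs, URLs, IPv4 addresses). It runs on a constructed byte blob standing in for the raw bytes of ircbot.exe, not on the real sample, and rejects impossible IPv4 octets that a naive regex would accept.

```python
import re

# Constructed stand-in for the raw bytes of ircbot.exe (not the real sample):
# binary padding interleaved with a few printable strings of the kind the book greps for.
SAMPLE_BYTES = (
    b"\x00\x01MZ\x90\x00" + b"\xff" * 8 +
    b"DOWNLOAD: resolving %s\x00" + b"\x02" * 3 +
    b"myBot server bound to port %d\x00" + b"\x7f\x00" +
    b"GET /update.bin HTTP/1.1\x00" +
    b"http://example.invalid/payload.exe\x00" +
    b"192.168.1.22\x00" + b"ab\x00" + b"999.1.1.1\x00"
)

# Equivalent of `strings -n 4`: runs of printable ASCII of at least min_len bytes.
def extract_strings(data, min_len=4):
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

# Indicator patterns matching what the chapter looks for in the strings output.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
KEYWORDS = ("DOWNLOAD", "server", "GET ", "HTTP")

# The regex alone accepts octets above 255; filter those out.
def valid_ipv4(candidate):
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))

def find_indicators(strings):
    found = {"ips": [], "urls": [], "keywords": []}
    for s in strings:
        found["ips"] += [ip for ip in IPV4.findall(s) if valid_ipv4(ip)]
        found["urls"] += URL.findall(s)
        if any(k.lower() in s.lower() for k in KEYWORDS):
            found["keywords"].append(s)
    return found

# Full pass: raw bytes -> printable strings -> categorised indicators.
def triage(data):
    return find_indicators(extract_strings(data))

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_BYTES).items():
        print(kind)
        for hit in hits:
            print("\t", hit)
```

To run it against a real file, replace SAMPLE_BYTES with `open("ircbot.exe", "rb").read()`.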