
Malware Analysis 101 - Basic Static Analysis

Aditya Anand
Sep 18, 2019 · 10 min read

This article is a continuation of my previous write-up “Malware Analysis 101”; do give it a read before going ahead with this one so that the things I explain here make more sense.

Malware analysis is broadly divided into two groups: static analysis and dynamic analysis. Static analysis covers all those examinations of the malware where we don’t actually execute it but try to figure out what it is trying to do and which commands it attempts to execute. Dynamic analysis, on the other hand, covers the examinations you carry out when you actually execute the malware, preferably in a sandboxed environment, and then try to figure out its functionality from its behaviour.

Even though we have two well-defined methodologies, each is further subdivided into a basic and an advanced methodology, which we use while trying to figure out the real motive behind a piece of malware. In this article, I am trying to explain the basic static analysis methodologies of malware analysis.

Let’s begin!

Static analysis consists of examining the executable file without viewing the actual instructions. It is used to confirm, or at least to get an idea of, whether the file being inspected is malicious. We do this by figuring out the functions and libraries that are called by the executable. Even though it is not very effective on its own, basic static analysis acts as a stepping stone for the rest of your malware analysis and gives you an idea of the things you should be looking into.

Before diving into the static analysis methodologies, let us first explore malware itself a little more, so that we understand the steps we take while analysing software we deem to be malicious.

Packed & Obfuscated Malware

Obfuscated programs are ones whose execution the malware author has attempted to hide. Packed programs are a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed directly. To identify whether malware is packed or not, we can run a static check on it with Strings; if we find extremely few strings, there is a near-100% chance that the code is malicious.

  • Packed and obfuscated code will at least include functions like LoadLibrary and GetProcAddress, which are used to load and gain access to additional functions and are a giveaway that the program is malware.
  • Packing Files

i) When the packed program is run, a small wrapper program also runs to decompress the packed file and then run the unpacked file.

ii) When analyzing the packed program, we can only make clear sense of the wrapper program, and it is that wrapper which can then be dissected; check the figure below.

[Figure: an unpacked executable (left) next to its packed version (right)]

The file on the left is the original executable with all strings, imports and other information visible. On the right is a packed executable. All of the packed file’s strings, imports and other information are compressed and are invisible to most static analysis tools.

Now let’s try to understand the portable executable file format so that we have an idea of what to look for.

Portable Executable File Format

  • Nearly every file with executable code loaded by Windows is in the PE file format, except for a few legacy file formats which occur on rare occasions in malware.
  • PE files begin with a header that includes:

i) Information about the code

ii) Type of application

iii) Required library functions

iv) Space requirements

  • The information obtained from the PE header can be of great value to the malware analyst.

The Portable Executable File Headers and Sections

The following are the most common and interesting sections in a PE file:

[Image: table of common PE sections]

PE Header Summary

The PE header contains useful information for the malware analyst, and we will continue to examine it in subsequent chapters. Some of the key information that can be obtained from a PE header:

[Image: summary of key PE header fields]

We know that malware needs to use linked libraries and functions to work properly, so let’s look at how that linking happens.

Linked Libraries

  • Code libraries can be linked statically, at runtime or dynamically.

Knowing how the library code is linked can be critical to our understanding of the malware, because the information we find in the PE header can only be made sense of once we know how these libraries interact and are linked.

Static Linking

  • When statically linked, all library code is copied into the executable, which in turn increases the size of the file itself.
  • Analyzing the code becomes difficult, as it is extremely hard to differentiate between the statically linked code and the executable’s own code.
  • If static linking is used, the PE header does not indicate that the file contains linked code.

Runtime Linking

  • Executables that use this technique connect to libraries only when needed.
  • Windows functions allow programs to call functions not listed in the program’s header.
  • The two most commonly used functions are LoadLibrary and GetProcAddress.
  • LdrGetProcAddress and LdrLoadDll are also used.
  • LoadLibrary and GetProcAddress allow a program to access any function in any library on the system.
  • So whenever these functions are used, we can’t tell exactly which functions the suspect program is linking to.

Dynamic Linking

  • When libraries are dynamically linked, the host OS searches for the necessary libraries whenever the program is loaded.
  • When the program calls the linked library function, that function executes within the library.
  • The PE file header stores information about every library that will be loaded and every function that will be used by the program.
  • Identifying the libraries being used is extremely important, as it allows us to guess what the program is trying to do.
  • Common DLLs that are frequently required and can be used to make certain deductions:

[Image: table of common DLLs]

Functions

Import Functions

  • The PE file header also includes information about the specific functions used by an executable.
  • The names of these Windows functions can give you a good idea of what the executable does.

Export Functions

  • A DLL implements one or more functions and exports them for use by an executable, which can then import and use them.
  • The PE file contains information about which functions a file exports.
  • DLLs are specifically implemented to provide functionality used by EXEs.
  • If you discover exports in an executable, they will often provide useful information.
  • In many cases, software authors name their exported functions in a way that provides useful information.
  • However, the names of exported functions are of limited use against sophisticated malware.
  • If malware uses exports, it will often either omit names entirely or use unclear or misleading names.
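To make the PE header, section table and import table discussed above concrete, here is a small parser written for this write-up (it is not code from the original post or from the Practical Malware Analysis book, and it uses only the Python standard library). It builds a constructed, minimal PE32 file in memory (a one-byte .text section and an .idata section that imports LoadLibraryA and GetProcAddress from KERNEL32.dll), then parses the DOS header, the COFF header, the optional header, the section headers and the import directory the way a tool like PEview does. Because the sample imports LoadLibrary and GetProcAddress, the last function flags that the static import list is not the full story, which is exactly the runtime-linking caveat above. Function names, the sample file layout and the constant names are my own choices; the structure offsets are those of the PE format.

```python
import struct
from datetime import datetime, timezone

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

# APIs the write-up associates with runtime linking; importing them means the
# program can reach any API on the system, so the static import list is incomplete.
RUNTIME_LINK_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
                     "GetProcAddress", "LdrLoadDll", "LdrGetProcAddress"}

def build_import_section(base_rva, dll, funcs):
    """Lay out one import directory (constructed sample data, not a real binary):
    [descriptor][null descriptor][ILT][IAT][dll name][hint/name entries]."""
    ilt_rva = base_rva + 40
    iat_rva = ilt_rva + 4 * (len(funcs) + 1)
    name_rva = iat_rva + 4 * (len(funcs) + 1)
    names, thunks = bytearray(dll.encode() + b"\0"), b""
    for f in funcs:
        if len(names) % 2:                      # hint/name entries are 2-byte aligned
            names += b"\0"
        thunks += struct.pack("<I", name_rva + len(names))
        names += struct.pack("<H", 0) + f.encode() + b"\0"   # hint, then the name
    thunks += b"\0\0\0\0"                       # terminating thunk
    desc = struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva) + b"\0" * 20
    return desc + thunks + thunks + bytes(names)

def build_sample_pe():
    """Constructed minimal PE32 image: .text holds a single 'ret', .idata imports two APIs."""
    FILE_ALIGN, IDATA_RVA = 0x200, 0x2000
    text = b"\xc3"
    idata = build_import_section(IDATA_RVA, "KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"])
    hdr = bytearray(64)                                         # DOS header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                       # e_lfanew -> PE signature
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0x5D81F0A0, 0, 0, 224, 0x0102)  # COFF header (i386, 2 sections)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic = PE32
    struct.pack_into("<IIII", opt, 16, 0x1000, 0x1000, 0x2000, 0x400000)  # entry, code/data base, image base
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)        # section / file alignment
    struct.pack_into("<II", opt, 56, 0x3000, FILE_ALIGN)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, IDATA_RVA, len(idata)) # DataDirectory[1] = import table
    hdr += opt
    hdr += struct.pack(SECTION_FMT, b".text", len(text), 0x1000, FILE_ALIGN, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack(SECTION_FMT, b".idata", len(idata), IDATA_RVA, FILE_ALIGN, 0x400, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr).ljust(FILE_ALIGN, b"\0") + text.ljust(FILE_ALIGN, b"\0") + idata.ljust(FILE_ALIGN, b"\0")

def rva_to_offset(sections, rva):
    """Translate a relative virtual address to a file offset using the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} falls outside every section")

def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    plus = struct.unpack_from("<H", data, opt_off)[0] == 0x20B  # PE32+ has a different layout
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "characteristics": sc})
    imports = {}
    imp_rva = struct.unpack_from("<I", data, opt_off + (112 if plus else 96) + 8)[0]
    if imp_rva:                                                 # walk IMAGE_IMPORT_DESCRIPTOR entries
        thunk_fmt, ord_flag = ("<Q", 1 << 63) if plus else ("<I", 1 << 31)
        off = rva_to_offset(sections, imp_rva)
        while True:
            ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
            if name_rva == 0:
                break
            funcs, t_off = [], rva_to_offset(sections, ilt or iat)
            while (thunk := struct.unpack_from(thunk_fmt, data, t_off)[0]):
                funcs.append(f"ordinal#{thunk & 0xFFFF}" if thunk & ord_flag
                             else cstring(data, rva_to_offset(sections, thunk) + 2))  # skip the 2-byte hint
                t_off += struct.calcsize(thunk_fmt)
            imports[cstring(data, rva_to_offset(sections, name_rva))] = funcs
            off += 20
    return {"machine": machine, "characteristics": chars,
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "entry_point": entry, "sections": sections, "imports": imports}

def runtime_linking_hints(pe):
    """Imported APIs that let the program load further functions at runtime."""
    return sorted(f for funcs in pe["imports"].values() for f in funcs if f in RUNTIME_LINK_APIS)

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"machine={pe['machine']:#x} compiled={pe['timestamp']} entry={pe['entry_point']:#x}")
    for s in pe["sections"]:
        print(f"  {s['name']:<8} va={s['va']:#07x} vsize={s['vsize']:#x} raw={s['rawsize']:#x}")
    for dll, funcs in pe["imports"].items():
        print(f"  imports from {dll}: {', '.join(funcs)}")
    print("runtime linking APIs present:", runtime_linking_hints(pe))
```

The parser is deliberately strict about the two signatures and about RVAs that fall outside every section; on a real sample, a header that fails these checks is itself worth noting, since packers and hand-crafted loaders often produce headers that real compilers never would.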

Now that we have covered the basics, let’s start with the techniques used to do an effective basic static analysis.

1. Antivirus Scanning

  • Antivirus scanners are not perfect by any means; they carry out the scan using already known suspicious code (file signatures), as well as behaviour and pattern-matching analysis (heuristics).
  • Significant changes in code can be used to bypass a file signature check, and new and unique malware can bypass the heuristics check.
  • Different antivirus tools use different signatures to identify malware, so it is recommended to test the malware file against various antivirus engines (virustotal.com).

2. Hashing

A hash of the malware file acts as a unique fingerprint for it. We can then:

i) Use it as a label to identify the sample across the malware analysis community

ii) Share it with other analysts to help them identify the malware

iii) Search for that hash online and check whether the malware has already been identified

3. Finding strings

  • Searching through the strings in a program can be a way to get hints about its functionality.
  • The Strings ( bit.ly/ic4plL ) tool by Microsoft can be used to search an executable for strings, which are typically stored in either ASCII or Unicode format.
  • Strings searches for a sequence of three or more ASCII or Unicode characters, followed by the termination character.

Note: Both the ASCII and Unicode formats store characters in sequences that end with a NULL terminator to indicate string completion.

[Image: Strings output]

  • Strings ignores context and formatting while it searches an executable for ASCII and Unicode strings, so it can analyze any file type and detect strings across the entire file.
  • Not all strings found by Strings are valid strings; a reported “string” may be a memory address, CPU instructions or data used by the program, and it is left to the user to filter these out.
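The following script is an added example for this write-up (not code from the original post or from Microsoft’s Strings tool) that ties together sections 2 and 3 above and the “few strings plus LoadLibrary/GetProcAddress” packing indicator from earlier. It hashes a file with MD5, SHA-1 and SHA-256, extracts ASCII and UTF-16LE strings of three or more printable characters the way Strings does (this version reports any such run, whether or not a NULL follows it), and then sorts the hits into the kinds of hints an analyst looks for: dynamic-loading APIs, URLs, file paths and library names. The sample input, the hint categories and the “few strings” threshold of 20 are constructed for the example.

```python
import hashlib
import re
from collections import namedtuple

FoundString = namedtuple("FoundString", "offset encoding text")

# Constructed sample "binary": some noise bytes around the kinds of strings an
# analyst would expect in a suspicious executable. It is not a real program.
SAMPLE_FILE = (
    b"\x00\x01\x02MZ\x90\x00\x03" + b"\xff" * 8
    + b"LoadLibraryA\x00GetProcAddress\x00"
    + b"ab\x00"                                           # too short to be reported
    + b"http://update.example.invalid/check\x00\x00"
    + "C:\\Users\\Public\\svchost.exe".encode("utf-16le") + b"\x00\x00"
    + b"\x7f\x80\x81kernel32.dll\x00"
)

# Names the write-up associates with runtime linking / packed code.
DYNAMIC_LOADING = ("LoadLibrary", "GetProcAddress", "LdrLoadDll", "LdrGetProcAddress")

def file_hashes(data):
    """Fingerprints used to label a sample and look it up in other sources."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def extract_strings(data, min_len=3):
    """Return printable ASCII and UTF-16LE runs of at least min_len characters, by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [FoundString(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [FoundString(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_run.finditer(data)]
    return sorted(found)          # namedtuples sort by offset first

def triage(data, few_strings_threshold=20):
    """Hash the file, pull its strings and classify the interesting ones.

    few_strings_threshold is an arbitrary cut-off chosen for this example; a real
    executable of any size normally yields hundreds of strings, so a very low count
    together with LoadLibrary/GetProcAddress is the packing indicator described above.
    """
    strings = extract_strings(data)
    hints = []
    for s in strings:
        t = s.text
        if t.startswith(DYNAMIC_LOADING):
            hints.append(f"dynamic loading API: {t}")
        elif t.lower().startswith(("http://", "https://")):
            hints.append(f"URL: {t}")
        elif re.match(r"[A-Za-z]:\\", t):
            hints.append(f"file path: {t}")
        elif t.lower().endswith(".dll"):
            hints.append(f"library name: {t}")
    possibly_packed = (len(strings) < few_strings_threshold
                       and any(h.startswith("dynamic loading") for h in hints))
    return {"hashes": file_hashes(data), "string_count": len(strings),
            "hints": hints, "possibly_packed": possibly_packed}

if __name__ == "__main__":
    report = triage(SAMPLE_FILE)
    for algo, digest in report["hashes"].items():
        print(f"{algo:<7} {digest}")
    print(f"{report['string_count']} strings found; possibly packed: {report['possibly_packed']}")
    for s in extract_strings(SAMPLE_FILE):
        print(f"  {s.offset:#06x} {s.encoding:<8} {s.text}")
    for h in report["hints"]:
        print("  hint:", h)
```

Note how the UTF-16 path is invisible to the ASCII pattern (every character is followed by a NULL byte, so no ASCII run reaches three characters), which is why the two encodings have to be searched separately, exactly as Strings does.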

4. Detecting packers with PEiD

  • Support and development of PEiD stopped in 2011, yet it is still one of the best tools for this job, and in many cases it can also identify the packer used to pack the file.

[Image: PEiD software output]

Note : PEiD has identified the file as being packed with UPX version 0.89.6 - 1.02 / 1.05 - 2.90

  • We now know the packer used on this file, so we can try to unpack it. Unpacking is usually extremely complex, but luckily for us UPX-packed malware can be unpacked easily with the UPX tool itself; just download it from ( upx.sourceforge.net/ ) and run:
$ upx -d PackedProgram.exe
  • Many PEiD plugins run the malware executable without warning! Like other programs, especially those used for malware analysis, PEiD can itself contain vulnerabilities.

Note : PEiD version 0.92 contained a buffer overflow that allowed an attacker to execute arbitrary code. This would have allowed a clever malware writer to write a program to exploit the malware analyst’s machine. So prefer using only the latest version of PEiD.

Other PE File Tools

PEBrowse Professional is similar to PEview. It allows you to look at the bytes from each section and shows the parsed data. PEBrowse Professional does a better job of presenting information from the resource (.rsrc) section.

PE Explorer has a rich GUI that allows you to navigate through the various parts of the PE file. You can edit certain parts of the PE file, and its included resource editor is great for browsing and editing the file’s resources. The tool’s main drawback is that it is not free.


Edit: Most of the material in this article and the screenshots are taken from the book Practical Malware Analysis. You should definitely consider buying the book, link here. I have summarised my notes here, and a few points have been picked directly from the book as I considered them to be very well explained and it didn’t make sense to rephrase or edit them.

If you enjoyed it please do clap & let’s collaborate. Get, Set, Hack!

Website : aditya12anand.com | Donate : paypal.me/aditya12anand

Telegram : https://t.me/aditya12anand

Twitter : twitter.com/aditya12anand

LinkedIn : linkedin.com/in/aditya12anand/

E-mail : aditya12anand@protonmail.com
