In this article I will write about PE analysis: how to extract more information from a sample by combining several tools, how to do static analysis of a packed sample properly, and how to analyse the resources of a packed sample.
We can download the sample from here
Tools used:
- Detect It Easy (DiE)
- pestudio
- Resource Hacker
PE File Analysis
In this section I will use several tools to analyse the PE file of the sample. First I open the sample in DiE and click the Sections button, which shows the section table in the next image.
We see that there are three sections: UPX0, UPX1 and .rsrc.
UPX0 is the interesting one: it has a virtual size of 0x014000 bytes but a raw size of zero. The section occupies no space in the file yet reserves 0x14000 bytes in memory, so there is nothing in this section on disk and its entropy is trivially low (there are no bytes to measure). This is the region the UPX stub will unpack the original code into at runtime.
In UPX1 the virtual size and raw size look consistent with each other, but the entropy is 7.92 (the maximum possible is 8.0), which is far too high for ordinary compiled code and typical of compressed or encrypted data, so DiE flags this section as packed.
The next stage is to extract more information from the sample with pestudio, so let us open the sample in pestudio and go to Indicators.
There are indicators that refer to UPX, and two sections are flagged, one of them as writable and the other as executable. pestudio treats this as an indicator of potentially malicious code: a packer stub needs memory that it can both write to (to decompress the payload) and execute (to jump into the decompressed code), which legitimate compiled code normally does not need.
I will move to Sections to check them, because pestudio presents them differently from what we saw in DiE. This is the reason to check a sample with more than one tool: you must practise with many tools, since each tool contributes information that helps you understand the static analysis of a sample.
For UPX0 the virtual size and raw size are suspicious for the reason already seen in DiE (memory is reserved but nothing is on disk), and at the end of the row in the image you can see that pestudio flags this section.
For UPX1 the virtual size and raw size are normal, but the EntryPoint points into UPX1, which is an indicator that execution starts in the unpacking stub rather than in a normal .text section; pestudio flags this section as well.
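The checks done by hand above in DiE and pestudio can be scripted. The following is an added example written for this article, not code from the original post or from DiE/pestudio. It parses the PE section table with nothing but the Python standard library, computes the Shannon entropy of each section's raw bytes, and reports the same heuristics used above: a section with a large virtual size but zero raw size, a section whose entropy is close to 8.0, sections that are both writable and executable, and an entry point that lies outside a normal code section. Because it must run offline, it builds a small synthetic PE32 image in memory with a UPX-style layout (UPX0/UPX1/.rsrc); that image is constructed here and is not the article's sample. To use it on a real file, pass the file's bytes to analyse_pe.

```python
import hashlib
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}   # extend with other packers' section names


def shannon_entropy(buf):
    """Entropy in bits per byte: 0.0 for empty data, 8.0 for perfectly uniform random bytes."""
    if not buf:
        return 0.0
    n, counts = len(buf), [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)     # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)        # SizeOfOptionalHeader
    opt_header = e_lfanew + 24
    (entry_point,) = struct.unpack_from("<I", data, opt_header + 16)   # AddressOfEntryPoint (PE32 and PE32+)
    table, sections = opt_header + opt_size, []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER, data, table + i * 40)
        vsize, va, raw_size, raw_ptr, chars = f[1], f[2], f[3], f[4], f[9]
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va, "raw_size": raw_size,
            "characteristics": chars, "entropy": shannon_entropy(raw),
            "contains_entry_point": va <= entry_point < va + max(vsize, raw_size),
        })
    return entry_point, sections


def packer_indicators(entry_point, sections, entropy_threshold=7.0):
    """The heuristics DiE and pestudio apply to the section table, as human-readable findings."""
    findings = []
    for s in sections:
        n = s["name"]
        if n in KNOWN_PACKER_SECTIONS:
            findings.append(f"{n}: section name belongs to a known packer (UPX)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{n}: 0 bytes on disk but 0x{s['virtual_size']:X} bytes reserved in memory (unpack target)")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"{n}: entropy {s['entropy']:.2f} >= {entropy_threshold} (compressed or encrypted data)")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{n}: section is both writable and executable")
        if s["contains_entry_point"] and n not in (".text", "CODE"):
            findings.append(f"{n}: entry point 0x{entry_point:X} lies here, not in a normal code section")
    return findings


def analyse_pe(data):
    entry_point, sections = parse_sections(data)
    return entry_point, sections, packer_indicators(entry_point, sections)


def _pseudo_random(n, seed=b"upx1"):
    """Deterministic high-entropy filler (sha256 chain) standing in for a compressed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_fake_upx_pe():
    """Constructed minimal PE32 image mimicking a UPX layout. NOT the article's sample."""
    entry_point = 0x16A00                                   # inside UPX1, like the real sample
    upx1_body = _pseudo_random(0x1000)                      # entropy close to 8
    rsrc_body = (b"\0" * 0x1C0 + b"VS_VERSION_INFO").ljust(0x200, b"\0")   # low entropy
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    layout = [
        (b"UPX0", 0x14000, 0x01000, 0x0000, 0x0000, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
        (b"UPX1", 0x02000, 0x15000, 0x1000, 0x0400, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx),
        (b".rsrc", 0x01000, 0x17000, 0x0200, 0x1400,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")      # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x010F)    # i386, 3 sections
    optional = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x1000, 0x2000, 0x14000, entry_point).ljust(0xE0, b"\0")
    headers = dos + b"PE\0\0" + coff + optional
    for name, vsize, va, rsize, rptr, chars in layout:
        headers += struct.pack(SECTION_HEADER, name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
    image = headers.ljust(0x400, b"\0") + upx1_body        # UPX1 raw data at file offset 0x400
    return image.ljust(0x1400, b"\0") + rsrc_body          # .rsrc raw data at file offset 0x1400


if __name__ == "__main__":
    ep, secs, findings = analyse_pe(build_fake_upx_pe())
    print(f"entry point RVA: 0x{ep:X}")
    for s in secs:
        print(f"{s['name']:<8} vsize=0x{s['virtual_size']:06X} raw=0x{s['raw_size']:06X} entropy={s['entropy']:.2f}")
    for line in findings:
        print("  [!]", line)
```

Running it on the synthetic image reproduces the picture from DiE and pestudio: UPX0 reports zero raw size with 0x14000 bytes of virtual size, UPX1 reports entropy near 8 and holds the entry point, and both are writable and executable, while .rsrc triggers nothing. On a real file use `analyse_pe(open(path, "rb").read())`; the 7.0 entropy threshold is a common rule of thumb, so treat a hit as a reason to look closer rather than as proof of packing (large embedded images or certificates also score high).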
Now I will go to Imported libraries to check the libraries in this sample.
The following libraries are being imported:
kernel32.dll -> exposes most of the Win32 base APIs to applications, such as memory management, input/output (I/O) operations, process and thread creation, and synchronization functions.
advapi32.dll -> provides security calls and functions for manipulating the Windows Registry.
comctl32.dll -> implements the Windows common controls, such as progress bars, list views, tree views and toolbars. It calls functions from both USER32.DLL and GDI32.DLL to create and manage the windows for these UI elements, draw them, and collect user input. (The File Open, Save and Save As dialogs are provided by comdlg32.dll, not by comctl32.dll.)
shell32.dll -> implements the Windows Shell API: launching programs and documents (ShellExecute), locating special folders, shell file operations and the shell namespace.
user32.dll -> implements the Windows USER component that creates and manipulates the standard elements of the Windows user interface.
oleaut32.dll -> the OLE Automation library (VARIANT, BSTR and SAFEARRAY handling, IDispatch), used by COM- and ActiveX-based code.
Keep in mind that for a UPX-packed sample this list belongs to the UPX stub, not to the original program: UPX keeps LoadLibraryA and GetProcAddress (plus a few helpers) from kernel32.dll and one imported function from each DLL the original program used, so that the loader maps those DLLs, and then resolves the real imports itself after unpacking. The library names therefore hint at what the original program does, but the real function list is only visible after unpacking.
Let us do the final step in pestudio and look at Imported functions. VirtualProtect stands out: these entries are not strings but functions imported by the sample, and there are only 8 of them in this sample, which again fits a UPX stub. VirtualProtect lets code change page protections at runtime, which is exactly what an unpacker needs in order to write the decompressed code into memory and then execute it. Now we move on to information about the sample itself.
I open the sample in Resource Hacker and check the icons of the sample.
I cannot extract more information from this sample, but in another sample you can see the following tabs.
The Version Info tab shows all the version information: the company name, the original file name and file version, and the product version details. This is where most of the readable strings in a sample come from. All of this information should be reported to our client, but none of it should be trusted, since a version resource is trivial to fake and is often used to imitate a legitimate vendor.
The Manifest tab shows that the sample will run with the security context (access token) of the user or parent process that invoked or executed the program, i.e. requestedExecutionLevel is asInvoker. This also means the sample does not require a high-privilege user to run it, and it will not trigger a UAC prompt by itself.
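The manifest that Resource Hacker shows can also be read programmatically. The code below is an added example written for this article (it is not code from the original post or from Resource Hacker); the manifest text it parses is constructed to mirror a typical asInvoker manifest and is not extracted from the analysed sample. The point worth noting is that the requestedExecutionLevel element may sit in the asm.v2 or asm.v3 namespace depending on the toolchain that produced the binary, so a check must match on the element's local name, and that a manifest with no trustInfo at all behaves as asInvoker.

```python
import xml.etree.ElementTree as ET

# Constructed example manifest (not extracted from the analysed sample).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

# What each requestedExecutionLevel value means for the token the new process receives.
LEVELS = {
    "asInvoker": "runs with the access token of the parent process; no elevation, no UAC prompt",
    "highestAvailable": "runs with the highest privileges the user's token allows; UAC prompt for administrators",
    "requireAdministrator": "runs only with an elevated token; UAC prompt, standard users must supply admin credentials",
}


def requested_execution_level(manifest_xml):
    """Return (level, uiAccess) from a manifest, or (None, False) when no trustInfo is declared.
    Matches on the local element name so asm.v2 and asm.v3 manifests are both handled."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level", "asInvoker"), el.get("uiAccess", "false").lower() == "true"
    return None, False


def describe_privileges(manifest_xml):
    """One-line triage summary of the privileges a sample asks for at launch."""
    level, ui_access = requested_execution_level(manifest_xml)
    if level is None:
        return "no requestedExecutionLevel: behaves as asInvoker (no elevation requested)"
    text = LEVELS.get(level, f"unknown level {level!r}")
    if ui_access:
        text += "; uiAccess=true also requests UI-automation access to higher-integrity windows"
    return f"{level}: {text}"


if __name__ == "__main__":
    print(describe_privileges(SAMPLE_MANIFEST))
```

For the sample discussed above the summary is the asInvoker line, which matches what Resource Hacker shows: the program runs with whatever token launched it and never asks for more. A requireAdministrator manifest on a sample that has no business needing admin rights is a much stronger indicator and worth a line in the report.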