Saturday, 19 March 2016

Portable Executable - PE

The Portable Executable (PE) format is the file format for executables, object code, DLLs and other binaries used by the 32- and 64-bit versions of the Windows OS.

A PE file typically contains the following sections:

  1. .text - contains the executable code
  2. .rdata - holds read-only data that is globally accessible within the program
  3. .data - stores global data accessed throughout the program
  4. .idata - sometimes present; stores the import function information
  5. .edata - sometimes present; stores the export function information
  6. .pdata - only in 64-bit executables; stores exception handling information
  7. .rsrc - stores resources needed by the executable
  8. .reloc - contains relocation information for library files





Tools used to examine PE files:

  1. PEview 


Source: Practical Malware Analysis, hackerzvoice

Import and Export Functions

Imports are functions used by one program but stored in a different program (usually a DLL); they are typically common functionality that many programs share.


Import and export functions exist so that programmers do not need to rewrite the same code over and over again when writing other programs.


The imported functions give you an idea of what the program can do, and most probably will do when it runs.  Internal functions are intended to be called only from within the DLL where they are defined.


The exported functions are intended to be called by other modules, as well as from within the DLL where they are defined.


LoadLibrary, GetProcAddress, LdrGetProcAddress and LdrLoadDll are used to link functions at run time; when a program imports these, you cannot tell from the import table which functions will actually be linked into the program.  A ServiceMain function is what lets a program run as a service.


Some popular DLLs that are commonly seen:
  • Kernel32.dll - access to memory, files and hardware
  • Advapi32.dll - advanced core Windows components such as the service manager and the registry
  • User32.dll - user interface components, such as buttons and scroll bars
  • Gdi32.dll - display and graphics
  • Ntdll.dll - hiding functionality
  • Shell32.dll - ability to launch other programs
  • WSock32.dll - networking related
  • Ws2_32.dll - networking related
  • Wininet.dll - high-level network protocols such as FTP, HTTP and NTP

The following picture shows a list of functions; for more information, check MSDN Online.



Tools for finding the DLLs a program uses and the import/export functions within them:
  1. Dependency Walker
  2. IDA PRO



Source: Practical Malware Analysis, MSDN Microsoft 

Friday, 18 March 2016

Virgin Post

This is the first posting of the blog.

I have an interest in the malware analysis field and will be doing my own learning. I created this blog to mark my own learning progress and to be able to share the things I learn along the way.

Stay tuned.

Regards UQ
13 Mar 2016

Packers and packed programs

Packed programs are a subset of obfuscated programs: the original program is compressed, and in that form it cannot be analysed.

When a packed program runs, a small wrapper program decompresses the original file and then runs it. When a packed program is analysed statically, only this small wrapper program is dissected.

The original file contains all the strings and imports, but these are compressed and so invisible to most static analysis tools.

Tools that can be used to determine which packer or compiler was used to build an application:

  1. PEiD



Source: Practical Malware Analysis
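As an added example that is not part of the original posts (and not code from Practical Malware Analysis or from PEview, Dependency Walker or PEiD), the following Python script does by hand what those tools show for the three topics above: it walks the DOS and PE headers to list the sections, follows the import directory to list each DLL and the functions taken from it, computes per-section entropy as a rough sign of packing, and flags the run-time resolution APIs (LoadLibrary, GetProcAddress, LdrLoadDll, LdrGetProcAddress) that make the static import list incomplete. The PE it parses is constructed inside the script (build_sample_pe) and is not a real binary; the 7.0 entropy threshold and the DYNAMIC_RESOLVERS prefix list are my own assumptions for illustration, and the script needs Python 3.8 or later.

```python
import math
import struct
from collections import Counter

# APIs the post singles out as run-time import resolution (matched by prefix; assumed list).
DYNAMIC_RESOLVERS = ("LoadLibrary", "GetProcAddress", "LdrLoadDll", "LdrGetProc")

def entropy(blob):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def parse_pe(data):
    """Walk DOS header -> PE header -> section table -> import directory (PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # IMAGE_FILE_HEADER: we need NumberOfSections (2nd field) and SizeOfOptionalHeader (6th)
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt_off)[0] == 0x20B
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+); entry 1 is imports.
    import_rva = struct.unpack_from("<I", data, opt_off + (112 if pe32plus else 96) + 8)[0]
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        off = opt_off + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 2)})
    def rva_to_off(rva):  # import structures hold RVAs; map them back to file offsets
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    if import_rva:
        thunk_fmt, ordinal_flag = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
        desc = rva_to_off(import_rva)
        while True:  # IMAGE_IMPORT_DESCRIPTOR list ends with an all-zero entry
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if name_rva == 0:
                break
            funcs, thunk = [], rva_to_off(oft or ft)  # prefer the INT, fall back to the IAT
            while (val := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
                if val & ordinal_flag:
                    funcs.append(f"ordinal#{val & 0xFFFF}")
                else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the ASCIIZ function name
                    funcs.append(cstr(rva_to_off(val) + 2))
                thunk += struct.calcsize(thunk_fmt)
            imports[cstr(rva_to_off(name_rva))] = funcs
            desc += 20
    return sections, imports

def triage(data):
    """Flag what the posts warn about: packed-looking sections and run-time linking."""
    sections, imports = parse_pe(data)
    notes = [f"{s['name']}: entropy {s['entropy']}, likely packed or encrypted"
             for s in sections if s["entropy"] > 7.0]
    for dll, funcs in imports.items():
        notes += [f"{dll}!{f}: links at run time, so the static import list is incomplete"
                  for f in funcs if f.startswith(DYNAMIC_RESOLVERS)]
    return notes

def build_sample_pe():
    """Constructed sample, not a real binary: minimal PE32 with a low-entropy .text, an .idata
    importing LoadLibraryA and GetProcAddress from KERNEL32.dll, and a high-entropy .data."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                              # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)  # i386, 3 sections
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                              # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8, 0x2000, 40)               # import directory RVA, size
    layout = [(b".text", 0x1000, 0x200, 0x60000020), (b".idata", 0x2000, 0x400, 0x40000040),
              (b".data", 0x3000, 0x600, 0xC0000040)]
    for i, (name, va, rawptr, chars) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i,
                         name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, chars)
    text = b"\xC3" + bytes(0x1FF)                                        # ret plus zero padding
    idata = bytearray(0x200)
    struct.pack_into("<IIIII", idata, 0x00, 0x2028, 0, 0, 0x2040, 0x2034)  # descriptor, then zeros
    struct.pack_into("<III", idata, 0x28, 0x2050, 0x2060, 0)             # INT
    struct.pack_into("<III", idata, 0x34, 0x2050, 0x2060, 0)             # IAT
    idata[0x40:0x4D] = b"KERNEL32.dll\0"
    idata[0x50:0x5F] = b"\0\0LoadLibraryA\0"                             # hint + name
    idata[0x60:0x71] = b"\0\0GetProcAddress\0"
    packed = bytes((i * 73 + 41) & 0xFF for i in range(0x200))           # every byte value twice: 8.0 bits
    return bytes(hdr) + text + bytes(idata) + packed

if __name__ == "__main__":
    print(*triage(build_sample_pe()), sep="\n")
```

To run it on a real file, replace build_sample_pe() with the bytes read from disk; the section and import walk is the same one PEview and Dependency Walker perform, while the entropy check is only a hint that a packer may be present and is no substitute for PEiD's signatures or for unpacking the sample.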