See the Analysis data / forensic article for general data analysis. Related articles:
- Reverse Engineering tools for the Linux ELF — akde/infosec
- The Linux Executable and Linking Format (ELF) — akde/infosec
Static analysis
Notes beforehand:
- Calculate some hashes of the file and look them up in a search engine and on VirusTotal to see what is already known. Also try ssdeep fuzzy hashes to find similar samples.
- Check MalAPI.io for Win32 API functions that are commonly abused by malware and may show up in the binary's imports.
Have a first look into the file:
xxd file.exe | less
Have a look at the file segments:
binwalk file.exe
- If binwalk reports several interesting segments, extract all of them:
binwalk --dd '.*' file.exe
Have a look at the strings:
strings file.exe
floss file.exe
You can try to visualize the entropy to detect segments of encrypted or packed data (high entropy) or potentially human-readable segments (low entropy).
Have a look at the functions and a disassembled code view:
rabin2 -zzz file.exe
Analyse the segments of a PE file:
pescan file.exe
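The static steps above (hashing the file, pulling printable strings, checking the entropy of each segment and listing the PE sections) combined into one added Python script. This is an example written for this page, not a tool from the article or one of the listed projects; it uses only the standard library and the PE blob it analyses is constructed inline (valid headers, no real code) so it runs offline. Pass the bytes of a real file to triage() to use it on a sample.

```python
import hashlib
import math
import re
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 256) -> list:
    """Entropy of consecutive fixed-size windows: the numbers behind an entropy plot."""
    return [round(shannon_entropy(data[i:i + window]), 2) for i in range(0, len(data), window)]


def file_hashes(data: bytes) -> dict:
    """Hashes to look up in a search engine or on VirusTotal (ssdeep needs the external tool)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, which is what `strings` prints by default."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe_sections(data: bytes) -> list:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table, scoring each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        # first 24 of the 40 section-header bytes: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def triage(data: bytes, threshold: float = 7.0) -> dict:
    """Hashes, sections, and the names of sections whose entropy suggests packed or encrypted content."""
    sections = parse_pe_sections(data)
    return {
        "hashes": file_hashes(data),
        "sections": sections,
        "suspicious": [s["name"] for s in sections if s["entropy"] >= threshold],
    }


def build_sample_pe() -> bytes:
    """Constructed PE-shaped blob for the demo: valid headers, no real code, does not execute."""
    payloads = [
        (b".text", b"\x55\x48\x89\xe5\x5d\xc3\x90\x90" * 32),  # repetitive stub bytes: low entropy
        (b".rdata", b"Constructed sample string\0" * 6),       # readable text: low entropy
        (b".packed", bytes(range(256)) * 2),                   # every byte value equally often: 8.0
    ]
    align, opt_size, e_lfanew = 0x200, 0xF0, 0x40  # 0xF0 = size of a PE32+ optional header, left zero-filled
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(payloads)
    raw_start = raw_ptr = (headers_end + align - 1) // align * align
    vaddr, table, blobs = 0x1000, b"", b""
    for name, blob in payloads:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), vaddr,
                             len(blob), raw_ptr, 0, 0, 0, 0, 0x60000020)
        padded = blob.ljust((len(blob) + align - 1) // align * align, b"\0")
        blobs += padded
        raw_ptr += len(padded)
        vaddr += 0x1000
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(payloads), 0, 0, 0, opt_size, 0x22)
    header = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return header.ljust(raw_start, b"\0") + blobs


if __name__ == "__main__":
    sample = build_sample_pe()
    report = triage(sample)
    print("hashes:", report["hashes"])
    for s in report["sections"]:
        print(f"{s['name']:<8} off=0x{s['raw_offset']:x} size={s['raw_size']:<5} entropy={s['entropy']}")
    print("high-entropy sections:", report["suspicious"])
    print("strings:", extract_strings(sample)[:4])
    print("entropy profile:", entropy_profile(sample))
```

The per-section entropy is what pescan-style tools report; a section near 8.0 bits per byte is the usual sign of packed or encrypted content, while real code sits around 5 to 6.5 and plain text lower. The 7.0 threshold is a starting point, not a rule, and the entropy profile over fixed windows is useful when a single high-entropy blob hides inside an otherwise ordinary section.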
List further details of a PE file, including the imported functions:
readpe file.exe
Extract all PE file resources:
peres --all file.exe
Use radare2 or another disassembler to analyse further.
Dynamic analysis
Procmon
Use Procmon (Sysinternals) to see which libraries and (network) sockets an executable uses. Note: set the filter accordingly beforehand!

API Monitor
API Monitor can also be used to analyse a PE file. Open or attach to a process and analyse it.
Immunity
Process Hacker 2
Process Hacker 2 is a task manager that also shows loaded libraries and more.
Speakeasy
Speakeasy is a Windows kernel emulator. Malware can be executed within it (this should not be the only line of defense, of course).
Analysis frameworks
Cuckoo Sandbox
Outdated 🙁
VMRay
Commercial
SysAnalyzer
SysAnalyzer is an analysis framework.
Noriben
Noriben is a Procmon-based malware analysis sandbox.