{"id":4706,"date":"2025-03-19T14:34:09","date_gmt":"2025-03-19T13:34:09","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4706"},"modified":"2025-03-21T11:39:35","modified_gmt":"2025-03-21T10:39:35","slug":"binary-analysis","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4706","title":{"rendered":"Binary analysis of <span class=\"caps\">PE<\/span>&nbsp;files"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">See the<a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1132\" data-type=\"post\" data-id=\"1132\"> Analy\u00adsis data \/ foren\u00adsic<\/a> arti\u00adcle for gen\u00ader\u00adal data analy\u00adsis. Also, rel\u00ade\u00advant articles:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2793\">Reverse Engi\u00adneer\u00ading tools for the Lin\u00adux <span class=\"caps\">ELF<\/span> \u2014 akde\/infosec<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2808\">The Lin\u00adux Exe\u00adcutable and Link\u00ading For\u00admat (<span class=\"caps\">ELF<\/span>) \u2014 akde\/infosec<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Static analysis<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Notes before\u00adhand:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cal\u00adcu\u00adlate some hash\u00ades from the file and throw it into a search engine, Virus\u00adTo\u00adtal and see what hap\u00adpens. Try also <a href=\"https:\/\/ssdeep-project.github.io\/ssdeep\/index.html\">ssdeep <\/a>fuzzing hash\u00ades.<\/li>\n\n\n\n<li>See on <a href=\"https:\/\/malapi.io\/\">MalAPI.io<\/a> for pos\u00adsi\u00adble neg\u00ada\u00adtive Win32 func\u00adtions which could appear in binaries.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Have a first look into the&nbsp;file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">xxd file.exe | less<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Have a look into the file segments<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">binwalk file.exe<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If bin\u00adwalk sees mul\u00adti\u00adple inter\u00adest\u00ading seg\u00adments, try to extract all seg\u00adments:<br><code>binwalk --dd '.*' file.exe<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Have a look in the strings<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">strings file.exe<br>floss file.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can try to visu\u00adal\u00adize the entropy to maybe detect seg\u00adments of encrypt\u00aded data (high entropy) or poten\u00adtialy human read\u00adable seg\u00adments (low entropy).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Have a look into the func\u00adtions and a de-assem\u00adbled code&nbsp;view:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rabin2 -zzz file.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Analyse the seg\u00adments of a <span class=\"caps\">PE<\/span>&nbsp;file<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pescan file.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List more func\u00adtions of a <span class=\"caps\">PE<\/span> file and list used functions:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">readpe file.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Extract all <span class=\"caps\">PE<\/span> file ressources:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">peres --all file.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Use radare2 or oth\u00ader dis\u00adas\u00adsem\u00adbler to analyse further.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Dynamic analysis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Procmon<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use <strong>Proc\u00admon <\/strong>(Sys\u00adin\u00adter\u00adnals Tools) to see which libraries and (net\u00adwork) sock\u00adets a exe\u00adcute\u00adables uses. Note: Set the fil\u00adter accord\u00ading\u00adly before!<\/p>\n\n\n\n<figure class=\"wp-block-image size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"105\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2025\/03\/a-300x105.png\" alt class=\"wp-image-4805\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2025\/03\/a-300x105.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2025\/03\/a.png 732w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\"><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">API<\/span> Monitor<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/jozefizso\/apimonitor\"><span class=\"caps\">API<\/span> Mon\u00adi\u00adtor<\/a> can also be used to ana\u00adlyze a <span class=\"caps\">PE<\/span> file. Open\/Attach to a process and ana\u00adlyze&nbsp;it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Immunity<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Process Hacker 2<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/PKRoma\/ProcessHacker\">Process Hack\u00ader 2<\/a> is a task man\u00adag\u00ader with more infor\u00adma\u00adtion also about loaded libraries and&nbsp;more.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Speakeasy<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/mandiant\/speakeasy\">Speakeasy <\/a>is a win\u00addows ker\u00adnel emu\u00adla\u00adtor. Mal\u00adware can be excut\u00aded with\u00adin (this should not be the only line of defense, of course).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analysis frameworks<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Cuckoo Sandbox<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Out\u00addat\u00aded \ud83d\ude41<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">VMRay<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Com\u00admer\u00adcial<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SysAnalyzer<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/sandsprite.com\/iDef\/SysAnalyzer\/\">Sys\u00adAn\u00ada\u00adlyz\u00ader <\/a>is a analy\u00adsis framework.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Noriben<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/Rurik\/Noriben\">Noriben <\/a>is a Proc\u00admon-baesd mal\u00adware analy\u00adsis sandbox.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Other tools<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/ntcore.com\/explorer-suite\/\">Explor\u00ader Suite \u2013 NTCore<\/a><\/li>\n\n\n\n<li><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>See the Analy\u00adsis data \/ foren\u00adsic arti\u00adcle for gen\u00ader\u00adal data analy\u00adsis. Also, rel\u00ade\u00advant arti\u00adcles: Sta\u00adt\u00adic analy\u00adsis Notes before\u00adhand: Have a first look into the&nbsp;file: xxd file.exe | less Have a look into the file seg\u00adments bin\u00adwalk file.exe Have a look in the strings strings file.exefloss file.exe You can try to visu\u00adal\u00adize the entropy to&nbsp;maybe&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[523],"tags":[],"class_list":["post-4706","post","type-post","status-publish","format-standard","hentry","category-forensic"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4706","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4706"}],"version-history":[{"count":23,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4706\/revisions"}],"predecessor-version":[{"id":4810,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4706\/revisions\/4810"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}