Malware Components: Windows

Windows File System

  • File Systems: Windows supports several file systems, including FAT32, exFAT, and NTFS (the default for system volumes). Each organizes and stores data on disk differently; NTFS in particular adds access control lists and alternate data streams (ADS), and malware has used ADS to hide a payload behind an innocuous-looking file name.

  • File Information: Every file carries metadata: name, size, timestamps (created, modified, accessed), and permissions. This metadata is an early source of leads in malware analysis, but treat it with care: timestamps can be altered by the attacker (timestomping), so they corroborate a timeline rather than prove it.

File Identification

  • Binary Files: Every file is ultimately a sequence of bytes. As a malware analyst you need to be comfortable viewing files in their raw form with a hex editor, because the file name, extension, and icon tell you nothing reliable about what is inside.

  • Hex Representation: Each byte is written as two hexadecimal digits (0-9 and A-F). For example, the byte 0x54 is the ASCII character "T", so the string "This" appears in a hex editor as 54 68 69 73.

Hashing

  • Purpose: A hashing algorithm turns a file into a fixed-length digest that, for practical purposes, uniquely identifies its exact contents: change a single byte and the digest changes completely. Analysts use hashes to verify that a sample has not been altered in transit and to look it up in threat-intelligence databases and sandbox reports.

  • Common Algorithms: MD5, SHA-1, and SHA-256 are the digests you will see most often; all map arbitrary input to a fixed-size value (128, 160, and 256 bits respectively). MD5 and SHA-1 are no longer collision-resistant and should not be relied on for integrity guarantees, though they remain common as lookup keys. Remember that a hash identifies an exact byte sequence: repacking or trivially modifying a sample produces a completely new hash, which is why pure hash-based blocklists are cheap to evade.

File Extensions and Magic Headers

  • File Extensions: An extension (e.g. .exe, .pdf) is only a claim about the file type. Malware authors exploit this with double extensions such as invoice.pdf.exe (Windows Explorer hides known extensions by default, so the user sees invoice.pdf), with document-like icons embedded in the executable, and with deceptive characters in the file name.

  • Magic Headers: A more reliable way to identify a file is to examine its magic bytes, the signature at the very start of the file: an executable begins with MZ (0x4D 0x5A), a PDF with %PDF, a ZIP archive (and therefore any DOCX, XLSX, or JAR) with PK. Always confirm the type from the bytes, not from the name.

Practical Steps

  1. File Analysis: Use a tool such as FileAlyzer to examine file metadata (size, timestamps, declared type) and note anything inconsistent with what the file claims to be.

  2. Hex Editors: Open the file in a hex editor, confirm that the magic bytes match the claimed type, and look for readable strings that hint at its purpose.

  3. Hash Verification: Compute MD5, SHA-1, and SHA-256 hashes to give the sample a stable identifier, verify that it has not changed since it was collected, and search for it in threat-intelligence sources.
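The three practical steps above as a single Python script, an added example that is not part of the original notes. It identifies a file from its magic bytes rather than its extension, flags a double extension such as invoice.pdf.exe, renders the first bytes the way a hex editor does, and computes MD5, SHA-1, and SHA-256. The signature table covers only a handful of common formats, and the sample byte strings in the main block are constructed for illustration.

```python
"""File identification and hashing for first-pass triage (added example, not from the original notes)."""
import hashlib
import ntpath

# (magic bytes, description): the first bytes of the file as a hex editor shows them.
# Only a handful of common formats; extend as needed.
MAGIC_SIGNATURES = [
    (b"MZ", "MZ executable (PE if 'PE\\0\\0' follows at e_lfanew)"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP container (also DOCX/XLSX/PPTX/JAR/APK)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy DOC/XLS/MSI)"),
    (b"{\\rtf", "RTF document"),
    (b"Rar!\x1a\x07", "RAR archive"),
]
# What the extension claims, expressed as the prefix of the description we expect to see.
EXPECTED_TYPE = {".exe": "MZ", ".dll": "MZ", ".scr": "MZ", ".pdf": "PDF", ".png": "PNG", ".zip": "ZIP",
                 ".docx": "ZIP", ".xlsx": "ZIP", ".jar": "ZIP", ".doc": "OLE2", ".xls": "OLE2",
                 ".rtf": "RTF", ".rar": "RAR"}


def identify(data):
    """Classify a file by its magic bytes, never by its name."""
    for signature, description in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return description
    return "unknown"


def hashes(data):
    """MD5 and SHA-1 for lookups in older sources, SHA-256 as the identifier to record."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hexdump(data, width=16):
    """Render bytes the way a hex editor does: offset, hex bytes, printable ASCII."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:08x}  {hexpart:<{width * 3 - 1}}  |{ascii_part}|")
    return lines


def double_extension(filename):
    """invoice.pdf.exe: a document-looking name in front of the real extension."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and "." + parts[-2] in EXPECTED_TYPE


def extension_mismatch(filename, data):
    """True when the extension claims a type that the magic bytes contradict."""
    expected = EXPECTED_TYPE.get(ntpath.splitext(filename)[1].lower())
    return expected is not None and not identify(data).startswith(expected)


def triage(filename, data):
    return {"file": filename, "size": len(data), "type": identify(data),
            "extension_mismatch": extension_mismatch(filename, data),
            "double_extension": double_extension(filename), **hashes(data)}


if __name__ == "__main__":
    # Constructed samples: an executable header saved under a document name, a double extension,
    # and a genuine-looking PDF header.
    samples = {"invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
               "report.pdf.exe": b"MZ\x90\x00",
               "readme.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"}
    for name, data in samples.items():
        print(triage(name, data))
        print("\n".join(hexdump(data)))
```

Run it on a real file with `triage(path, open(path, "rb").read())`; the hashes of the empty string and of "abc" are standard test vectors, so they double as a sanity check of the hashing code.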


PE Files and Memory

Portable Executable (PE) File Format

  • PE File: This is the format for executable files in Windows. It contains headers and sections that define the structure, code, data, and resources needed to run the file.

  • Headers: These store meta-information about the file. Key headers include:

    • DOS Header: Begins with the e_magic field (the bytes "MZ") and ends with e_lfanew, the file offset of the PE header. Everything in between, the DOS stub, is ignored by modern Windows.

    • PE Header (NT Headers): Starts with the signature "PE\0\0" and is split into the File Header (machine type, number of sections, the TimeDateStamp compile time, size of the optional header) and the Optional Header (AddressOfEntryPoint, ImageBase, section and file alignment, subsystem, and the data directories that locate the import and export tables). The time stamp is attacker-controlled and is often zeroed or faked.

  • Sections: These store the actual code (.text), initialized data (.data, .rdata), resources (.rsrc), and so on. Each section has its own header recording its name, virtual address and size in memory, raw offset and size on disk, and characteristics flags (readable, writable, executable). A section that is both writable and executable, or whose raw size is far smaller than its virtual size, is a common sign of a packer.

Tools for Analysis

  • CFF Explorer: A tool used to examine and edit the PE file structure. Other tools include PEview, PE-bear, and Python scripts built on the pefile library.

Memory in Windows

  • Physical vs. Virtual Memory:

    • Physical Memory: The actual RAM installed in the machine.

    • Virtual Memory: Each process gets its own private virtual address space. The OS and the CPU's memory management unit map the virtual pages in use onto physical RAM and can page the rest out to disk, so a process never addresses RAM directly and cannot see another process's memory without the OS's help.

  • Process Execution: When a program runs, the loader maps the PE file into a new virtual address space and creates a process; its threads are then scheduled on the CPU, and its pages are brought into RAM on demand from the file on disk or the page file.

  • Memory Allocation: Windows manages memory in pages (4 KB on x86 and x64). Each region of a process's address space is private (allocated by the process, e.g. heaps and stacks), image (mapped from an executable or DLL), or mapped (backed by some other file or a shared section).

Analyzing Memory

  • Process Hacker (now maintained as System Informer): A tool to inspect running processes and their memory layout. Its Memory tab shows:

    • Memory Regions: The full virtual address space, divided into user space (the process's own code and data) and kernel space (shared by all processes and inaccessible from user mode).

    • Page States: Each region is committed (backed by RAM or the page file), reserved (address range set aside but not yet usable), or free.

    • Protections: Each committed region carries a protection such as PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ, or PAGE_EXECUTE_READWRITE. Legitimate code lives in image-backed regions that are executable but not writable; a private region that is both writable and executable (RWX) is a classic sign of an unpacking stub or injected code.
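What Process Hacker's Memory tab is reading, as an added Python example that is not part of the original notes: it walks a process's user-space regions with VirtualQueryEx through ctypes, decodes the state, type, and protection fields, and flags committed private RWX regions. The enumeration itself only runs on Windows; the Region type and the is_suspicious heuristic are this example's own and can be exercised on constructed regions anywhere.

```python
"""Inspect a process's memory regions as Process Hacker's Memory tab presents them.
Added example, not part of the original notes; the RWX heuristic is a starting point, not proof."""
import ctypes
import sys
from dataclasses import dataclass

# Constants from winnt.h
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_GUARD = 0x100
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80
WRITE_BITS = 0x04 | 0x08 | 0x40 | 0x80
PROCESS_QUERY_INFORMATION = 0x0400
USER_SPACE_END = 0x00007FFFFFFFFFFF if ctypes.sizeof(ctypes.c_void_p) == 8 else 0x7FFFFFFF


@dataclass
class Region:
    base: int
    size: int
    state: int      # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    protect: int    # PAGE_* flags (0 for reserved or free regions)
    type: int       # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE (0 for free)

    @property
    def state_name(self):
        return {MEM_COMMIT: "committed", MEM_RESERVE: "reserved", MEM_FREE: "free"}.get(self.state, hex(self.state))

    @property
    def type_name(self):
        return {MEM_PRIVATE: "private", MEM_MAPPED: "mapped", MEM_IMAGE: "image"}.get(self.type, "-")

    @property
    def protect_name(self):
        name = PROTECT_NAMES.get(self.protect & 0xFF, "-")
        return name + ("+GUARD" if self.protect & PAGE_GUARD else "")

    def is_executable(self):
        return bool(self.protect & EXECUTE_BITS)

    def is_writable(self):
        return bool(self.protect & WRITE_BITS)


def is_suspicious(region):
    """Committed private memory that is both writable and executable (RWX). Legitimate code is
    image-backed and not writable, so this is the footprint of unpacking stubs and injected shellcode."""
    return (region.state == MEM_COMMIT and region.type == MEM_PRIVATE
            and region.is_executable() and region.is_writable())


def format_region(region):
    return f"0x{region.base:016x} {region.size:>10x} {region.state_name:9} {region.type_name:7} {region.protect_name}"


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32), ("Protect", ctypes.c_uint32), ("Type", ctypes.c_uint32)]


def walk_regions(pid=None):
    """Enumerate user-space regions with VirtualQueryEx (Windows only; returns [] elsewhere).
    pid=None inspects the current process, which needs no extra privilege."""
    if sys.platform != "win32":
        return []
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid) if pid else k32.GetCurrentProcess()
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")
    regions, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    # Each call describes the region containing addr; stepping by RegionSize walks the whole space.
    while addr < USER_SPACE_END and k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        base = mbi.BaseAddress or 0
        regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type))
        addr = base + mbi.RegionSize
    if pid:
        k32.CloseHandle(handle)
    return regions


if __name__ == "__main__":
    target = int(sys.argv[1]) if len(sys.argv) > 1 else None
    for r in walk_regions(target):
        print(("!! " if is_suspicious(r) else "   ") + format_region(r))
```

Inspecting another process (`python script.py <pid>`) needs PROCESS_QUERY_INFORMATION access, which for processes of other users or protected processes means running elevated. RWX private regions are also produced legitimately by JIT compilers, so treat the flag as a prompt to dump and inspect, not as a verdict.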

Relative Virtual Addressing (RVA)

  • RVA: An offset from the base address at which the image is loaded, so that the virtual address of any item is ImageBase + RVA. Headers use RVAs rather than absolute addresses because the loader may relocate the image to a different base. RVAs are not file offsets: sections are aligned differently in memory (SectionAlignment) and on disk (FileAlignment), so locating the same bytes in the file on disk means finding the section that contains the RVA and applying that section's VirtualAddress-to-PointerToRawData difference.
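A minimal PE32+ header parser tying together the PE File Format section above and this RVA point, as an added Python example that is not part of the original notes (and not a replacement for pefile). It reads the DOS header, the PE signature, the File and Optional headers, and the section table; converts RVAs to file offsets through the section table; and raises the two static warnings mentioned above, a writable-and-executable section and a high-entropy section. build_sample_pe constructs a tiny hand-made PE32+ image for the demonstration; it is not a real binary, and the parser deliberately handles only the PE32+ optional header.

```python
"""Parse PE32+ headers and translate RVAs to file offsets (added example, not from the original notes)."""
import math
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
DOS_HDR = "<2s58xI"                           # e_magic, skip to 0x3C, e_lfanew
FILE_HDR = "<HHIIIHH"                         # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
OPT_HDR64 = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"  # PE32+ optional header up to NumberOfRvaAndSizes; data directories follow
SECTION_HDR = "<8sIIIIIIHHI"                  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics

@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int
    characteristics: int
    entropy: float

    def contains_rva(self, rva):
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)

def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); above ~7 suggests packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def parse_pe(data):
    """Walk DOS header -> PE signature -> File header -> Optional header -> section table."""
    e_magic, e_lfanew = struct.unpack_from(DOS_HDR, data, 0)
    if e_magic != b"MZ":
        raise ValueError("not an MZ file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HDR)
    opt = struct.unpack_from(OPT_HDR64, data, opt_off)
    if opt[0] != 0x20B:
        raise ValueError("this example handles PE32+ (Magic 0x20B) only")
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, roff, *_unused, chars = struct.unpack_from(SECTION_HDR, data, opt_off + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, roff, chars,
                                shannon_entropy(data[roff:roff + rsize])))
    return {"machine": machine, "timestamp": timestamp, "entry_point": opt[6], "image_base": opt[8],
            "size_of_headers": opt[19], "sections": sections}

def rva_to_offset(pe, rva):
    """RVA -> file offset through the section table (VA = image_base + RVA; the header area maps 1:1)."""
    if rva < pe["size_of_headers"]:
        return rva
    for s in pe["sections"]:
        if s.contains_rva(rva):
            return rva - s.virtual_address + s.raw_offset
    return None

def triage_warnings(pe):
    """Cheap static red flags: odd entry point, W+X sections, high-entropy sections."""
    warnings = []
    entry = next((s for s in pe["sections"] if s.contains_rva(pe["entry_point"])), None)
    if entry is None:
        warnings.append("entry point lies outside every section")
    elif not entry.characteristics & IMAGE_SCN_MEM_EXECUTE:
        warnings.append(f"entry point in non-executable section {entry.name}")
    for s in pe["sections"]:
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            warnings.append(f"section {s.name} is writable and executable")
        if s.entropy > 7.0:
            warnings.append(f"section {s.name} has entropy {s.entropy:.2f} (packed or encrypted?)")
    return warnings

def build_sample_pe(packed=False):
    """Constructed sample: a tiny but structurally valid PE32+ image, not a real binary."""
    text_chars, text_body = 0x60000020, b"\xC3" + b"\0" * 511   # CODE|EXECUTE|READ; a lone RET
    if packed:                                                   # mimic a packer stub: W+X and a high-entropy body
        text_chars, text_body = text_chars | IMAGE_SCN_MEM_WRITE, bytes(range(256)) * 2
    dos = struct.pack(DOS_HDR, b"MZ", 0x40)                      # no DOS stub: NT headers start at 0x40
    file_hdr = struct.pack(FILE_HDR, 0x8664, 2, 0x5F5E1000, 0, 0, struct.calcsize(OPT_HDR64) + 128, 0x0022)
    opt = struct.pack(OPT_HDR64, 0x20B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x140000000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                           # 16 empty data directories
    secs = struct.pack(SECTION_HDR, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, text_chars)
    secs += struct.pack(SECTION_HDR, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + secs
    return headers + b"\0" * (0x200 - len(headers)) + text_body + b"\0" * 0x200

if __name__ == "__main__":
    for packed in (False, True):
        pe = parse_pe(build_sample_pe(packed))
        print(f"machine=0x{pe['machine']:x} entry RVA=0x{pe['entry_point']:x} -> file offset 0x{rva_to_offset(pe, pe['entry_point']):x}")
        for s in pe["sections"]:
            print(f"  {s.name:8} RVA=0x{s.virtual_address:x} raw=0x{s.raw_offset:x} entropy={s.entropy:.2f}")
        print("  warnings:", triage_warnings(pe) or "none")
```

The sample puts .text at RVA 0x1000 but file offset 0x200, which is exactly the RVA-versus-offset gap the section table exists to resolve; pass `open(path, "rb").read()` of any 64-bit executable to parse_pe to see real values, or compare its output against CFF Explorer.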


WinAPI and Registry

  • Windows API (WinAPI): A set of functions exported by system DLLs (kernel32.dll, user32.dll, advapi32.dll, ntdll.dll, and others) that programs call to perform tasks such as file operations, memory management, process creation, and networking. Think of them as the tools a program uses to interact with the operating system; the list of APIs a sample imports is one of the quickest static indicators of what it does.

  • DLLs (Dynamic Link Libraries): Files that contain code and data shared by many programs at once, saving memory and disk space. A DLL is loaded into a program's address space either at start-up, because the PE's import table names it (implicit or load-time linking), or while the program is running, via LoadLibrary and GetProcAddress (explicit or run-time linking). Malware favours the second route, often with encoded API names, so that its import table reveals as little as possible.

  • Windows Registry: A hierarchical database that stores configuration settings for the operating system and installed programs, organized into hives such as HKEY_LOCAL_MACHINE (machine-wide) and HKEY_CURRENT_USER (per user). It records things like program locations, version numbers, file-type associations, and which programs start automatically at boot or logon.

In the context of malware analysis:

  • Malware performs its malicious actions through the Windows API, so the APIs a sample imports or resolves at run time (for example VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread for process injection) are strong behavioural hints.

  • Malware can hook legitimate API calls, either by overwriting a function's first instructions (inline hooking) or by patching a process's import table, so that calls are redirected to its own code; this underpins both rootkit-style hiding and the interception of credentials and data.

  • Malware often uses the Registry to persist, typically by adding a value under an autostart key such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that it runs at every logon.


Malware Behaviors

Key Components of Malware:

  1. Payload:

    • This is the main part of the malware that performs the malicious actions intended by the attacker. It can be a ransomware encryptor, adware, a credential stealer, a banking trojan, or a remote access tool, among others.

  2. Packers:

    • Packers compress and/or encrypt the payload and wrap it in a small stub that unpacks it in memory at run time, defeating signature matching on the file as stored on disk. During analysis the sample must be unpacked (statically, or by dumping it from memory after the stub has run) before the payload's functionality can be understood.

  3. Communication (C2 - Command and Control):

    • Malware often communicates with the attacker's infrastructure to receive instructions or upload stolen data, over protocols such as HTTP, HTTPS, or DNS that blend in with normal traffic. The network indicators this produces (domains, IP addresses, URL patterns, beacon intervals) are a key output of analysis.

  4. Stealth:

    • Malware uses techniques to hide itself from users and security software. This can range from altering file properties to more complex methods like code injection and installing rootkits.

  5. Armoring:

    • These are techniques used by malware to resist analysis and reverse engineering: detecting virtual machines and sandboxes, anti-debugging checks, obfuscated strings and control flow, and long sleeps or time-based triggers that outlast automated analysis.

  6. Persistence:

    • Malware ensures it remains active after reboots and logouts. The common mechanisms are Registry Run keys, startup folders, scheduled tasks, Windows services, and WMI event subscriptions.

  7. Propagation:

    • Malware often tries to spread to other devices on a network. It can perform reconnaissance, steal credentials, and exploit vulnerabilities to infect more systems.

  8. Distribution:

    • The methods used to deliver malware to victims: removable media such as USB drives, compromised or malicious websites (drive-by downloads), and phishing emails carrying malicious attachments or links.

Understanding Malware Behaviors:

  • Installation and Execution:

    • Malware installs itself and then performs its malicious activities. This can involve multiple stages and components working together.

  • Targeting Multiple Platforms:

    • Modern malware targets various operating systems and devices, including Windows, macOS, Linux, Android, and IoT devices.

  • Social Engineering:

    • Many malware infections rely on tricking users into executing the malicious payload, often through phishing emails or deceptive websites.
