Malware Theory - Basic Structure of PE Files

44,998 views

MalwareAnalysisForHedgehogs

6 years ago

I explain the basic structure of the Portable Executable file format using animated graphics. This video is meant for beginners in malware analysis.
My malware analysis course for beginners: www.udemy.com/course/windows-...
Buy me a coffee: ko-fi.com/struppigel
Follow me on Twitter: / struppigel

Comments: 41
@StephenChapman 6 years ago
Awesome video! I love the idea of heading this direction to help beginners and those with reversing experience who would like to pivot into malware RE!
@pcsecuritychannel 6 years ago
Awesome video! Tablet looks great.
@mrnano1991 6 years ago
Yeah bro .. That's way better than just talk .. You are going in the right direction.
@Legendofmudkip 6 years ago
Awesome video, thanks for making it!
@alipants429 6 years ago
Looove your videoo! You're able to explain concepts extremely well for a novice. Thank you, keep up the great work :) I'm starting to learn malware RE because of your videos! :) I like how you use illustration to enforce ideas; it's a lot easier for some to see a visual representation of things!
@LearnThenTeach 5 years ago
Great explanations here!
@OALABS 6 years ago
That's really cool! I totally want one 😺😺 ... Also nice PE overview : )
@cybercdh 6 years ago
Definitely agree, I want !! I learned a few things here too, nice one Karsten.
@batuhanbatuhan6445 2 years ago
I love theory videos the most
@0x7FFFFFFFFFFF 6 years ago
Hi MW4HH, (sorry if you don't like my abbreviation :P) Do you think it is valuable to learn about PE files in great detail? For example the OpenSecurityTraining 'Life of Binaries' course has over 50 videos and goes very in depth in to the different fields within PE files. Is it possibly required learning before you can manually unpack malware?
@MalwareAnalysisForHedgehogs 6 years ago
Hi, :) You certainly need to learn the basics, but not every detail of it. You should understand what imports, relocations and resources are. You should also understand the basic structure and some important fields of the headers. You need to know how sections are defined and how they are mapped to memory. But you don't need to know as much as someone who wants to build a PE parser.
@gliderhnr1633 4 years ago
Nice video. Keep going.
@maqelepo 1 year ago
simple simple simple str8 to the most basic point awesome
@l3n693 6 years ago
Good job 👍, I'm sure this will help beginners get more into malware analysis and even overall reverse engineering. Remember to make a video of IAT and EAT since it's quite hard to find resources of that(and the ones out there are a bit confusing).
@MalwareAnalysisForHedgehogs 6 years ago
Thanks. :) IAT & EAT: Yes, that's a good point. It is something I really struggled understanding back then.
@l3n693 6 years ago
MalwareAnalysisForHedgehogs Yea... IAT was a true mess. EAT I actually never messed with, although I heard that it's way easier.
@alinastechyshyn6410 5 years ago
If I want to view my exe file in hex and analyze it step by step following your video, what tool do I use for analysis?
@MalwareAnalysisForHedgehogs 5 years ago
Hi Alina. Any hex editor will suffice. E.g. HxD: mh-nexus.de/en/hxd/
@Vogel42 6 years ago
Using a graphics tablet for illustration is a great idea.
@andyandrw 6 years ago
When people talk about storing information in EOF(crypter for example), is it End of the File? Specifically where/which part of the file is it? I noticed some malware crypters preserve end of file, what is this? Thanks
@MalwareAnalysisForHedgehogs 6 years ago
Yes, they mean "End of File" with EOF. EOF crypters store the encrypted executable in the stub's overlay. That's quite easy for them to program because they simply append the data to the stub, most often preceded by some kind of marker to find the start of the data again.
@abandonedmuse 5 years ago
Wait so anything that says EOF is malware files? I have seen this in my files.
11 months ago
Some malware writes zeroes to the end of the executable, so is there any end marker (or something else) to check where the overlay or section ends?
@MalwareAnalysisForHedgehogs 11 months ago
The start of the overlay is at the end of the last section. The section table tells you the start and size of the last section, so you can calculate where the last section ends. That is where the overlay starts. However, you cannot determine where the data in the overlay ends that was there before zeroes or other bloat was added to it. When dealing with bloated samples it can help to either cut off the zeroes or to pack the file with UPX. Both will likely shrink the size enough that the file can be uploaded to services like VT or automatic sandbox systems. Does this answer your question?
11 months ago
@MalwareAnalysisForHedgehogs yes, thanks for explaining!
@sleekbr7666 2 years ago
This guy should cheer up. I mean smile bro.
@hassnainjaved7399 1 year ago
Kindly make another video on OS internals for malware.
@tinym00n 4 years ago
Hi do you recommend any book or online course about PE structure, thanks.
@MalwareAnalysisForHedgehogs 4 years ago
Sorry, I just read your comment, it seems it slipped through. The PE COFF documentation is the most important. It's not a tutorial, though. But it's how I learnt it: docs.microsoft.com/en-us/windows/win32/debug/pe-format If you write a simple PE parser, you will get the knack of it.
@D_Tech_And_Trek 3 years ago
How is MZ at offset 0x3C? Can someone explain? I see MZ at offset 0 in a hex editor..
@MalwareAnalysisForHedgehogs 3 years ago
e_lfanew is at offset 0x3c. Not MZ. e_lfanew points to PE\0\0.
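The two replies above (the overlay begins where the last section's raw data ends; MZ sits at offset 0 while offset 0x3C holds e_lfanew, which points to PE\0\0) as a worked example. This is added Python, not the channel's code: the PE image it parses is constructed inline so it runs offline, and the header layouts follow the PE/COFF documentation linked in the replies.

```python
import struct

def build_sample_pe():
    """Constructed, not real: a tiny PE image with one section plus an appended overlay."""
    dos = bytearray(0x40)                      # DOS header; 'MZ' sits at offset 0
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew at 0x3C -> PE signature at 0x40
    # COFF file header: Machine=i386, NumberOfSections=1, SizeOfOptionalHeader=0xE0 (PE32)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytes(0xE0)                           # optional header contents are irrelevant here
    raw_ptr, raw_size = 0x200, 0x200
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, raw_size, raw_ptr,
                      0, 0, 0, 0, 0x60000020)
    img = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    img += bytes(raw_ptr - len(img))            # pad up to the section's raw data
    img += b"\x90" * raw_size                   # section body
    img += b"OVERLAY!" + b"\x00" * 16           # appended overlay (EOF data) followed by zero bloat
    return bytes(img)

def parse_pe(data):
    """Walk DOS header -> e_lfanew -> PE\\0\\0 -> section table and locate the overlay."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic at offset 0")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at PE\\0\\0")
    coff_off = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    sec_off = coff_off + 20 + opt_size         # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rptr, rsize))
    # The overlay begins where the last section's raw data ends (highest PointerToRawData + SizeOfRawData).
    overlay_off = max((rptr + rsize for *_, rptr, rsize in sections), default=sec_off + 40 * nsect)
    overlay_off = min(overlay_off, len(data))
    # Where the real overlay data ends cannot be recovered, but trailing zero bloat can be measured.
    trailing_zeros = len(data) - len(data.rstrip(b"\0"))
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": sections,
            "overlay_offset": overlay_off, "overlay_size": len(data) - overlay_off,
            "trailing_zero_bytes": trailing_zeros}

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"e_lfanew=0x{info['e_lfanew']:X} sections={info['sections']}")
    print(f"overlay at 0x{info['overlay_offset']:X}, {info['overlay_size']} bytes, "
          f"{info['trailing_zero_bytes']} trailing zero bytes")
```

Run it against a real file by replacing `build_sample_pe()` with the bytes read from disk; the same walk applies to any PE, with multiple sections handled by taking the highest raw-data end.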
@heccerda 4 years ago
that's the weirdest b I've seen in my life
@tukaramgundur4659 2 years ago
Sir, can you explain non-PE?
@MalwareAnalysisForHedgehogs 2 years ago
Hi. What kind of non-PE format? There are so many.
@virozz1024 3 years ago
It's not a magic number in the DOS header; these are the initials of the guy who wrote this stub, Mark Zbikowski :)
@MalwareAnalysisForHedgehogs 3 years ago
They are still called magic numbers. en.wikipedia.org/wiki/Magic_number_(programming)
@batuhanbatuhan6445 2 years ago
Zero sections sounds like me
@cherifaly6757 6 years ago
What's your mother language?
@MalwareAnalysisForHedgehogs 6 years ago
German
@cherifaly6757 6 years ago
MalwareAnalysisForHedgehogs Thank you very much for the videos!
@MalwareAnalysisForHedgehogs 6 years ago
You're welcome! :)