OK continuing from Part 1, today’s tutorial’s will involve the following:
We will look at the strings of the program using strings.exe.
We will check if the program is packed?
Examining the Program’s Strings
A string in an application is a set of characters such as “hello”, it is stored in either ASCII or Unicode format. The cases where a program may contain strings are as follows:
I f the program prints a message.
If it accesses a URL.
Or if it copies a file to a certain location.
ASCII and Unicode uses NULL characters to indicate the string is complete.
The reason looking at the strings is important is that the string of a program would give us important information about the program or the codes functionality.
Strings.exe scans the program for any sequence or characters that are 3 characters or more in length, which is why it can produce results that don’t make sense. Therefore when reading the results from the strings.exe always make note of strings the make sense as shown below:
Open Command Prompt
Move to the location where you stored strings.exe
Type string.exe [the path where you stored the lab files followed by the name of the file]
Then press enter
As you can see from the first screenshot above the strings don’t make any sense, so we ignore them. However as we go further down the results we start to get some rsults that makes sense, we get what looks like function names and file names as shown below:
As an exercise I will leave it to you to search google for these functions and what they do. At the end you should have some idea on the functionality of this code that you can make note of for the other parts of our tutorial. Once you have reached a conclusion you can move on and read the rest of the tutorial.
Hint: They are Microsoft functions.
Checking if the Malware is Packed
With the advancement of Security Controls and Detection/Prevention Technology, whether it is host based or network based; attackers are also getting smarter and use more advanced and complicated techniques to escape detection and gain access to networks and systems for what ever motives they might have, whether their motive is just to see if they can penetrate a network (White Hat) or to commit fraud (Black Hat).
Some of these methods used to either obfuscate the malware or compress a group of files the malware needs and pack it into a single file.
Obfuscation – is a method used to hide the execution of the malware.
Packing – is a method used to gather a subset of obfuscated programs and compress and pack them into a single file to make it very difficult to analyse.
Legit programs contain many strings, while programs that have been packed and obfuscated will contain few strings. Therefore if you examine a program with string.exe and it contains very few strings indicates that the program is packed and obfuscated and thus could be or the alarm would be that it is more likely to be malicious, meaning that it is more interesting for you as an analyst to analyse it. This is because a very small program such as a simple hello program would contain many strings.
Packed and obfuscated code would at least have the LoadLibrary and GetProcAddress functions that are used to load and gain access to more functions.
If this is the case (Malware is Packed and Obfuscated) you would need more then static analysis to be able to analyse it.
One useful tool to help us see if a code is packed is called PEiD.
1- Open PEiD
2- Point it to the file and look at the results
3- The following two examples illustrate.
Example 1 – Unpacked
Example 2 – Packed
We have looked at how strings can help us in analysing code that we suspect to be malicious and how the results can give us an idea of what the code is about, the type of functions it contains and how it might function if we were to run it. We have also examined the code to see if it has been packed and obfuscated in some form.
With the type of functions and strings we can support our assumptions of whether the code is malicious or not, however before we can move on to the next stage of a more detailed investigation we have some more work to do. We need to investigate the Portable Executable File Format (PE) and Linked libraries and functions, which will be covered in part 3.
Looking at this we have learned that attackers use several methods to hide their code from being detected, methods such as obfuscation and Packing. If in our investigation we came to find out that the code is packed and obfuscated, it further confirms our assumption and increases our interests in that file, however we can not investigate it with simple basic static analysis techniques; we would need to unpack the file to be able to investigate it, all of this will be covered in future tutorials.
Keep a look out for part 3, coming soon……