Malware Theory - Basic Structure of PE Files

  • Published 18 Dec 2024

Comments • 41

  • @StephenChapman
    @StephenChapman 6 years ago +9

    Awesome video! I love the idea of heading this direction to help beginners and those with reversing experience who would like to pivot into malware RE!

  • @mrnano1991
    @mrnano1991 6 years ago +6

    Yeah bro .. That's way better than just talk .. You are going in the right direction.

  • a year ago

    Some malware writes zeroes to the end of the executable, so is there any end marker (or something else) to check where the overlay or section ends?

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs a year ago

      The start of the overlay is at the end of the last section. The section table tells you the start and size of the last section, so you can calculate where the last section ends. That is where the overlay starts.
      However, you cannot determine where the overlay data that was there before the zeroes or other bloat were added ends.
      When dealing with bloated samples it can help to either cut off the zeroes or to pack the file with UPX. Both will likely shrink the size enough that the file can be uploaded to services like VT or automatic sandbox systems.
      Does this answer your question?

    • a year ago

      @MalwareAnalysisForHedgehogs yes, thanks for explaining!

  • @pcsecuritychannel
    @pcsecuritychannel 6 years ago +1

    Awesome video! Tablet looks great.

  • @maqelepo
    @maqelepo 2 years ago

    Simple, simple, simple, straight to the most basic point. Awesome.

  • @batuhanbatuhan6445
    @batuhanbatuhan6445 3 years ago

    I love theory videos the most

  • @OALABS
    @OALABS 6 years ago +5

    That's really cool! I totally want one 😺😺 ... Also nice PE overview : )

    • @cybercdh
      @cybercdh 6 years ago

      Definitely agree, I want!! I learned a few things here too, nice one Karsten.

  • @hassnainjaved7399
    @hassnainjaved7399 a year ago

    Kindly make another video on OS internals for malware.

  • @sleekbr7666
    @sleekbr7666 2 years ago

    This guy should cheer up. I mean smile bro.

  • @Legendofmudkip
    @Legendofmudkip 6 years ago +1

    Awesome video, thanks for making it!

  • @alipants429
    @alipants429 6 years ago

    Love your video! You're able to explain concepts extremely well for a novice. Thank you, keep up the great work :) I'm starting to learn malware RE because of your videos! :)
    I like how you use illustrations to reinforce ideas, a lot easier for some to see a visual representation of things!

  • @D_Tech_And_Trek
    @D_Tech_And_Trek 4 years ago

    How is MZ at offset 0x3C? Can someone explain? I see MZ at offset 0 in a hex editor.

  • @tinym00n
    @tinym00n 4 years ago

    Hi
    do you recommend any book or online course about PE structure, thanks.

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 4 years ago

      Sorry, I just read your comment, it seems it slipped through. The PE COFF documentation is the most important. It's not a tutorial, though. But it's how I learnt it: docs.microsoft.com/en-us/windows/win32/debug/pe-format
      If you write a simple PE parser, you will get the knack of it.

  • @andyandrw
    @andyandrw 6 years ago

    When people talk about storing information in EOF (crypters, for example), is it End of File? Specifically, where/which part of the file is it? I noticed some malware crypters preserve the end of file, what is this?
    Thanks

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 6 years ago

      Yes, they mean "End of File" with EOF. EOF crypters store the encrypted executable in the stub's overlay. That's quite easy for them to program because they simply append the data to the stub, most often preceded by some kind of marker to find the start of the data again.

    • @abandonedmuse
      @abandonedmuse 5 years ago

      Wait so anything that says EOF is malware files? I have seen this in my files.
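The overlay calculation from the reply earlier in the thread (the overlay starts where the last section's raw data ends), the advice to write a simple PE parser, the question about MZ versus offset 0x3C, and the EOF crypter reply above all come together in the following script. It is an added example, not code from the video or from its author: it reads the DOS header's e_lfanew field at offset 0x3C (the "MZ" signature itself is at offset 0), walks the section table as laid out in the Microsoft PE/COFF documentation linked in the comments, computes the overlay offset, and trims a run of appended zero bytes. The PE image it parses is constructed in memory by the build_sample() helper so the script runs offline; the "EOF!" marker and the 1000 zero bytes are made-up values standing in for a crypter's marker and for bloat. An overlay by itself is not a sign of malware: installers and Authenticode-signed executables carry one routinely.

```python
"""Walk a PE file's section table and locate the overlay.

Added example, not code from the video or its author. Header layouts follow
the Microsoft PE/COFF documentation; the sample image at the bottom is
constructed by hand (build_sample) so this runs offline.
"""
import struct

DOS_SIGNATURE = b"MZ"
NT_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Return e_lfanew, the end of the headers, and the sections as
    (name, PointerToRawData, SizeOfRawData) tuples."""
    if data[:2] != DOS_SIGNATURE:
        raise ValueError("no MZ signature at offset 0")
    # "MZ" sits at offset 0; offset 0x3C holds e_lfanew, the file offset of "PE\0\0".
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    file_header = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", data, file_header)
    table = file_header + FILE_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        # IMAGE_SECTION_HEADER: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4), then 16 bytes not needed here
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII16x", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return {"e_lfanew": e_lfanew,
            "headers_end": table + num_sections * SECTION_HEADER_SIZE,
            "sections": sections}


def overlay_offset(data: bytes) -> int:
    """The overlay begins where the last section's raw data ends. Sections need
    not appear in file order, so take the highest end; a file with zero
    sections falls back to the end of its headers."""
    pe = parse_pe(data)
    end = pe["headers_end"]
    for _name, raw_ptr, raw_size in pe["sections"]:
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))  # a truncated file has no overlay at all


def overlay(data: bytes) -> bytes:
    return data[overlay_offset(data):]


def strip_trailing_zeros(data: bytes) -> bytes:
    """Drop a run of 0x00 bytes appended after the overlay. This only removes
    bloat; the file itself cannot tell you where the original overlay ended."""
    start = overlay_offset(data)
    return data[:start] + data[start:].rstrip(b"\0")


OVERLAY_DATA = b"EOF!appended-data"  # constructed overlay with a toy marker
ZERO_BLOAT = b"\0" * 1000            # constructed padding appended after it


def build_sample() -> bytes:
    """Construct a toy PE image: DOS header, PE signature, file header, an
    all-zero 96-byte optional header, two sections, overlay, zero bloat."""
    e_lfanew, opt_size, align = 0x80, 96, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=I386, 2 sections, no symbols, SizeOfOptionalHeader, EXECUTABLE|32BIT
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    sec_text = struct.pack("<8sIIII16x", b".text", 0x200, 0x1000, 0x200, 1 * align)
    sec_data = struct.pack("<8sIIII16x", b".data", 0x100, 0x2000, 0x100, 2 * align)
    image = dos + NT_SIGNATURE + file_header + bytes(opt_size) + sec_text + sec_data
    image += bytes(align - len(image))   # pad headers up to the first section
    image += b"\xCC" * 0x200             # .text raw data
    image += b"\xAA" * 0x100             # .data raw data
    return bytes(image + OVERLAY_DATA + ZERO_BLOAT)


SAMPLE = build_sample()

if __name__ == "__main__":
    pe = parse_pe(SAMPLE)
    print(f"e_lfanew=0x{pe['e_lfanew']:x} sections={pe['sections']}")
    print(f"overlay starts at 0x{overlay_offset(SAMPLE):x}, {len(overlay(SAMPLE))} bytes")
    print(f"after stripping zeros: {len(strip_trailing_zeros(SAMPLE))} of {len(SAMPLE)} bytes")
```

Running the script prints the parsed section list, the overlay offset (0x500 for the constructed image) and the trimmed size. As the reply in the thread warns, the zero-stripping step cannot tell where the pre-bloat overlay ended, and a legitimately zero-terminated overlay loses those bytes too, so keep the trimmed copy beside the original rather than in place of it.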

  • @alinastechyshyn6410
    @alinastechyshyn6410 6 years ago

    If I want to view my exe file in hex and analyze it step by step following your video, what tool do I use for analysis?

  • @Vogel42
    @Vogel42 6 years ago +5

    Using a graphics tablet for illustration is a great idea.

  • @0x7FFFFFFFFFFF
    @0x7FFFFFFFFFFF 6 years ago

    Hi MW4HH, (sorry if you don't like my abbreviation :P) Do you think it is valuable to learn about PE files in great detail? For example, the OpenSecurityTraining 'Life of Binaries' course has over 50 videos and goes very in depth into the different fields within PE files. Is it possibly required learning before you can manually unpack malware?

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 6 years ago +2

      Hi, :)
      You certainly need to learn the basics, but not every detail of it. You should understand what imports, relocations and resources are. You should also understand the basic structure and some important fields of the headers. You need to know how sections are defined and how they are mapped to memory.
      But you don't need to know as much as someone who wants to build a PE parser.

  • @tukaramgundur4659
    @tukaramgundur4659 3 years ago

    Sir, can you explain non-PE?

  • @LearnThenTeach
    @LearnThenTeach 6 years ago

    Great explanations here!

  • @l3n693
    @l3n693 6 years ago

    Good job 👍, I'm sure this will help beginners get more into malware analysis and even overall reverse engineering.
    Remember to make a video on the IAT and EAT, since it's quite hard to find resources on that (and the ones out there are a bit confusing).

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 6 years ago +1

      Thanks. :)
      IAT & EAT: Yes, that's a good point. It is something I really struggled to understand back then.

    • @l3n693
      @l3n693 6 years ago

      MalwareAnalysisForHedgehogs Yea... the IAT was a true mess, the EAT I actually never messed with, although I heard that it's way easier.

  • @gliderhnr1633
    @gliderhnr1633 5 years ago

    Nice video. Keep going.

  • @virozz1024
    @virozz1024 3 years ago

    It's not a magic number in the DOS header; these are the initials of the guy who wrote this stub, Mark Zbikowski :)

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 3 years ago

      They are still called magic numbers. en.wikipedia.org/wiki/Magic_number_(programming)

  • @heccerda
    @heccerda 4 years ago +2

    that's the weirdest b I've seen in my life

  • @batuhanbatuhan6445
    @batuhanbatuhan6445 3 years ago

    Zero sections sounds like me

  • @cherifaly6757
    @cherifaly6757 6 years ago

    What's your mother language?