All Questions
Tagged with pe binary-analysis
16 questions
2 votes, 0 answers, 58 views
How to obtain import name from disassembled assembly
I'm trying to create my own tools for reverse engineering PE files. I have some assembly code that I fetched from a clone of objdump for a program. Sometimes I see call instructions such as:
callq *...
0 votes, 0 answers, 58 views
IDAPython NtCreateFile
Let's say I want to print the filenames on every call to NtCreateFile
(with %any% exe loaded in IDA).
The first problem is to get the ntdll!NtCreateFile address
Tried to do it like this ...
0 votes, 1 answer, 163 views
IDAPython, parse IDA DB as PE file [duplicate]
I have a buffer loaded into IDA with IDAPython in a custom loader script. I want it now to be parsed as a PE, or in fact, it would be better if IDA would try to reparse it as a PE. Is it possible ...
1 vote, 2 answers, 5k views
How to find the file address of AddressOfEntryPoint
I have a binary file, and in the optional header I have the address of the entry point, 0x00011046, but when I open the file in a hex editor this address doesn't exist; more than that, 0x000097f0.
I ...
1 vote, 0 answers, 44 views
PE Format - How can I delete IMAGE_IAT_DIRECTORY and the app still runs fine?
I'm doing some small research regarding PE files, and while I drilled through every related question and the documentation itself, I couldn't explain this issue.
Why can I go to CFF explorer or some other PE ...
3 votes, 1 answer, 274 views
Importance of learning file structures for reverse engineering?
I'm new to reverse engineering and I have started to study the anatomy of specific file formats, specifically PE right now. I really enjoy learning the different parts of the files and the different ...
0 votes, 1 answer, 139 views
How to determine number and/or boundaries of linked object files in a PE generated by Visual Studio 6?
In this analysis of a Portable Executable linked using Microsoft Linker (6.0), down in the Imported Objects section, the website makes some very specific claims:
3 .OBJ Files (COFF) linked with LINK....
1 vote, 1 answer, 4k views
How to convert Unexplored data in IDA Pro to code?
I am analyzing a malware sample; it has a lot of confusing methods. I wrote an IDC script to remove the confusion, using the MakeCode() function to convert some unexplored data into code, but there are still some ...
2 votes, 2 answers, 1k views
Wrong RVA values inside IMAGE_IMPORT_DESCRIPTOR
I load the entire PE into an std::vector<Byte> fileContent using std::fstream.
Then I obtain the executable's dos header:
IMAGE_DOS_HEADER* imageDosHeader = (IMAGE_DOS_HEADER*)fileContent.data(...
1 vote, 1 answer, 886 views
bypassing anti-VM inside protected samples
This is a good starting point.
As you know:
Sandboxes and virtual environments (hypervisors) are full of artifacts that betray their analysis environment. Malware can protect itself against these by ...
7 votes, 2 answers, 18k views
Import table vs Import Address Table
What's the difference between the Import Table and the Import Address Table?
0 votes, 1 answer, 155 views
How can I tell if a virus was made by Russians? [closed]
I have been looking around quite a bit on the internet for something that could tell me more than basic section on a binary.
I have a PE file and usually I see just what compiled it (MSVS or GCC ... ...
6 votes, 1 answer, 546 views
Difference between Win7 and Win8 PE loader?
Is it known what the differences between the Windows 7 and Windows 8 PE loaders are?
I'm trying to hand-craft a simple executable PE image file. It runs well in Windows 7, but is rejected by Windows 8....
6 votes, 1 answer, 7k views
Get section's names and headers for a file using C++
I'm implementing software for performing some PE classification. Among the feature values I'm gathering from each PE are the number of sections, the names of the sections, and the image section headers.
I have ...
1 vote, 2 answers, 1k views
Extract driver from PE [closed]
My exact question sounds like:
Are there any tools for automated resource extraction, such as extracting a driver or executable to a ready-to-go .sys or .exe/.msi?
I googled several ways, but they haven't ...