All Questions tagged with pe static-analysis
9 questions
1 vote, 2 answers, 231 views
Lifting exported function instructions in PE files
I am trying to automate analysis of instructions within exported functions for a .DLL and need to be able to lift the first few instructions for the entry point of each exported function statically ...
2 votes, 1 answer, 614 views
How to restore IAT?
I have the start address and the end address of the IAT; now I'm trying to restore the table/folder of it.
The start address is: E7C000
Thanks for helping
0 votes, 1 answer, 94 views
What do BYTES_REVERSED_HI and BYTES_REVERSED_LO in a PE signify?
How can these PE attributes be used to identify malware?
I was going through a paper (link); at page 10 he mentioned:
"BYTES_REVERSED_HI and BYTES_REVERSED_LO both make ideal candidates as a primary ...
1 vote, 1 answer, 4k views
Resolving DLL function names using ordinals
I am trying to figure out how to get the imports of a PE using the pefile Python project (https://github.com/erocarrera/pefile).
One thing special about that library is the ordlookup folder.
It looks ...
4 votes, 1 answer, 325 views
Weird names in import table
I'm trying to do a static analysis of a PE file to see what it does.
While doing so, I stumbled upon some really weird function names in my objdump:
DLL Name: msvcrt.dll
vma: Hint/Ord Member-Name ...
3 votes, 1 answer, 2k views
Is the magic number important?
While checking the PE header of DLLs and EXEs with PEviewer, I found something called "magic number".
After googling "magic number", I found that it is used to determine the file type. My question ...
2 votes, 3 answers, 6k views
How to figure out which imported function(s) in a virus determine its behaviour?
I want to know how to find the functions which are interesting in malware tools.
For example, I have a sample of an unknown virus (this sample is lab01-01.exe in the book Practical Malware Analysis, lab1-...
5 votes, 2 answers, 5k views
Extracting files from the Google Chrome offline installer
I'm trying to extract the files from the Google Chrome offline installer as a reverse engineering exercise.
So I tried extracting the data inside the installer PE. I tried pestudio, which showed me two ...
9 votes, 1 answer, 578 views
Loading Windows executable - unexpected data appended at beginning of sections after loading in memory
A few days after asking the question I realised I had misinterpreted my original findings. It seems the .rdata section on file is copied directly to memory, but then the first 36 bytes are overwritten by the loader ...