Pestudio malware
I meant to write this post a long time ago, but life got crazy and my job got far less technical. I thought it would be a good idea to come back around now that I am transitioning back into a technical role. It is also a great opportunity to work with the updated version of PeStudio, as there have been some amazing changes to the program in the past 12 months. This tool is a must-have in every Incident Responder's toolbox. Windows binaries are packed in a format called Portable Executable, or PE. I wrote a short blog post about PE files in my first blog post last year.

Sometime in the future I will go through how I perform some basic surface and runtime analysis of PE files. Incident responders are often brought into situations where some sort of portable executable was downloaded onto a host and executed. Some of the questions asked by the incident responders are "What does it do?", "Is it malicious?", and lastly "Did it execute?".

There are two basic types of analysis an incident responder can do quickly to answer those questions. We can do some basic surface analysis of the file; it can also be called property analysis. This is where we statically identify the properties of a file, such as the hash value, strings, and library imports, to draw some conclusions based on our past experience and research. If a file contains an IP address "1.2.3.4" and contains imports for ws2_32.dll, then we can probably make an assumption that the sample is going to create a socket to the aforementioned IP address. No reverse engineering is necessary to identify this. We can also do searches for the hash on popular malware sites, such as, to see if the sample has been analyzed. Or we can use the library imports to help identify some problems the PE file may give us during runtime analysis. If it imports IsDebuggerPresent(), then we can easily assume that the file is aware of being debugged. There are a thousand examples of this type of logic which just takes hands-on work and liberal use of to learn. PeStudio is an amazing all-in-one surface analysis tool for Portable Executables.

PeStudio is a Windows application; I have never tried to run it in Wine.
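As an added example (not code from this post and not PeStudio's own), here is the property-analysis logic described above written out as a small Python script: it checks the MZ and PE signatures, reads the COFF file header, hashes the file for lookup on public malware sites, pulls printable strings, and applies the two heuristics from the text (ws2_32.dll together with an IP literal, and IsDebuggerPresent). The input is a constructed PE-shaped blob, not an executable and not a real sample, and import names are taken from the file's ASCII strings rather than a full walk of the import directory, which is a reasonable first pass for surface analysis but not a substitute for a proper PE parser.

```python
"""Surface (property) analysis of a PE-shaped byte string: header facts, hash,
strings, and the import-name / IP-literal heuristics described in the post.
Added example; not code from the original post or from PeStudio."""
import hashlib
import re
import struct

# IMAGE_FILE_HEADER.Machine values we label; anything else is reported as hex.
MACHINES = {0x014C: "x86 (I386)", 0x8664: "x64 (AMD64)", 0xAA64: "ARM64"}

# Import names whose presence alone supports a conclusion during property analysis.
NOTABLE_IMPORTS = {
    "ws2_32.dll": "Winsock: sample can open network sockets",
    "IsDebuggerPresent": "debugger-aware: expect anti-debugging during runtime analysis",
}


def build_sample() -> bytes:
    """Constructed input: a minimal PE-shaped blob (headers plus a few embedded
    strings). It is not an executable and not a real malware sample."""
    dos = bytearray(b"MZ" + b"\x00" * 58)        # 60 bytes of IMAGE_DOS_HEADER ...
    dos += struct.pack("<I", 0x40)                # ... then e_lfanew at 0x3C -> 0x40
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x5A0B1C2D, 0, 0, 0xE0, 0x0102)
    body = b"\x00" * 16
    body += b"kernel32.dll\x00IsDebuggerPresent\x00ws2_32.dll\x00connect\x00send\x00"
    body += b"http://1.2.3.4/update\x00" + b"\x00" * 16
    return bytes(dos) + b"PE\x00\x00" + coff + body


def is_pe(data: bytes) -> bool:
    """True if the MZ stub points at a valid 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parse_file_header(data: bytes) -> dict:
    """Read the COFF file header that follows the PE signature."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": MACHINES.get(machine, hex(machine)),
            "sections": nsections, "timestamp": timestamp}


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable-ASCII runs, the same view a strings tool gives."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_ipv4(strings: list) -> list:
    """Dotted-quad literals inside the strings, with octets range-checked."""
    pat = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")
    found = []
    for s in strings:
        for ip in pat.findall(s):
            if all(int(o) <= 255 for o in ip.split(".")) and ip not in found:
                found.append(ip)
    return found


def analyze(data: bytes) -> dict:
    """Property analysis: facts first, then the conclusions the post draws from them."""
    if not is_pe(data):
        raise ValueError("not a PE file")
    strings = extract_strings(data)
    lowered = {s.lower() for s in strings}
    # Import names live in the binary as ASCII strings; this is a string match,
    # not a walk of the import directory.
    imports = [name for name in NOTABLE_IMPORTS if name.lower() in lowered]
    ips = find_ipv4(strings)
    findings = [NOTABLE_IMPORTS[name] for name in imports]
    if "ws2_32.dll" in imports and ips:
        findings.append("likely socket to " + ", ".join(ips))
    return {"sha256": hashlib.sha256(data).hexdigest(),  # value to search on malware sites
            "header": parse_file_header(data),
            "notable_imports": imports,
            "ipv4_literals": ips,
            "findings": findings}


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key}: {value}")
```

To run it against a real file, replace `build_sample()` with the bytes read from disk; the header fields and hash are then ready to compare with what PeStudio shows, and the findings list is the set of conclusions you would write up before any runtime analysis.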