
🎥 Analyzing Portable Executable Files with PEStudio 

Dr Josh Stroschein - The Cyber Yeti
17K views

Malware authors routinely deliver malware using the portable executable (PE) file format. This is a binary file format that stores executable code, along with the resources and other data that the Microsoft Windows operating system needs in order to load and execute it. In this session, we'll take a look at the PE file format and how you can analyze it using PEStudio. We'll cover the basics of the file format, make sense of the data it contains and discuss complications that you may encounter. This will be the beginning of a series in which we'll take a deep dive into the PE file format, so make sure you subscribe to get notified of the next session!

Science

Published: 27 Apr 2022

Comments: 26

@Manavetri, 9 months ago
One of the most professional, clearest RU-vidrs I have ever heard. I appreciate your commitment to sharing your knowledge. Thank you
@jstrosch, 9 months ago
You are very welcome, thank you for the kind words!
@jyotigaur242, 2 years ago
Thank you Josh for this video
@jstrosch, 2 years ago
My pleasure! Thank you for the comment :)
@daeheeyoun3026, 1 year ago
Thank you so much
@jstrosch, 1 year ago
You're very welcome!
@mmm-me4kk, 1 year ago
Hello Josh, thank you very much. Quick question, can you consider the "functions" section as the IAT?
@jstrosch, 1 year ago
Yes, the functions and imports are just mapping the IAT from the file.
@digitalblue8158, 2 years ago
Following your tutorial, I'm a budding security analyst. Some hotlinks to your resources would be helpful. Thanks for the thorough explanations
@jstrosch, 2 years ago
Really glad to hear the explanations have been helpful! I've been hesitant to drop links in the video description because I've received strikes against my account if something flags that content as malicious, which is often the case when I link to tools, etc. I'll try again and maybe even add some links that can't be parsed programmatically but visually. Feel free to DM me as well on LinkedIn or Twitter if I can help with specific questions.
@amadoumane7600, 9 months ago
GREAT
@jstrosch, 9 months ago
Glad you liked it :)
@TRYEYTSG, 1 year ago
Hey, when I open PEStudio I can see only 3 categories, any idea why? Indicators, VirusTotal, strings, and not much information
@jstrosch, 1 year ago
Usually that is due to the file you are opening not being a PE file. PEStudio will still provide limited information, as you point out, for non-PE files, but it is really designed for those file types. If you are unsure, you can open a terminal on a Mac or Linux and use the file utility; output along the lines of "PE32..." are the files you are after. Let me know if this helps!
@sscoconut1265, 8 months ago
Why does my hex editor show the offset to the next section being 00 10 00 00 instead of F8 00 00 00?
@jstrosch, 8 months ago
That is the offset to the image_nt_headers; it will be different between PE files. I can't say for sure why it's not consistent, but it won't be. You'll see a variety of values here. That is why that value is read, then added to the beginning of the file to locate that section, instead of just locating image_nt_headers without referencing it.
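The two exchanges above (the "only 3 categories" question and the e_lfanew question) describe the same check: read the DWORD at offset 0x3C of the DOS header, add it to the start of the file, and expect the `PE\0\0` signature there. The following script is an added illustration, not code from the video, from PEStudio or from the commenters. It follows e_lfanew exactly as described, refuses input that lacks the MZ or PE signatures (the situation in which PEStudio falls back to its limited view), and prints a `file`-style summary of the COFF header. The sample bytes it parses are constructed in the script itself, with e_lfanew set to 0xF8 and 0x1000 to match the two values discussed; the field layout follows the public PE/COFF specification.

```python
import struct

# Constants from the PE/COFF specification (constructed demo, not PEStudio's code).
E_LFANEW_OFFSET = 0x3C            # DWORD in IMAGE_DOS_HEADER holding the offset of IMAGE_NT_HEADERS
DOS_MAGIC = b"MZ"                 # IMAGE_DOS_SIGNATURE
NT_SIGNATURE = b"PE\0\0"          # IMAGE_NT_SIGNATURE
FILE_HEADER_FMT = "<HHIIIHH"      # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
                                  # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)   # 20 bytes
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def locate_nt_headers(data: bytes) -> int:
    """Follow e_lfanew from the DOS header and return the file offset of IMAGE_NT_HEADERS.

    Raises ValueError when the bytes are not a PE file, i.e. the case in which
    PEStudio shows only a handful of categories.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        raise ValueError("no MZ signature: not a DOS/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # e_lfanew differs from file to file, so it must be read and used, never assumed.
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise ValueError(f"e_lfanew 0x{e_lfanew:X} points past the end of the file")
    if data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError(f"no PE signature at 0x{e_lfanew:X}: MZ stub without NT headers")
    return e_lfanew


def describe_pe(data: bytes) -> dict:
    """Summarise the COFF header the way a `file`-style check would ("PE32+ x86-64 DLL")."""
    nt = locate_nt_headers(data)
    machine, nsec, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from(FILE_HEADER_FMT, data, nt + 4)
    opt_off = nt + 4 + FILE_HEADER_SIZE          # IMAGE_OPTIONAL_HEADER starts right after the file header
    fmt = "unknown"
    if opt_size >= 2 and opt_off + 2 <= len(data):
        (magic,) = struct.unpack_from("<H", data, opt_off)
        fmt = OPTIONAL_MAGIC.get(magic, f"unknown magic 0x{magic:X}")
    return {
        "nt_headers_offset": nt,
        "format": fmt,
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})"),
        "sections": nsec,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def is_pe(data: bytes) -> bool:
    """True only when both the MZ and PE\\0\\0 signatures check out."""
    try:
        locate_nt_headers(data)
        return True
    except ValueError:
        return False


def build_sample_pe(e_lfanew: int, machine: int, nsections: int = 2, dll: bool = False) -> bytes:
    """Construct a minimal, non-executable PE header image for the demo (constructed data)."""
    opt_off = e_lfanew + 4 + FILE_HEADER_SIZE
    buf = bytearray(opt_off + 2)                 # just enough room for the optional header magic
    buf[0:2] = DOS_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = NT_SIGNATURE
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)   # IMAGE_FILE_EXECUTABLE_IMAGE, optionally DLL
    struct.pack_into(FILE_HEADER_FMT, buf, e_lfanew + 4, machine, nsections, 0, 0, 0, 2, chars)
    struct.pack_into("<H", buf, opt_off, 0x20B if machine == 0x8664 else 0x10B)
    return bytes(buf)


if __name__ == "__main__":
    # e_lfanew = 0xF8 (as seen in the video) and 0x1000 (the "00 10 00 00" from the comment above).
    for sample in (build_sample_pe(0xF8, 0x014C), build_sample_pe(0x1000, 0x8664, dll=True)):
        print(describe_pe(sample))
    print(is_pe(b"#!/bin/sh\necho not a PE\n"))
```

Running it on a real file is a matter of passing `open(path, "rb").read()` to `describe_pe`; a ValueError is the scripted equivalent of `file` not printing "PE32", and of PEStudio showing only its generic categories.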
@kumarsiddappa6118, 1 year ago
Any sample PE file to analyze?
@jstrosch, 9 months ago
Any PE file will suffice, that is, a file in Windows with a .exe extension. I've also added the compiled binaries to my "Learning Reverse Engineering" repository on GitHub, so you can download those as well.
@trens, 2 years ago
Have you seen Malcat?
@jstrosch, 2 years ago
I have heard of it, but haven't had a chance to take a look. Looks really impressive from the website, will definitely check it out soon and maybe even make a video... Thanks for the tip!
@maritoguionyo, 2 years ago
Oi
@jstrosch, 2 years ago
👋
@omarhabibi4872, 2 years ago
Thank you so much
@jstrosch, 2 years ago
You're welcome, thank you for the comment!
@jstrosch, 2 years ago
You're most welcome!