"Malicious Code Analysis Combat" (Practical Malware Analysis) study notes (1)

Source: Internet
Author: User

Chapter 1: Basic Static Techniques

Common DLLs (DLL / Description)

Kernel32.dll: Contains core system functionality, such as access to and manipulation of memory, files, and hardware.

Advapi32.dll: Provides access to advanced core Windows components, such as the Service Manager and the Registry.

User32.dll: Contains all user-interface components, such as buttons, scroll bars, and the controls that respond to user actions.

Gdi32.dll: Contains functions for displaying and manipulating graphics.

Ntdll.dll: The interface to the Windows kernel. Executables generally do not import this DLL directly, although it is always imported indirectly through Kernel32.dll. If an executable imports it directly, the author intended to use functionality that is not normally available to Windows programs; tasks such as hiding functionality and manipulating processes use this interface.

Wsock32.dll and Ws2_32.dll: Networking DLLs. A program that imports either of them very likely connects to a network or performs network-related tasks.

Wininet.dll: Contains higher-level networking functions that implement protocols such as FTP and HTTP.

Sections of a Windows PE file (Section name / Description)

.text: Contains the executable code.

.rdata: Contains read-only data that is globally accessible within the program.

.data: Contains global data that is accessible from anywhere in the program.

.idata: Sometimes present; stores the import function information. If this section is absent, the import information is stored in the .rdata section.

.edata: Sometimes present; stores the export function information. If this section is absent, the export information is stored in the .rdata section.

.pdata: Present only in 64-bit executables; stores exception-handling information.

.rsrc: Stores the resources needed by the executable.

.reloc: Contains the information needed to relocate the image (for example a library) when it cannot be loaded at its preferred base address.

Information in the PE file header (Field / What it reveals)

Imports: Which functions from other libraries the malware uses.

Exports: Functions in the malware that are meant to be called by other programs or libraries.

Time Date Stamp: When the program was compiled. The value is written by the linker and can be zeroed or forged at will, so treat it as a hint rather than evidence.

Sections: The names of the sections in the file and their sizes on disk and in memory. A section whose size on disk is 0 but whose size in memory is large is a classic sign of a packed file.

Subsystem: Whether the program is a console (command-line) or GUI application.

Resources: Strings, icons, menus, and other information embedded in the file.
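The three tables above describe what to read out of a PE header; the script below is an added example (not from the book or these notes) that actually does it with nothing but Python's struct module: it walks the DOS header, COFF header, optional header, section table and import directory, then applies three of the chapter's triage rules (zeroed timestamp, direct ntdll.dll import, section empty on disk but not in memory). Because a real binary cannot be embedded here, build_sample_pe() fabricates a tiny, deliberately suspicious PE32 as constructed input; the section and import contents of that sample are assumptions for illustration, not observations about any real file. In practice you would point parse_pe at bytes read from disk, or simply use pefile or PEview.

```python
"""Minimal PE header walker (added example, struct only): timestamp, subsystem,
sections and imports, plus a few chapter-1 triage checks. build_sample_pe()
fabricates the input; it is a constructed sample, not a real binary."""
import struct

SUBSYSTEMS = {2: "GUI", 3: "console"}  # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError("RVA %#x is not backed by any section" % rva)

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data):
    """Return timestamp, subsystem, section table and import table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    _, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset for PE32 and PE32+
    dd = opt + (112 if pe32plus else 96)                  # DataDirectory[]; entry 1 = imports
    import_rva = struct.unpack_from("<I", data, dd + 8)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
    imports = {}
    width, fmt, ord_flag = (8, "<Q", 1 << 63) if pe32plus else (4, "<I", 1 << 31)
    desc = rva_to_offset(import_rva, sections) if import_rva else None
    while desc is not None:                               # null-terminated IMAGE_IMPORT_DESCRIPTOR array
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        dll = read_cstr(data, rva_to_offset(name_rva, sections)).lower()
        thunk, funcs = rva_to_offset(oft or ft, sections), []  # ILT, or IAT if the ILT was stripped
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:                          # import by ordinal: no name to show
                funcs.append("ordinal#%d" % (entry & 0xFFFF))
            else:                                         # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                funcs.append(read_cstr(data, rva_to_offset(entry, sections) + 2))
            thunk += width
        imports[dll] = funcs
        desc += 20
    return {"pe32plus": pe32plus, "timestamp": tstamp,
            "subsystem": SUBSYSTEMS.get(subsystem, "other(%d)" % subsystem),
            "sections": sections, "imports": imports}

def triage(info):
    """Observations in the style of the chapter-1 tables."""
    notes = []
    if info["timestamp"] == 0:
        notes.append("compile timestamp is zero: scrubbed or never set by the linker")
    if "ntdll.dll" in info["imports"]:
        notes.append("imports ntdll.dll directly: " + ", ".join(info["imports"]["ntdll.dll"]))
    for s in info["sections"]:
        if s["rawsize"] == 0 and s["vsize"] > 0:          # empty on disk, filled at runtime: packer sign
            notes.append("section %s is empty on disk but %#x bytes in memory (packed?)" % (s["name"], s["vsize"]))
    return notes

def build_sample_pe():
    """Constructed sample: PE32 with .text, .rdata holding an import table, an
    empty-on-disk UPX0 section, a zeroed timestamp and a direct ntdll import."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # Machine=i386, 3 sections, TimeDateStamp=0, no symbols, 224-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)               # PE32 magic
    struct.pack_into("<H", img, opt + 68, 3)              # Subsystem: console
    struct.pack_into("<I", img, opt + 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 104, 0x2000, 0x3C)  # DataDirectory[1]: import table RVA, size
    sec = opt + 0xE0                                      # section table: name, vsize, va, rawsize, rawptr, flags
    for i, row in enumerate([(b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020),
                             (b".rdata", 0x200, 0x2000, 0x200, 0x400, 0x40000040),
                             (b"UPX0", 0x1000, 0x3000, 0, 0, 0xE0000080)]):
        struct.pack_into("<8sIIII", img, sec + 40 * i, *row[:5])
        struct.pack_into("<I", img, sec + 40 * i + 36, row[5])
    img[0x200] = 0xC3                                     # .text: a single RET
    def put(rva, blob):                                   # write into .rdata (RVA 0x2000 -> file 0x400)
        img[rva - 0x1C00:rva - 0x1C00 + len(blob)] = blob
    def by_name(s):                                       # IMAGE_IMPORT_BY_NAME with hint 0
        return b"\0\0" + s.encode() + b"\0"
    put(0x2000, struct.pack("<IIIII", 0x2040, 0, 0, 0x20A0, 0x2040))  # kernel32.dll descriptor
    put(0x2014, struct.pack("<IIIII", 0x2050, 0, 0, 0x20B0, 0x2050))  # ntdll.dll descriptor
    put(0x2040, struct.pack("<III", 0x2060, 0x2070, 0))               # kernel32 thunks
    put(0x2050, struct.pack("<II", 0x2080, 0))                        # ntdll thunks
    put(0x2060, by_name("CreateFileA"))
    put(0x2070, by_name("VirtualAlloc"))
    put(0x2080, by_name("NtUnmapViewOfSection"))
    put(0x20A0, b"kernel32.dll\0")
    put(0x20B0, b"ntdll.dll\0")
    return bytes(img)
```

Running parse_pe(build_sample_pe()) yields a console subsystem, a zero timestamp, the three sections, and imports of CreateFileA and VirtualAlloc from kernel32.dll plus NtUnmapViewOfSection from ntdll.dll; triage() then reports all three warnings. The parser deliberately follows OriginalFirstThunk when present and falls back to FirstThunk, because some linkers and packers leave the ILT empty; it does not handle bound or delay-load imports, which the chapter does not cover either.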

