Chapter 1: Static analysis techniques

Common DLLs

| DLL | Description |
| --- | --- |
| Kernel32.dll | Core system functionality, such as access to and manipulation of memory, files, and hardware |
| Advapi32.dll | Access to advanced core Windows components such as the Service Manager and the Registry |
| User32.dll | All user-interface components, such as buttons, scroll bars, and controls, and the handling of user actions |
| Gdi32.dll | Functions for displaying and manipulating graphics |
| Ntdll.dll | The interface to the Windows kernel. An executable normally does not import this DLL directly; it is imported indirectly through Kernel32.dll. If an executable imports it directly, the author intended to use functionality that is not normally available to Windows programs. Tasks such as hiding functionality and manipulating processes use this interface |
| Wsock32.dll | Networking DLL. A program that imports it (or Ws2_32.dll) very likely connects to a network or performs network-related tasks |
| Ws2_32.dll | Same as Wsock32.dll |
| Wininet.dll | Higher-level networking functions that implement protocols such as FTP, HTTP, and NTP |
Sections of a Windows PE file

| Section | Description |
| --- | --- |
| .text | Contains the executable code |
| .rdata | Read-only data that is globally accessible within the program |
| .data | Global data that is accessible throughout the program |
| .idata | Sometimes present; stores the import function information. If this section is absent, the import information is stored in .rdata |
| .edata | Sometimes present; stores the export function information. If this section is absent, the export information is stored in .rdata |
| .pdata | Present only in 64-bit executables; stores exception-handling information |
| .rsrc | Resources needed by the executable |
| .reloc | Information for relocating library files |
Information in the PE file header

| Field | What it reveals |
| --- | --- |
| Imports | Which functions from which libraries the malware uses |
| Exports | Functions the malware expects to be called by other programs or libraries |
| Time stamp | When the program was compiled. The field is trivially forged, so treat it as a hint rather than proof |
| Sections | The names of the file's sections and their sizes on disk and in memory |
| Subsystem | Whether the program is a command-line or graphical (GUI) application |
| Resources | Strings, icons, menus, and other information embedded in the file |
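The three tables above describe what a static pass reads out of the PE header: section names and their disk/memory sizes, the compile timestamp, and the subsystem. The script below is an added example written for these notes (it is not code from the book) that walks those header fields with `struct` alone and applies the checks an analyst would make from them: non-standard section names, a section that occupies memory but has no bytes on disk (typical of a packer stub's target section), and a zero or future timestamp. The two input binaries are constructed in memory as hypothetical headers with no code behind them so the script runs offline; the section names, sizes and timestamps in them are made up for illustration. Pass `open(path, "rb").read()` to `parse_pe()` for a real file.

```python
"""Minimal PE header walk for static triage: sections (disk vs. memory size),
compile timestamp and subsystem. Added example, not the book's code; the sample
images below are constructed headers, not real binaries."""
import datetime
import struct

# IMAGE_SUBSYSTEM_* values from the PE/COFF specification.
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
# Section names listed in the notes above; anything else deserves a closer look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc"}

COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, OptSize, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...


def parse_pe(data):
    """Return timestamp, subsystem and section table parsed from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff_off = e_lfanew + 4
    (machine, nsec, stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    sec_off = opt_off + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, rsize, rptr,
         *_rest) = struct.unpack_from(SECTION_FMT, data, sec_off + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_offset": rptr,
        })
    return {
        "machine": machine,
        "timestamp": stamp,
        "compiled": datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc),
        "subsystem": SUBSYSTEMS.get(subsystem, "OTHER(%d)" % subsystem),
        "sections": sections,
    }


def triage(info, now):
    """Findings a static pass would note from the header alone. `now` is passed
    in rather than read from the clock so results are reproducible."""
    findings = []
    if info["timestamp"] == 0:
        findings.append("timestamp is zero (stripped or forged)")
    elif info["compiled"] > now:
        findings.append("timestamp is in the future (forged)")
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append("non-standard section name %r" % s["name"])
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append("section %r occupies 0x%x bytes in memory but none on "
                            "disk; a packer stub likely unpacks into it"
                            % (s["name"], s["virtual_size"]))
    return findings


def build_sample_pe(timestamp, subsystem, sections):
    """Construct a hypothetical PE32 header: DOS stub, COFF header, optional
    header, section table. No code or data bytes follow the headers."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after stub
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                    # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize,
                    0x1000 * (i + 1), rsize, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rsize) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


NOW = datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc)
# Constructed console program: standard sections, disk and memory sizes close.
PLAIN = build_sample_pe(0x5C2A0000, 3, [(".text", 0x1F00, 0x2000), (".rdata", 0x800, 0x800),
                                         (".data", 0x400, 0x200), (".rsrc", 0x1E0, 0x200)])
# Constructed UPX-style layout: first section empty on disk but large in memory,
# zeroed timestamp, GUI subsystem.
PACKED = build_sample_pe(0, 2, [("UPX0", 0x20000, 0), ("UPX1", 0x6000, 0x5800),
                                (".rsrc", 0x1000, 0x800)])

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("packed", PACKED)):
        info = parse_pe(blob)
        print(label, info["subsystem"], info["compiled"].isoformat())
        for s in info["sections"]:
            print("  %-8s mem=0x%06x disk=0x%06x" % (s["name"], s["virtual_size"], s["raw_size"]))
        for f in triage(info, NOW):
            print("  !", f)
```

The disk-versus-memory comparison is the one worth internalising: a packed sample typically has a section with `SizeOfRawData` of zero (or far smaller than `VirtualSize`) because the stub writes the real code there at run time, which is exactly why the notes list section sizes "on disk and in memory" as separate facts. Import and export parsing follows the same pattern via the data directories in the optional header and is left out here to keep the walk short.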
"Practical Malware Analysis" study notes (1)