0

So this is an intro class I am taking in reverse engineering.

So I have two files that are the same program and one is supposed to have a trojan in it.

I looked at both files and have found some very odd things. However, I don't have reasons as to why it would happen.

  1. The PE header is different. In one file in the DOS header the PE header is located at offset F0 and the other at F8. Why? I don't really understand. Why would someone change the PE header by 8 bytes?
  2. I noticed the code entry points are different too. Does this mean that the start of the program is jumping else where meaning both programs are running from different locations.
  3. I noticed all of the RVA's for say the export or import table have increased or shifted up higher. I assume this is because the PE header shifted by 8 bytes, therefore everything else in the file will shift up too.
  4. The size of code value is different, as I found one file is a bit larger than the other. The time stamps are different too meaning that the file must have been edited.
  5. One of the files has the import symbol execve, while the other does not. I don't know what this symbol does?

Lastly, I think 1 of the export symbols has jumps and such, that the other does not have. Meaning that it is doing something it shouldn't be doing.

Anyway, these are some observations I have noticed. I just need help making sense of what these observations might mean.

Thanks.

A Noob reverse engineer.

cf-
  • 8,598
  • 9
  • 36
  • 58
user3419132
  • 21
  • 1
  • 2
  • Well, that's how a virus is supposed to work. Change your programs entry point to execute it's own code and after that execute the original code. – ToBe Mar 14 '14 at 09:21

1 Answers1

1

hopefully this will clear some things up.

I noticed the code entry points are different too. Does this mean that the start of the program is jumping else where meaning both programs are running from different locations.

Ok the change in the code entry points can clearly indicate that the code has been tampered with and often means that the malicious code will be called on entry and then the malicious code will run the normal code there-after. This is done so that the user does not notice the application has been tampered with.

The size of code value is different, as I found one file is a bit larger than the other. The time stamps are different too meaning that the file must have been edited.

The change in size can also indicate that there is malicious code in the executable because executables are not supposed to grow (I don't know you are feeding yours).

One of the files has the import symbol execve, while the other does not. I don't know what this symbol does?

As for execv, please see _execv, _wexecv MSDN

Keagan Ladds
  • 458
  • 3
  • 15