I'm doing Windows malware research using machine learning methods. I read about the PE format, used dumpbin to extract data from PE files, and found that there are many parts in there, e.g. .idata .edata .pdata .data .rdata .sxdata .text .rsrc .tls... But not all of them are used for actions/behaviours. I only care about their behaviours, and I want to reduce the large amount of data before the next steps. Thanks
What do you mean by *behavior*? If you mean *what it does*, see the .text section, which has code. If you mean *what it uses*, see the .idata section, which has information about DLL imports. – ikh Mar 20 '17 at 06:31

@ikh Yes sir, I mean code, their actions, their business. And I find .rdata is the DLL import part. Is there something wrong here? The .text section has a large size of raw data, so I think you are right here. If you're sure, just correct me. Thanks – chickensoup Mar 20 '17 at 09:51

The .rdata section is for Read-only DATA and the .idata section is for DLL Import DATA. – ikh Mar 21 '17 at 06:32

@ikh Oh. I just found what you said in the PE/COFF spec from Microsoft. But the result their tool (dumpbin) gave me is a bit different. There is no .idata here. Here is the [dumpbin output when run on putty.exe](http://pastebin.com/0wEV5zEj). Or they just omit it and I misunderstood. – chickensoup Mar 21 '17 at 07:27
4 Answers
Since you are analyzing malware, you shouldn't be looking at the names of the sections. It is not difficult for a malware developer to change the names of the sections, and the MSVC compiler also allows you to create custom sections.
Instead, what you should do is look at the characteristics of the sections. By reading the IMAGE_SECTION_HEADER, you can see whether the section contains executable code or static data, whether it is writable, etc.

Oh. Thank you so much. Can you help me in more detail? I'm quite new to malware detection. It's just a graduation thesis. I haven't done any malware analysis before. Thanks – chickensoup Apr 05 '17 at 15:38

Please. Btw, I'm using dumpbin from Microsoft to extract features from PE files. I chose to use it because it can be called from my project. I need to create a malware detection demo. So please help me with this tool (dumpbin). – chickensoup Apr 05 '17 at 15:41

@chickensoup Sorry I didn't see your messages; if you ever have any questions about code injection etc., tag me in your comment. I'd be glad to help. – user2073973 Jul 18 '17 at 07:56
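As an added illustration of the point made in this answer (example code written for this page, not from the original post or any answerer), the following Python walks a PE file from the MZ stub to the IMAGE_SECTION_HEADER table and derives per-section features from the Characteristics bits rather than from the section name. The PE it builds is constructed for the demo and is not a real program; the section names `.text`, `.rdata` and `cst0m`, their sizes, and the `wx` and `grows_in_memory` feature thresholds are assumptions made for the example.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

CONTENT_BITS = [(IMAGE_SCN_CNT_CODE, "Code"),
                (IMAGE_SCN_CNT_INITIALIZED_DATA, "Initialized Data"),
                (IMAGE_SCN_CNT_UNINITIALIZED_DATA, "Uninitialized Data")]
PERM_BITS = [(IMAGE_SCN_MEM_EXECUTE, "Execute"),
             (IMAGE_SCN_MEM_READ, "Read"),
             (IMAGE_SCN_MEM_WRITE, "Write")]

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def describe(flags):
    """Render Characteristics the way dumpbin prints them, e.g. 'Code, Execute Read'."""
    kinds = [label for bit, label in CONTENT_BITS if flags & bit]
    perms = " ".join(label for bit, label in PERM_BITS if flags & bit)
    return ", ".join(kinds + ([perms] if perms else []))


def parse_section_headers(data):
    """MZ -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]      # SizeOfOptionalHeader
    table = file_hdr + 20 + opt_size
    if table + num_sections * SECTION_HEADER.size > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = \
            SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "size_of_raw_data": rawsize, "pointer_to_raw_data": rawptr,
                         "characteristics": flags})
    return sections


def section_features(data):
    """Per-section features taken from the flag bits; the name is carried along only as a label."""
    feats = []
    for s in parse_section_headers(data):
        f = s["characteristics"]
        feats.append({
            "name": s["name"],
            "code": bool(f & IMAGE_SCN_CNT_CODE),
            "execute": bool(f & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(f & IMAGE_SCN_MEM_WRITE),
            # writable and executable in one section is unusual for compiler output
            "wx": bool(f & IMAGE_SCN_MEM_EXECUTE) and bool(f & IMAGE_SCN_MEM_WRITE),
            # far more memory than bytes on disk hints at code unpacked at run time (4x is an assumed threshold)
            "grows_in_memory": s["virtual_size"] > 4 * max(s["size_of_raw_data"], 1),
            "flags": describe(f),
        })
    return feats


def code_sections(data):
    """Names of the sections that hold or execute code, whatever they are called."""
    return [s["name"] for s in section_features(data) if s["code"] or s["execute"]]


def build_sample_pe(sections):
    """Constructed minimal PE for the demo (not a real program): MZ stub with
    e_lfanew, PE signature, IMAGE_FILE_HEADER, zeroed PE32 optional header, table."""
    opt_size = 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, va, raw, ptr, 0, 0, 0, 0, flags)
                     for name, vsize, va, raw, ptr, flags in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_size) + table


# Constructed sample: an ordinary .text, a read-only .rdata, and a custom-named
# section that is writable+executable and almost empty on disk (packer-like).
SAMPLE_PE = build_sample_pe([
    (b".text", 0x522B9, 0x1000, 0x52400, 0x400, 0x60000020),
    (b".rdata", 0x1000, 0x54000, 0x1000, 0x52800, 0x40000040),
    (b"cst0m", 0x8000, 0x55000, 0x200, 0x53800, 0xE0000020),
])

if __name__ == "__main__":
    for s in section_features(SAMPLE_PE):
        print(s)
```

For real samples, read the file with `open(path, "rb").read()` and pass the bytes to `section_features`; the custom-named section is picked up as code because its Code and Execute bits are set, which is exactly the case a name-based filter would miss.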
I found an official doc from Microsoft. Just download the Word files there. I read that .text is the code section.

Another guide I found to be extremely helpful is https://win32assembly.programminghorizon.com/pe-tut1.html (you have to change the tut number in the URL, since there are no links on the page itself). – user2073973 Jul 18 '17 at 07:58
I figured it out thanks to @user2073973. He means the section has the word "Code" in its section header. Like this:
SECTION HEADER #1
.text name
522B9 virtual size
1000 virtual address (00401000 to 004532B8)
52400 size of raw data
400 file pointer to raw data (00000400 to 000527FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
He was right that not only the .text section has Code; custom-named sections also have Code there.
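Since the asker calls dumpbin from their own project, here is an added Python example (written for this page, not part of any answer) that parses the `dumpbin /HEADERS` text in the layout shown above: it picks up the section name, the hex `flags` value and the attribute words printed under it, and keeps a section when the Code bit (0x00000020) or the Execute bit (0x20000000) is set, so a renamed code section is still selected. The sample text is constructed in dumpbin's format (the section name `mysect` is invented, and the lines between `name` and `flags` are trimmed for sections 2 and 3); `run_dumpbin` assumes `dumpbin.exe` is on PATH, as in a Visual Studio developer prompt.

```python
import re
import subprocess

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Constructed sample in the layout of `dumpbin /HEADERS` output (not a real dump).
SAMPLE_DUMPBIN = """\
FILE HEADER VALUES
             14C machine (x86)
               3 number of sections

SECTION HEADER #1
   .text name
   522B9 virtual size
    1000 virtual address (00401000 to 004532B8)
   52400 size of raw data
     400 file pointer to raw data (00000400 to 000527FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
  .rdata name
    1000 virtual size
    1000 size of raw data
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #3
  mysect name
    8000 virtual size
     200 size of raw data
E0000020 flags
         Code
         Execute Read Write

  Summary

        1000 .rdata
       53000 .text
"""

_BLOCK = re.compile(r"SECTION HEADER #(\d+)(.*?)(?=SECTION HEADER #|\Z)", re.S)
_NAME = re.compile(r"^[ \t]*(\S+) name[ \t]*$", re.M)
_FIELD = re.compile(r"^[ \t]*([0-9A-Fa-f]+) (virtual size|size of raw data|flags)[ \t]*$", re.M)
_FLAGS_LINE = re.compile(r"^[ \t]*[0-9A-Fa-f]+ flags[ \t]*$", re.M)


def parse_dumpbin_headers(text):
    """One dict per SECTION HEADER block; other dumpbin output (file header, summary) is ignored."""
    sections = []
    for m in _BLOCK.finditer(text):
        body = m.group(2)
        name = _NAME.search(body)
        flags_line = _FLAGS_LINE.search(body)
        if not name or not flags_line:
            continue
        fields = {label: int(value, 16) for value, label in _FIELD.findall(body)}
        # attribute words dumpbin prints under the flags line, up to the first blank line
        attrs = []
        for ln in body[flags_line.end():].splitlines()[1:]:
            ln = ln.strip()
            if not ln:
                break
            attrs.append(ln)
        flags = fields["flags"]
        sections.append({
            "index": int(m.group(1)),
            "name": name.group(1),
            "virtual_size": fields.get("virtual size"),
            "raw_size": fields.get("size of raw data"),
            "flags": flags,
            "attrs": attrs,
            "code": bool(flags & IMAGE_SCN_CNT_CODE),
            "execute": bool(flags & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def code_sections_from_dumpbin(text):
    """Sections worth keeping for behaviour features: the flag bits, not the name, say 'code'."""
    return [s["name"] for s in parse_dumpbin_headers(text)
            if s["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)]


def run_dumpbin(path, dumpbin="dumpbin"):
    """Run `dumpbin /HEADERS <path>` and parse it (assumes dumpbin is on PATH)."""
    proc = subprocess.run([dumpbin, "/HEADERS", path], capture_output=True, text=True, check=True)
    return parse_dumpbin_headers(proc.stdout)


if __name__ == "__main__":
    for s in parse_dumpbin_headers(SAMPLE_DUMPBIN):
        print(s["name"], hex(s["flags"]), s["attrs"])
    print("code sections:", code_sections_from_dumpbin(SAMPLE_DUMPBIN))
```

Decoding the hex `flags` value is preferable to searching the text for the word "Code": the number is what the loader uses, and the wording dumpbin prints next to it can change between toolset versions.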
If you're looking for a PowerShell DLL lister, here's a good one:
<#
.SYNOPSIS
    Gets the DLLs loaded by processes on the system.
.DESCRIPTION
    Gets the modules (DLLs) of one process, of the processes with a given name
    or ID, or of every process; can filter by module name and to unsigned only.
.EXAMPLE
    Get-Dll -ProcessName Notepad
.EXAMPLE
    Get-Dll -ModuleName mydll.dll
#>
function Get-Dll
{
    # A default set is needed: otherwise a call that passes only -ModuleName
    # (or nothing) cannot be resolved to one of the three parameter sets.
    [CmdletBinding(DefaultParameterSetName="Process")]
    param(
        # The process to get the DLLs of
        [Parameter(ValueFromPipeline=$true, ParameterSetName="Process")]
        [System.Diagnostics.Process]$Process,
        # The process name to get the DLLs of
        [Parameter(ValueFromPipeline=$true, ParameterSetName="ProcessName")]
        [String]$ProcessName = "",
        # The process ID to get the DLLs of
        [Parameter(ValueFromPipeline=$true, ParameterSetName="ProcessId")]
        [Int]$ProcessId = 0,
        # The module name to search for
        [Parameter()]
        [String]$ModuleName,
        # Whether to return only unsigned modules
        [Parameter()]
        [Switch]$Unsigned
    )
    Begin {
        # Accumulators live in the function scope, which Begin/Process/End share
        $Modules = @()
        $Processes = @()
    }
    Process {
        if ($null -ne $Process)
        {
            $Modules += $Process.Modules
        }
        elseif (-not [String]::IsNullOrEmpty($ProcessName))
        {
            $Modules += Get-Process -Name $ProcessName | Select-Object -ExpandProperty Modules
        }
        elseif ($ProcessId -ne 0)
        {
            $Modules += Get-Process -Id $ProcessId | Select-Object -ExpandProperty Modules
        }
        elseif (-not [String]::IsNullOrEmpty($ModuleName))
        {
            # Module name alone: report the processes that have it loaded
            $Processes = Get-Process | Where-Object { ($_.Modules).ModuleName -contains $ModuleName }
        }
        else
        {
            $Modules += Get-Process | Select-Object -ExpandProperty Modules
        }
    }
    End {
        # @() so a single matching process also counts as one
        if (@($Processes).Count -gt 0)
        {
            $Processes
            return
        }
        if (-not [String]::IsNullOrEmpty($ModuleName))
        {
            $Modules = $Modules | Where-Object { $_.ModuleName -eq $ModuleName }
        }
        if ($Unsigned)
        {
            # Built-in Authenticode check instead of the PoshInternals helper the
            # original used; anything not 'Valid' (unsigned, bad hash, untrusted chain) is kept
            $Modules = $Modules | Where-Object {
                (Get-AuthenticodeSignature -FilePath $_.FileName).Status -ne 'Valid'
            }
        }
        $Modules
    }
}
Site: PowerShell Gallery