Try it yourself
To try out the tools we have learned about, let's do some static analysis on ch4_2.exe. To help out, here's a list of what we need to find:
- File information:
  - file type
  - imported DLLs and APIs
  - text strings
  - file hash
- What the file does
Jumping right into getting file information, we will use TrID (http://mark0.net/soft-trid-e.html) to identify the file type. Execute the following line:
trid ch4_2.exe
The TrID result tells us that we have a 32-bit Windows executable file that is UPX packed.
Knowing that this is a UPX packed file, we can use the decompress feature of the UPX (https://upx.github.io/) tool to restore the file to its original form before it was packed. A packed file is a compressed executable that decompresses itself and then executes the original program at runtime. The primary purpose of a packer is to reduce the file size of an executable while retaining the program's original behavior. We will discuss packers in more detail in Chapter 10, Packing...
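As an added example (not code from the book), the static checks above can be scripted without TrID: read the PE headers to get the file type, look at the section names (UPX leaves UPX0/UPX1), hash the file, and pull printable strings. Since ch4_2.exe itself is not reproduced here, the script builds a constructed header-only stand-in; the sparse strings it yields illustrate why the real DLL and API list only becomes visible after unpacking.

```python
import hashlib
import re
import struct

def pe_info(data):
    """Return (file_type, section_names) from a PE buffer, or (None, []) if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None, []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None, []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    file_type = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown magic)")
    table = e_lfanew + 24 + opt_size          # IMAGE_SECTION_HEADER array, 40 bytes each
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return file_type, names

def is_upx_packed(section_names):
    # UPX names its sections UPX0/UPX1 (sometimes UPX2); a renamed section defeats this check.
    return any(n.startswith("UPX") for n in section_names)

def ascii_strings(data, min_len=4):
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    file_type, sections = pe_info(data)
    return {
        "file_type": file_type,
        "sections": sections,
        "upx_packed": is_upx_packed(sections),
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": ascii_strings(data),
    }

def build_sample():
    # Constructed stand-in for ch4_2.exe: headers only, not runnable, with UPX section names.
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 0xDE                 # PE32 magic, rest zeroed
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1", b".rsrc"))
    return dos + coff + opt + secs + b"LoadLibraryA\0GetProcAddress\0"

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against the real sample with `triage(open("ch4_2.exe", "rb").read())`; the section-name check is a heuristic, so treat TrID's signature match as the authoritative result.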