🎯 Lab Objectives
- Practical understanding of PE format
- Identifying important characteristics
- Identifying suspicious signs
📦 Part 1: Analysis with PE-bear
Choose any EXE file (recommended: notepad.exe or any normal program).
Task 1.1 - DOS Header
Open the file in PE-bear and find:
- What is the Magic Number? (should be MZ = 0x5A4D)
- What is the value of e_lfanew?
- What is at that offset? (should be PE)
Task 1.2 - File Header
In the File Hdr tab, find:
- Machine: 0x14C (i386) or 0x8664 (AMD64)?
- NumberOfSections: how many sections are there?
- TimeDateStamp: when was the file created?
- Characteristics: is this an EXE or DLL?
Task 1.3 - Optional Header
Find the following values:
- Magic: 0x10B (PE32) or 0x20B (PE32+)?
- AddressOfEntryPoint: what is the RVA of the entry point?
- ImageBase: what is the preferred loading address?
- Subsystem: GUI (2) or Console (3)?
💡 Calculating Entry Point Address
The real address = ImageBase + AddressOfEntryPoint
For example:
ImageBase = 0x00400000
EntryPoint RVA = 0x00001000
Real address = 0x00401000
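The header walk the three tasks above perform by hand in PE-bear (e_magic, e_lfanew, PE signature, File Header, Optional Header, then ImageBase + AddressOfEntryPoint) can be reproduced with a few `struct` calls. The following is an added example, not part of the lab or of PE-bear: it builds a constructed PE32 header blob in memory (the byte values are invented, not taken from notepad.exe) and parses it with a hand-written reader rather than the `pefile` library used in the Bonus section. The reader also handles the PE32+ case, where ImageBase is an 8-byte field at a different offset.

```python
import struct

# Constructed sample (not a real executable): DOS header, PE signature, COFF file
# header and the first 72 bytes of a PE32 optional header, laid out exactly like the
# on-disk IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32 structures.
E_LFANEW = 0x40  # where "PE\0\0" will start (arbitrary choice, must be >= 64)

# IMAGE_OPTIONAL_HEADER32 up to DllCharacteristics: 24 fields, 72 bytes, little-endian
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH"


def build_sample_headers() -> bytes:
    dos = bytearray(64)                          # IMAGE_DOS_HEADER is 64 bytes
    dos[0:2] = b"MZ"                             # e_magic = 0x5A4D
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)  # e_lfanew
    file_header = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: i386
        3,           # NumberOfSections
        0x5F000000,  # TimeDateStamp (constructed value, mid-2020)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader for PE32
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE (no DLL bit)
    )
    optional = struct.pack(
        OPT32_FMT,
        0x10B, 14, 0,          # Magic: PE32, MajorLinkerVersion, MinorLinkerVersion
        0x1000, 0x1000, 0,     # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000,                # AddressOfEntryPoint (RVA)
        0x1000, 0x2000,        # BaseOfCode, BaseOfData
        0x00400000,            # ImageBase
        0x1000, 0x200,         # SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,      # OS / image / subsystem version pairs
        0, 0x4000, 0x400, 0,   # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0x8140,             # Subsystem: console (3), DllCharacteristics
    )
    padding = bytes(E_LFANEW - len(dos))         # DOS stub area, zero-filled here
    return bytes(dos) + padding + b"PE\0\0" + file_header + optional


def parse_headers(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> NT headers, as Tasks 1.1 to 1.3 do in PE-bear."""
    if data[0:2] != b"MZ":
        raise ValueError(f"bad DOS magic: {data[0:2]!r}")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                            # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, timestamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                 # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, oh)
    (entry_rva,) = struct.unpack_from("<I", data, oh + 16)
    # ImageBase is a 4-byte field at +28 in PE32, but an 8-byte field at +24 in
    # PE32+ (which has no BaseOfData). Subsystem sits at +68 in both layouts.
    if magic == 0x10B:
        (image_base,) = struct.unpack_from("<I", data, oh + 28)
    elif magic == 0x20B:
        (image_base,) = struct.unpack_from("<Q", data, oh + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (subsystem,) = struct.unpack_from("<H", data, oh + 68)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "is_dll": bool(chars & 0x2000),          # IMAGE_FILE_DLL
        "magic": magic,
        "entry_rva": entry_rva,
        "image_base": image_base,
        "subsystem": subsystem,
        "entry_va": image_base + entry_rva,      # the formula from the box above
    }


if __name__ == "__main__":
    for key, value in parse_headers(build_sample_headers()).items():
        print(f"{key:>20}: {value:#x}" if type(value) is int else f"{key:>20}: {value}")
```

Point `parse_headers` at the bytes of a real file (`open("notepad.exe", "rb").read()`) and the printed values should match the PE-bear tabs field for field; if the magic or signature check raises, the file is not a PE image and the tool was right to refuse it.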
📦 Part 2: Analyzing Sections
Task 2.1 - Check Sections
For each section, note:
| Name | VirtualSize | VirtualAddress | Permissions |
|---|---|---|---|
| .text | ____ | ____ | ____ |
| .data | ____ | ____ | ____ |
| .rdata | ____ | ____ | ____ |
| ... | ... | ... | ... |
Task 2.2 - Identifying Permissions
Section permissions (Characteristics):
- 0x20000000 = Execute (X)
- 0x40000000 = Read (R)
- 0x80000000 = Write (W)
Check: Is there a section with RWX? (This can be suspicious!)
📦 Part 3: Analyzing Imports
Task 3.1 - Check Imports
In the Imports tab, answer the questions:
- Which DLLs does the program import from?
- How many functions are imported in total?
- Are there interesting functions? (see list below)
🔍 Suspicious Functions to Search For
| Category | Functions |
|---|---|
| Files | CreateFile, WriteFile, DeleteFile |
| Network | socket, connect, send, recv, InternetOpen |
| Registry | RegOpenKey, RegSetValue, RegCreateKey |
| Processes | CreateProcess, CreateThread, OpenProcess |
| Memory | VirtualAlloc, VirtualProtect, WriteProcessMemory |
| Encryption | CryptEncrypt, CryptDecrypt |
🔬 Part 4: Comparing Files
Task 4.1 - Compare
Open two different files (e.g., notepad.exe and calc.exe) and compare:
- Which one is larger?
- Which one has more sections?
- Which one has more imports?
- Is there a difference in compilation time?
🚨 Part 5: Suspicious Signs
⚠️ Red Flags in PE Analysis
- Section with RWX - code that can modify itself
- Strange section names - UPX0, .packed, etc.
- High Entropy - may indicate encryption/compression
- Few imports - may indicate dynamic loading
- Future or far-past TimeDateStamp - possibly forged
- Entry Point not in .text - suspicious!
- VirtualSize >> SizeOfRawData - unpacking
Task 5.1 - Check Your File
- Is the Entry Point inside .text?
- Are there sections with RWX permissions?
- Are there sections with non-standard names?
- Is the TimeDateStamp reasonable?
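The Task 2.2 permission decode and the Task 5.1 checklist can be run together over a section table. The following is an added example, not part of the lab: it packs a constructed `IMAGE_SECTION_HEADER` table (a packed-looking layout with an RWX `UPX0` section that has no bytes on disk, and an entry point inside it), parses the 40-byte records, renders Characteristics as RWX, and reports each red flag from the list above. The list of "standard" section names, the ratio of 8 used to decide that VirtualSize is much larger than SizeOfRawData, and the year-2000 cutoff for a "far past" timestamp are assumptions chosen for this example, not values given by the lab.

```python
import struct
import time

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed list of names a typical linker emits; anything else is reported as non-standard
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".pdata", ".tls", ".CRT"}
RATIO_THRESHOLD = 8           # assumed: VirtualSize >= 8 x SizeOfRawData counts as ">>"
EARLIEST_SANE_TS = 946684800  # 2000-01-01 UTC, assumed cutoff for "far past"

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes, little-endian


def build_sample_table() -> bytes:
    # Constructed table imitating a packed file: normal .text and .data, plus an RWX
    # "UPX0" section with nothing on disk but 32 KiB reserved in memory.
    rows = [
        # name,    VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),  # CODE | R | X
        (b".data", 0x400, 0x2000, 0x200, 0x1400, 0xC0000040),   # INITIALIZED_DATA | R | W
        (b"UPX0", 0x8000, 0x3000, 0, 0x1600, 0xE0000080),       # UNINITIALIZED_DATA | R | W | X
    ]
    return b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vs, va, raw, ptr, 0, 0, 0, 0, ch)
        for name, vs, va, raw, ptr, ch in rows
    )


def parse_sections(table: bytes, count: int) -> list:
    """Read `count` section headers (count comes from FILE_HEADER.NumberOfSections)."""
    sections = []
    for i in range(count):
        name, vs, va, raw, ptr, _, _, _, _, ch = struct.unpack_from(SECTION_FMT, table, i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),  # 8-byte NUL-padded field
            "virtual_size": vs, "va": va, "raw_size": raw,
            "raw_ptr": ptr, "characteristics": ch,
        })
    return sections


def permissions(characteristics: int) -> str:
    """Render the three memory bits in the lab's R/W/X order."""
    bits = ((IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"), (IMAGE_SCN_MEM_EXECUTE, "X"))
    return "".join(letter for bit, letter in bits if characteristics & bit)


def red_flags(sections: list, entry_rva: int, timestamp: int, now: int = None) -> list:
    """Apply the Part 5 checklist; returns one message per finding (empty list = clean)."""
    findings = []
    for s in sections:
        if permissions(s["characteristics"]) == "RWX":
            findings.append(f"{s['name']}: RWX section")
        if s["name"] not in STANDARD_NAMES:
            findings.append(f"{s['name']}: non-standard section name")
        ratio = s["virtual_size"] / s["raw_size"] if s["raw_size"] else float("inf")
        if ratio >= RATIO_THRESHOLD:
            findings.append(f"{s['name']}: VirtualSize >> SizeOfRawData (filled at runtime)")
    # Entry point check: find the section whose in-memory range contains the RVA
    holder = next((s for s in sections
                   if s["va"] <= entry_rva < s["va"] + s["virtual_size"]), None)
    if holder is None or holder["name"] != ".text":
        where = holder["name"] if holder else "no section"
        findings.append(f"entry point {entry_rva:#x} not in .text ({where})")
    now = int(time.time()) if now is None else now
    if timestamp > now + 86400 or timestamp < EARLIEST_SANE_TS:
        findings.append(f"TimeDateStamp {timestamp:#x} is in the future or far past")
    return findings


if __name__ == "__main__":
    sections = parse_sections(build_sample_table(), 3)
    for s in sections:
        print(f"{s['name']:<8} VA={s['va']:#07x} VSize={s['virtual_size']:#x} "
              f"Raw={s['raw_size']:#x} {permissions(s['characteristics'])}")
    for finding in red_flags(sections, entry_rva=0x3010, timestamp=0x5F000000):
        print("!!", finding)
```

On a real file, the section table starts right after the optional header (at e_lfanew + 4 + 20 + SizeOfOptionalHeader), and `entry_rva` and `timestamp` come from the headers parsed in Part 1. Each finding is a prompt for a closer look, not a verdict: legitimate packed installers and some runtimes trip the same checks.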
🐍 Bonus: Analysis with Python
```python
# pip install pefile
import pefile

pe = pefile.PE("sample.exe")

print(f"Machine: {hex(pe.FILE_HEADER.Machine)}")
print(f"Entry Point: {hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)}")
print(f"Image Base: {hex(pe.OPTIONAL_HEADER.ImageBase)}")

print("\n=== Sections ===")
for section in pe.sections:
    # Section names are 8 raw bytes, NUL-padded; strip the padding before printing
    print(f"{section.Name.decode(errors='replace').strip(chr(0))}: "
          f"VA={hex(section.VirtualAddress)}, "
          f"Size={section.Misc_VirtualSize}")

print("\n=== Imports ===")
# A file with no import table has no DIRECTORY_ENTRY_IMPORT attribute at all
for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
    print(f"\n{entry.dll.decode()}:")
    for imp in entry.imports[:5]:  # first 5 per DLL
        # Imports by ordinal have no name
        print(f"  {imp.name.decode() if imp.name else 'ordinal'}")
```