All language subtitles for 2. Portable Executable (PE)

1
00:00:00,000 --> 00:00:07,200
Welcome to this lesson. To understand Windows executables we must have some notions about their structure.

2
00:00:09,866 --> 00:00:21,866
Portable executable is a structure used by Windows to represent an executable like .exe, .dll, .sys, among the best known.

3
00:00:21,866 --> 00:00:32,399
For our purposes it's important because it will give us some clues to catch malware, especially when we are performing static analysis.

4
00:00:34,266 --> 00:00:39,699
In this lesson I'm going to teach you the Windows portable executable structure.

5
00:00:39,700 --> 00:00:50,133
As I said before, this structure is in charge of managing Windows executables and will give us some clues for our malware analysis.

6
00:00:50,700 --> 00:00:57,600
You're gonna find this chart with some variations; it doesn't matter. I am gonna explain the essential parts,

7
00:00:57,600 --> 00:01:06,100
the parts we need for malware analysis. This is, in my opinion, the most complete portable executable representation we can find;

8
00:01:06,100 --> 00:01:10,100
you can see the author here in the corner.

9
00:01:21,866 --> 00:01:31,099
What we've got here is an executable file, named “simple”, which is only displaying the typical “Hello world” message.

10
00:01:33,766 --> 00:01:42,132
The executable is divided into two parts, header and sections, which in turn are divided into more parts.

11
00:01:42,900 --> 00:01:52,366
The DOS header section used to be for compatibility when Windows and DOS coexisted, so it really doesn't matter now.

12
00:01:59,366 --> 00:02:06,332
Let's see the hexadecimal dump. As you probably know, for your computer to understand instructions

13
00:02:06,333 --> 00:02:13,533
it has to be done in binary. A hexadecimal dump is a representation of a binary data stream,

14
00:02:13,533 --> 00:02:19,199
where the contents of that stream are displayed in hexadecimal values.

15
00:02:22,300 --> 00:02:32,033
In the ASCII dump column we have the ASCII representation of these values. Let's take this MZ and put it in this translator;

16
00:02:33,100 --> 00:02:45,000
as you can see, the hexadecimal dump is 4d 5a. This 4d5a is the distinctive mark, a seal if you want, of Windows files;

17
00:02:49,300 --> 00:02:58,333
if you see this 4d5a in the hexadecimal dump you can be 100% sure it is a Windows file.

18
00:02:58,966 --> 00:03:03,966
By the way, MZ stands for the developer Mark Zbikowski.

19
00:03:17,166 --> 00:03:21,166
OK, next we have the portable executable header;

20
00:03:25,133 --> 00:03:32,033
this starts with the signature. This PE stands for portable executable, of course,

21
00:03:32,033 --> 00:03:42,233
then we have Machine, and this hexadecimal is important because it indicates the processor this executable is intended to work with.

22
00:03:42,233 --> 00:03:47,066
We'll see this in more detail in the File Type lesson.

23
00:03:54,600 --> 00:04:04,666
The next part, as its name states, is optional. If the executable has this header you can find the processor type here in the magic number.

24
00:04:12,666 --> 00:04:20,732
OK, in the next section we have the data directories. These are pointers, mostly to exports and imports.

25
00:04:21,300 --> 00:04:26,966
In the Import section you'll find all the API functions this executable needs to consume,

26
00:04:26,966 --> 00:04:32,299
and in the Export section you'll find all the functions this executable is willing to share;

27
00:04:32,300 --> 00:04:37,166
hold that thought, I'll show you this using a tool in a minute.

28
00:04:42,266 --> 00:04:49,799
This sections table defines how the file is loaded in memory; it contains a list of all sections in the executable,

29
00:04:49,800 --> 00:04:51,800
not important for now.

30
00:04:55,366 --> 00:05:03,532
I remind you we are checking out this executable named “simple”; this file is only displaying the Hello world message,

31
00:05:03,533 --> 00:05:09,999
and here we have the code in assembly language. You can see the executable's assembly code in a debugger;

32
00:05:10,000 --> 00:05:14,900
we are not going into assembly language, but if you wanna see a debugger in action,

33
00:05:14,900 --> 00:05:20,266
check the lesson Analyzing malicious DLLs further ahead in this course.

34
00:05:21,000 --> 00:05:29,766
I'd like to point out you're not going to find this equivalent C code in the portable structure; you use a decompiler for that.

35
00:05:29,766 --> 00:05:36,599
It is just something the author added for us to compare the assembly and its C language equivalent code.

36
00:05:40,500 --> 00:05:46,266
Now in these import structures we can see the APIs this .exe needs for execution;

37
00:05:46,266 --> 00:05:51,132
note aside, there are always more APIs involved, but for this example this is OK.

38
00:05:51,133 --> 00:05:58,166
For the message Hello world to display we need these APIs, ExitProcess and MessageBoxA,

39
00:05:58,166 --> 00:06:07,032
belonging to kernel32.dll and user32.dll. You'll see a lot of these APIs when inspecting the file in static analysis.

40
00:06:08,966 --> 00:06:16,799
Like any other program, Windows needs functions to do everything; these functions are the Windows APIs that are contained in DLLs.

41
00:06:16,800 --> 00:06:19,800
Let's see this using the CFF Explorer tool.

42
00:06:20,366 --> 00:06:25,366
I am just giving you a glance; we'll see this in detail later.

43
00:06:25,966 --> 00:06:30,566
In this tool we can see the import and export directory of this file;

44
00:06:30,566 --> 00:06:38,532
in the import directory you'll see a lot of these DLLs, user32.dll and kernel32.dll;

45
00:06:39,000 --> 00:06:43,266
they contain very important APIs that this file needs to work.

46
00:06:47,900 --> 00:06:52,766
In the export directory we find the functions this file is willing to share;

47
00:06:52,766 --> 00:06:56,766
we'll see more of this along the course.

48
00:06:58,833 --> 00:07:01,833
Let's go back to our document.

49
00:07:02,733 --> 00:07:08,733
Finally we have the string that will be displayed: Hello world.

50
00:07:09,433 --> 00:07:14,466
We'll use this structure in the next lessons, so don't worry if you don't get it now.

51
00:07:14,466 --> 00:07:20,466
Also you can check all Windows APIs by visiting the resources section; I left you a link there.

52
00:07:20,766 --> 00:07:26,732
Don't miss the next video; we'll use a malware sample in the File Type lesson.
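The structures the lesson walks through on the chart (DOS header and its MZ mark, the PE\0\0 signature, the File header's Machine field, the Optional header's Magic, the data directories, the section table, and the import directory with its DLL and function names) can be read with a few dozen lines of standard-library Python. The parser below is an added example written for this page, not code from the course or from CFF Explorer; field offsets follow the PE/COFF specification. It goes a little beyond the lesson in that it handles PE32+ (64-bit) as well as PE32 images and imports by ordinal. Because it has to run offline, the "simple"-style executable it parses is not the course's file but a constructed two-section PE32 image assembled inline by build_sample_pe() (an assumption for the demo, not compiler output): .text at RVA 0x1000 holds a 28-byte call stub for MessageBoxA and ExitProcess, and .rdata at RVA 0x2000 holds the import descriptors for KERNEL32.dll and USER32.dll plus the "Hello world" string.

```python
import struct

MACHINE = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}   # IMAGE_FILE_MACHINE_* values
MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}                         # optional header Magic values
DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG", "ARCHITECTURE",
        "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]

def _cstr(data, off):                      # NUL-terminated ASCII string at a file offset
    return data[off:data.index(b"\0", off)].decode("ascii")

def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset with the section table (VirtualAddress -> PointerToRawData)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def parse_imports(data, sections, import_rva, pe32plus):
    """Walk the zero-terminated IMAGE_IMPORT_DESCRIPTOR list -> {dll name: [imported names]}."""
    imports, off = {}, rva_to_offset(sections, import_rva)
    width, ordinal_flag, fmt = (8, 1 << 63, "<Q") if pe32plus else (4, 1 << 31, "<I")
    while True:  # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0 and ft == 0:                  # all-zero descriptor ends the list
            break
        names, thunk = [], rva_to_offset(sections, oft or ft)   # ILT, or the IAT if no ILT
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            names.append("#%d" % (entry & 0xFFFF) if entry & ordinal_flag        # import by ordinal
                         else _cstr(data, rva_to_offset(sections, entry & 0x7FFFFFFF) + 2))  # skip hint
            thunk += width
        imports[_cstr(data, rva_to_offset(sections, name_rva))] = names
        off += 20
    return imports

def parse_pe(data):
    """Parse DOS header, PE signature, file header, optional header, data directories and sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ (4d 5a) DOS signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # file offset of PE\0\0
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature at e_lfanew")
    machine, nsec, _stamp, _symtab, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                             # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in MAGIC:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B                                       # PE32+ shifts the later fields
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q" if pe32plus else "<I", data, opt + (24 if pe32plus else 28))[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    directories = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96) + i * 8)
        if rva:
            directories[DIRS[i]] = (rva, size)
    sections = []
    for i in range(nsec):                                           # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize, "va": va,
                         "rsize": rsize, "raw": raw})
    imports = parse_imports(data, sections, directories["IMPORT"][0], pe32plus) if "IMPORT" in directories else {}
    return {"machine": MACHINE.get(machine, hex(machine)), "format": MAGIC[magic], "entry_point": entry,
            "image_base": image_base, "directories": directories, "sections": sections, "imports": imports}

def build_sample_pe():
    """Constructed PE32 image for the demo (an assumption, not compiler output): .text at RVA 0x1000
    holding a MessageBoxA/ExitProcess call stub, .rdata at RVA 0x2000 holding imports and the string."""
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                    # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x014C, 2, 0, 0, 0, 224, 0x0102)   # I386, 2 sections, EXE
    opt = 0x58                                                                  # Magic .. BaseOfData
    struct.pack_into("<HBBIIIIII", hdr, opt, 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000)
    struct.pack_into("<IIIHHHHHHIIIIHHIIIIII", hdr, opt + 28, 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                     0, 0x3000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", hdr, opt + 96 + 1 * 8, 0x2000, 60)                  # IMPORT directory
    struct.pack_into("<II", hdr, opt + 96 + 12 * 8, 0x2050, 16)                 # IAT directory
    sec = opt + 224
    struct.pack_into("<8sIIIIIIHHI", hdr, sec, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40, b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    text = bytearray(0x200)  # push 0; push caption; push text; push 0; call [MessageBoxA]; push 0; call [ExitProcess]
    text[:28] = (b"\x6a\x00" + struct.pack("<BI", 0x68, 0x4020A0) * 2 + b"\x6a\x00" +
                 struct.pack("<HI", 0x15FF, 0x402058) + b"\x6a\x00" + struct.pack("<HI", 0x15FF, 0x402050))
    rdata = bytearray(0x200)
    struct.pack_into("<5I", rdata, 0x00, 0x2040, 0, 0, 0x2080, 0x2050)   # descriptor: KERNEL32.dll
    struct.pack_into("<5I", rdata, 0x14, 0x2048, 0, 0, 0x2090, 0x2058)   # descriptor: USER32.dll
    struct.pack_into("<II", rdata, 0x40, 0x2060, 0)                      # ILT -> hint/name ExitProcess
    struct.pack_into("<II", rdata, 0x48, 0x2070, 0)                      # ILT -> hint/name MessageBoxA
    rdata[0x50:0x60] = rdata[0x40:0x50]                                  # IAT copy, patched by the loader
    rdata[0x60:0x6E], rdata[0x70:0x7E] = b"\0\0ExitProcess\0", b"\0\0MessageBoxA\0"
    rdata[0x80:0x8D], rdata[0x90:0x9B] = b"KERNEL32.dll\0", b"USER32.dll\0"
    rdata[0xA0:0xAC] = b"Hello world\0"
    return bytes(hdr + text + rdata)

if __name__ == "__main__":
    print(parse_pe(build_sample_pe())["imports"])
```

Running the file prints the import map {'KERNEL32.dll': ['ExitProcess'], 'USER32.dll': ['MessageBoxA']}, which is the same list the lesson points at in CFF Explorer. To try it on a real file, pass the bytes of an executable to parse_pe(); the section table returned by it is what rva_to_offset() needs to turn any RVA from the data directories (imports, exports, resources) into a position in the file, which is the step a hex dump alone does not give you.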
