1
00:00:00,000 --> 00:00:07,200
Welcome to this lesson. To understand Windows executables we must have some notions about their structure.
2
00:00:09,866 --> 00:00:21,866
Portable Executable is a structure used by Windows to represent an executable, like .exe, .dll and .sys among the best known.
3
00:00:21,866 --> 00:00:32,399
For our purposes it's important because it will give us some clues to catch malware, especially when we are performing static analysis.
4
00:00:34,266 --> 00:00:39,699
In this lesson I'm going to teach you the Windows Portable Executable structure.
5
00:00:39,700 --> 00:00:50,133
As I said before, this structure is in charge of managing Windows executables and will give us some clues for our malware analysis.
6
00:00:50,700 --> 00:00:57,600
You're going to find this chart with some variations; it doesn't matter. I am going to explain the essential parts,
7
00:00:57,600 --> 00:01:06,100
the parts we need for malware analysis. This is, in my opinion, the most complete Portable Executable representation we can find;
8
00:01:06,100 --> 00:01:10,100
you can see the author here in the corner.
9
00:01:21,866 --> 00:01:31,099
What we have here is an executable file, named “simple”, which only displays the typical “Hello world” message.
10
00:01:33,766 --> 00:01:42,132
The executable is divided into two parts, header and sections, which in turn are divided into more parts.
11
00:01:42,900 --> 00:01:52,366
The DOS header section used to be for compatibility when Windows and DOS coexisted, so it really doesn't matter now.
12
00:01:59,366 --> 00:02:06,332
Let's see the hexadecimal dump.
As you probably know, for your computer to understand instructions
13
00:02:06,333 --> 00:02:13,533
they have to be in binary.
A hexadecimal dump is a representation of a binary data stream,
14
00:02:13,533 --> 00:02:19,199
where the contents of that stream are displayed as hexadecimal values.
15
00:02:22,300 --> 00:02:32,033
In the ASCII dump column we have the ASCII representation of these values. Let's take this MZ and put it in this translator;
16
00:02:33,100 --> 00:02:45,000
as you can see, the hexadecimal dump is 4d 5a.
This 4d5a is the distinctive mark, a seal if you want, of Windows files;
17
00:02:49,300 --> 00:02:58,333
if you see this 4d5a in the hexadecimal dump you can be 100% sure it is a Windows file.
18
00:02:58,966 --> 00:03:03,966
By the way, MZ stands for the developer Mark Zbikowski.
19
00:03:17,166 --> 00:03:21,166
OK, next we have the Portable Executable header.
20
00:03:25,133 --> 00:03:32,033
This starts with the signature; this PE stands for Portable Executable, of course.
21
00:03:32,033 --> 00:03:42,233
Then we have Machine, and this hexadecimal is important because it indicates the processor this executable is intended to work with.
22
00:03:42,233 --> 00:03:47,066
We’ll see this in more detail in the File Type lesson.
23
00:03:54,600 --> 00:04:04,666
The next part, as its name states, is optional. If the executable has this header, you can find the processor type here in the magic number.
24
00:04:12,666 --> 00:04:20,732
OK, in the next section we have the data directories. These are pointers, mostly to exports and imports.
25
00:04:21,300 --> 00:04:26,966
In the Import section you’ll find all the API functions this executable needs to consume,
26
00:04:26,966 --> 00:04:32,299
and in the Export section you’ll find all the functions this executable is willing to share.
27
00:04:32,300 --> 00:04:37,166
Hold that thought; I’ll show you this using a tool in a minute.
28
00:04:42,266 --> 00:04:49,799
This sections table defines how the file is loaded in memory; it contains a list of all sections in the executable,
29
00:04:49,800 --> 00:04:51,800
not important for now.
30
00:04:55,366 --> 00:05:03,532
I remind you we are checking out this executable named “simple”; this file only displays the Hello world message,
31
00:05:03,533 --> 00:05:09,999
and here we have the code in assembly language. You can see the executable's assembly code in a debugger;
32
00:05:10,000 --> 00:05:14,900
we are not going into assembly language, but if you want to see a debugger in action,
33
00:05:14,900 --> 00:05:20,266
check the lesson Analyzing malicious DLLs further ahead in this course.
34
00:05:21,000 --> 00:05:29,766
I’d like to point out you're not going to find this equivalent C code in the portable structure; you use a decompiler for that.
35
00:05:29,766 --> 00:05:36,599
It's just something the author added for us to compare the assembly and its C language equivalent code.
36
00:05:40,500 --> 00:05:46,266
Now in these imports structures we can see the APIs this .exe needs for execution;
37
00:05:46,266 --> 00:05:51,132
as a side note, there are always more APIs involved, but for this example this is OK.
38
00:05:51,133 --> 00:05:58,166
For the message Hello world to display we need these APIs, ExitProcess and MessageBoxA,
39
00:05:58,166 --> 00:06:07,032
belonging to kernel32.dll and user32.dll. You’ll see a lot of these APIs when inspecting the file in static analysis.
40
00:06:08,966 --> 00:06:16,799
Like any other program, Windows needs functions to do everything; these functions are the Windows APIs that are contained in DLLs.
41
00:06:16,800 --> 00:06:19,800
Let's see this using the CFF Explorer tool.
42
00:06:20,366 --> 00:06:25,366
I am just giving you a glance; we’ll see this in detail later.
43
00:06:25,966 --> 00:06:30,566
In this tool we can see the import and export directory of this file;
44
00:06:30,566 --> 00:06:38,532
in the import directory you'll see a lot of these DLLs, user32.dll and kernel32.dll;
45
00:06:39,000 --> 00:06:43,266
they contain very important APIs that this file needs to work.
46
00:06:47,900 --> 00:06:52,766
In the export directory we find the functions this file is willing to share;
47
00:06:52,766 --> 00:06:56,766
we'll see more of this along the course.
48
00:06:58,833 --> 00:07:01,833
Let's go back to our document.
49
00:07:02,733 --> 00:07:08,733
Finally we have the string that will be displayed: Hello world.
50
00:07:09,433 --> 00:07:14,466
We'll use this structure in the next lessons, so don't worry if you don't get it now.
51
00:07:14,466 --> 00:07:20,466
Also, you can check all the Windows APIs by visiting the resources section; I left you a link there.
52
00:07:20,766 --> 00:07:26,732
Don't miss the next video; we'll use a malware sample in the File Type lesson.