\n\nThis page has been machine-translated from the original page.
\n
This chapter performs surface analysis of DoPClient and DoPDriver, the programs analyzed in this book.
\nSurface analysis generally refers to analysis methods that use information such as program metadata and strings contained in a file to understand the overall nature of the target.
\nFor example, when you perform surface analysis on Windows executables, you can identify the following kinds of information.
\nThe type of the target file can be identified through surface analysis.
\nOn Linux, commands such as file, which are installed on many distributions, can easily identify the type of a target file.
On Windows, by contrast, it is common to use third-party tools to examine file types.
\nThis book does not cover file-type investigation tools in detail, but TrID 1 is one commonly used option.
\nTrID is also provided as an online tool, so it is convenient when it is acceptable to upload the file being analyzed to an external site, as in this case.
\nOnline TrID File Identifier:
\nhttps://mark0.net/onlinetrid.html
\nWhen the executables analyzed in this book are checked with the online tool above, they are identified as likely 64-bit Windows executables, as shown below.
\nNote: Uploading files that are not publicly available to Internet-based analysis sites can become a serious security incident, so please use such sites with great care.
\nWindows executables are normally created in the PE file format 2.
\nPE file headers contain a wide variety of information about the executable.
\nThis book does not explain PE file headers in detail, but in general you can inspect the following kinds of information from a PE header.
\nIn addition, by analyzing data inside the executable, you can inspect the following kinds of information as well.
\nNow let’s actually try some surface analysis on DoPClient and DoPDriver.
\nThere are several tools that can be used for surface analysis of Windows programs, but in this book we use the free edition of PEStudio 3.
\nThere are also several useful tools for surface analysis of Windows programs besides PEStudio.
\nThis book does not use them, but CFF Explorer included in Explorer Suite 4 and PE Bear are also extremely useful tools.
\nWhen you analyze DoPClient and DoPDriver with PE Studio, a wide range of information is displayed at once, as shown in the image below.
\nFrom here, you can inspect information such as hashes and timestamps for the target files.
\nYou can also inspect the strings embedded in DoPClient by opening the [strings] tab for DoPClient.
\nAnd from the [strings] tab of DoPDriver, we can confirm that the string FLAG{The_important_process_is_ is defined.
This looks like the first half of the correct Flag, and it seems likely to become an important keyword as we continue the analysis.
\nIn this chapter, we used PEStudio to perform surface analysis of DoPClient and DoPDriver, the programs targeted in this book.
\nAlthough it did not appear in this chapter, surface analysis can sometimes reveal even more information, such as sensitive data embedded as text or data that may be encrypted or obfuscated.
\nFor various techniques related to surface analysis of Windows programs, “リバースエンジニアリングツール Ghidra 実践ガイド” 6 and “Practical Malware Analysis” 7 are extremely helpful references.
\nTrID - File Identifier https://mark0.net/soft-trid-e.html
\n↩\nPE Format https://learn.microsoft.com/ja-jp/windows/win32/debug/pe-format
\n↩\nPEStudio https://www.winitor.com/download
\n↩\nExplorer Suite https://ntcore.com/explorer-suite/
\n↩\nPE Bear https://github.com/hasherezade/pe-bear
\n↩\nリバースエンジニアリングツール Ghidra 実践ガイド セキュリティコンテスト入門からマルウェア解析まで (中島 将太, 小竹 泰一, 原 弘明, 川畑 公平 著 / マイナビ出版 / 2020 年)
\n↩\nPractical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (Michael Sikorski, Andrew Honig 著 / No Starch Press / 2012 年)
\n↩\n