Assignment 3

Aim: To perform a comparative study of various malware analysis tools.

Tool Name : CFF explorer

Introduction to the tools : CFF Explorer was designed to make PE editing as easy as possible,
but without losing sight on the portable executable’s internal structure. This application
includes a series of tools which might help not only reverse engineers but also programmers.
It offers a multi-file environment and a switchable interface.

Tool details : It’s the first PE editor with full support for the .NET file format. With this tool
you can easily edit metadata’s fields and flags. If you’re programming something that has to
do with .NET metadata, you will need this tool. The resource viewer supports .NET image
formats like icons, bitmaps, pngs. You’ll be able to analyze .NET files without having to install
the .NET framework, this tool has its own functions to access the .NET format.

Behaviour :

Features: -> Process Viewer -> Drivers Viewer -> Windows Viewer -> PE and Memory
Dumper -> Full support for PE32/64 -> Special fields description and modification (.NET
supported) -> PE Utilities -> PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong
Name Signature Remover, Image Base Changer) -> View and modification of .NET internal
structures -> Resource Editor (full support for Windows Vista icons) -> Support in the
Resource Editor for .NET resources (dumpable as well) -> Hex Editor -> Import Adder -> PE
integrity checks -> Extension support -> Visual Studio Extensions Wizard -> Powerful
scripting language -> Dependency Walker -> Quick Disassembler (x86, x64, MSIL) -> Name
Unmangler -> Extension support -> File Scanner -> Directory Scanner -> Deep Scan method -
> Recursive Scan method -> Multiple results -> Report generation -> Signatures Manager ->
Signatures Updater -> Signatures Collisions Checker -> Signatures Retriever

Malware details :

Name of file – cff explorer.exe and ghyte.exe

History : Created by Erik Pistelli, a freeware suite of tools including a PE editor called CFF
Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields
description and modification (.NET supported), utilities, rebuilder, hex editor, import adder,
signature scanner, signature manager, extension support, scripting, disassembler,
dependency walker etc. First PE editor with support for .NET internal structures. Resource
Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The
suite is available for x86 and x64.

Analysis with Screenshots :

Introduction to the malware : cff explorer.exe is an executable file that is part of CFF
Explorer developed by Daniel Pistelli. The Windows 7 version of the software: 7.9.0.0 is
usually about 3493376 bytes in size, but the version you have may differ.

Malware details : The .exe extension of a file name displays an executable file. In some
cases, executable files can damage your computer. But further reading needs to be done to
decide for yourself whether the cff explorer.exe file on your computer is a virus or malware
that you should delete, or if in fact it is a valid Windows operating system file or reliable
application.
The first thing that will help you determine if a particular file is a legitimate Windows process
or a virus, is the location of the executable itself. With cff explorer.exe for example, it's path
will probably be something like C:\Program Files\Daniel Pistelli\CFF Explorer\cff explorer.exe

To determine it's path, open Task Manager, go to View -> Select Columns and select "Image
Path Name" to add a location column to your Task Manager. If you find a suspicious
directory here, it may be a good idea to investigate this process further.

Another tool that can sometimes help you detect bad processes is Microsoft's Process
Explorer. Start the program (it does not require installation) and activate "Check Legends"
under Options. Now go to View -> Select Columns and add "Verified Signer" as one of the
columns.

If the "Verified Signer" status of a process is listed as "Unable to Verify", you should take a
moment look at the process. Not all good Windows processes have a Verified Signature
label, but neither do any of the bad ones.

The most important facts about cff explorer.exe:

Name: cff explorer.exe

Software: CFF Explorer

Publisher: Daniel Pistelli

Expected Location: C:\Program Files\Daniel Pistelli\CFF Explorer\ subfolder

Expected Full Path: C:\Program Files\Daniel Pistelli\CFF Explorer\cff explorer.exe

SHA1: 8f76ad283a7485a17a3c6d14e9cbbb5917ffb820

SHA256: f716b1bbde9ca4603660c07feb695298020de59ac71def5ec152734e6597cd17

MD5: ffc218143d392023ed4a0a025e95e1d0

Known to be up to 3493376 bytes in size on most Windows;

If you had any difficulties with this executable, you should determine if it's trustworthy
before deleting cff explorer.exe. To do this, find this process in Task Manager.

Find its location and compare the size etc with the above facts.

If you suspect that you may be infected with a virus, then you must attempt to fix it
immediately. To delete the cff explorer.exe virus, you must download and install a full
security application like this. Note that not all tools can detect every type of malware, so you
may need to try several options before you're successful.

In addition, the functionality of the virus may itself affect the deletion of cff explorer.exe. In
this case, you must enable Safe Mode with Networking - a secure environment that disables
most processes and loads only the most required services and drivers. When there, you can
run a security program and a complete system analysis.

You should not delete a safe executable file without a valid reason, as this may affect the
performance of any associated programs that use that file. Be sure to keep your software
and programs up to date to avoid future problems caused by corrupted files. With regard to
software functionality issues, check driver and software updates more often, so there is little
or no risk of such problems occurring.

The best diagnosis for these suspicious files is a complete system analysis with either ASR
Pro or this antivirus and malware remover. If the file is classified as malicious, these
applications will also delete cff explorer.exe and get rid of the associated malware.

However, if it is not a virus and you need to delete cff explorer.exe, then you can uninstall
CFF Explorer from your computer using its uninstaller. If you cannot find it's uninstaller, then
you may need to uninstall CFF Explorer to completely delete cff explorer.exe. You can use
the Add/Remove Program function in the Windows Control Panel.

Behaviour : The most common cff explorer.exe errors that can appear are:

• "cff explorer.exe Application Error."

• "cff explorer.exe failed."

• "cff explorer.exe has encountered a problem and needs to close. We are sorry for the
inconvenience."

• "cff explorer.exe is not a valid Win32 application."

• "cff explorer.exe is not running."

• "cff explorer.exe not found."

• "Cannot find cff explorer.exe."

• "Error starting program: cff explorer.exe."

• "Faulting Application Path: cff explorer.exe."

These .exe error messages can occur during the installation of a program, during the
execution of it's associate software program, CFF Explorer, during the startup or shutdown
of Windows, or even during the installation of the Windows operating system. Keeping a
record of when and where your cff explorer.exe error occurs is important information when
it comes to troubleshooting.

How to fix cff explorer.exe

A clean and tidy computer is one of the best ways to avoid problems with cff explorer.exe.
This means performing malware scans, cleaning your hard disk with cleanmgr and sfc
/scannow, uninstalling programs you no longer need, monitoring any auto-start programs
(with msconfig), and enabling automatic Windows updates. Don't forget to always make
regular backups or at least define recovery points.

If you have a bigger problem, try to remember the last thing you did or the last thing you
installed before the problem. Use the resmon command to identify the processes that are
causing your problem. Even in case of serious problems, instead of reinstalling Windows, you
should try to repair your installation or, in the case of Windows 8, by executing the
command DISM.exe /Online /Cleanup-image /Restorehealth. This allows you to repair the
operating system without data loss.
To help you analyze the cff explorer.exe process on your computer, you may find the
following programs useful: Security Task Manager displays all Windows tasks running,
including built-in hidden processes such as keyboard and browser monitoring or auto-start
entries. A single security risk rating indicates the probability that it is spyware, malware or a
potential Trojan horse. This anti-virus detects and removes spyware, adware, Trojans,
keyloggers, malware and trackers from your hard disk.

History : cff explorer.exe is an executable file that is part of CFF Explorer developed by
Daniel Pistelli. The Windows 7 version of the software: 7.9.0.0 is usually about 3493376
bytes in size, but the version you have may differ. The .exe extension of a file name displays
an executable file. In some cases, executable files can damage your computer. But further
reading needs to be done to decide for yourself whether the cff explorer.exe file on your
computer is a virus or malware that you should delete, or if in fact it is a valid Windows
operating system file or reliable application.

Analysis with Screenshots :

Tool Name : DOS Header

Introduction to the tools : The DOS MZ executable format is the executable file format used
for .EXE files in DOS. The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A)
at the beginning of the file (the "magic number"). "MZ" are the initials of Mark Zbikowski,
one of the leading developers of MS-DOS. The DOS executable header contains relocation
information, which allows multiple segments to be loaded at arbitrary memory addresses,
and it supports executables larger than 64k; however, the format still requires relatively low
memory limits. These limits were later bypassed using DOS extenders.

Tool details : DOS header starts with the first 64 bytes of every PE file. It’s there because
DOS can recognize it as a valid executable and can run it in the DOS stub mode. As we can
investigate on the winnt.h/Windows.inc we can see below details.

Same thing can be found on the cff-explorer which is very popular malware analysis tool for
PE file validation. We also have a same implementation as a picture (below).

As we can see we have a list of structure that came under DOS header such as magic and
ifanew structure.
Behaviour : The first field, e_magic, is the so-called magic number. This field is used to
identify an MS-DOS-compatible file type. All MS-DOS-compatible executable files set this
value to 0x54AD, which represents the ASCII characters MZ. MS-DOS headers are sometimes
referred to as MZ headers for this reason. It starts at offset 0 (this can be view with a hex
editor). This one is developed by Mark Zbikowski (MZ).

We can see above that we have list of structure for Image_DOS_Header and the important
header, as we already discussed

Here, using CFF, explorer we can verify the offset value of the structure and DOS MZ header
and we also see that the file has the data type WORD.

ifanew is the only required element (besides the signature) of the DOS HEADER to turn the
EXE into a PE. It is relative offset to the NT headers. The windows loader looks for this offset
so it can skip the DOS stub and go directly to the PE header.

Segment handling

The environment of an EXE program run by DOS is found in its Program Segment Prefix.

EXE files normally have separate segments for the code, data, and stack. Program execution
begins at address 0 of the code segment, and the stack pointer register is set to whatever
value is contained in the header information (thus if the header specifies a 512 byte stack,
the stack pointer is set to 200h). It is possible to not use a separate stack segment and
simply use the code segment for the stack if desired.

The DS (data segment) register normally contains the same value as the CS (code segment)
register and is not loaded with the actual segment address of the data segment when an EXE
file is initialized; it is necessary for the programmer to set it themselves, generally done via
the following instructions:

MOV AX, @DATA

MOV DS, AX

Termination

In the original DOS 1.x API, it was also necessary to have the DS register pointing to the
segment with the PSP at program termination; this was done via the following instructions:

PUSH DS

XOR AX, AX

PUSH AX

Program termination would then be performed by a RETF instruction, which would retrieve
the original segment address with the PSP from the stack and then jump to address 0, which
contained an INT 20h instruction.

The DOS 2.x API introduced a new program termination function, INT 21h Function 4Ch
which does not require saving the PSP segment address at the start of the program, and
Microsoft advised against the use of the older DOS 1.x method.

Malware details :

Name of file – content

What does it do: installs a backdoor into computers - hijack browsers to change the default
search engine, and track their web traffic - ability to remotely run any code on the victim's
machine, or download new malicious files.

History : The DOS MZ executable format is the executable file format used for .EXE files in
DOS. The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A) at the
beginning of the file (the "magic number"). "MZ" are the initials of Mark Zbikowski, one of
the leading developers of MS-DOS. The MZ DOS executable file is newer than the COM
executable format and differs from it. The DOS executable header contains relocation
information, which allows multiple segments to be loaded at arbitrary memory addresses,
and it supports executables larger than 64k; however, the format still requires relatively low
memory limits.

Compatibility

MZ DOS executables can be run from DOS and Windows 9x-based operating systems. 32-bit
Windows NT-based operating systems can execute them using their built-in Virtual DOS
machine (although some graphics modes are unsupported). 64-bit versions of Windows
cannot execute them. Alternative ways to run these executables include DOSBox, DOSEMU,
Wine, and Cygwin.
MZ DOS executables can be created by linkers, like Digital Mars Optlink, MS linker, VALX or
Open Watcom's WLINK; additionally, FASM can create them directly.

Analysis with Screenshots :

The C program looks like this.

The following code is in 16-bit MASM. This will be our MS-DOS stub program.
After assembling and linking we get the 16-bit DOS executable.

ml /c /Fo hello.obj hello.asm

seglink hello.obj, stub.exe,nul,,nul

Tool Name : Virus total

Introduction to the tools : VirusTotal was founded in 2004 as a free service that analyzes
files and URLs for viruses, worms, trojans and other kinds of malicious content. VirusTotal
inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in
addition to a myriad of tools to extract signals from the studied content. Any user can select
a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a
number of file submission methods, including the primary public web interface, desktop
uploaders, browser extensions and a programmatic API. The web interface has the highest
scanning priority among the publicly available submission methods. Submissions may be
scripted in any programming language using the HTTP-based public API.

Tool details :

Products and services

Windows Uploader

VirusTotal's Windows Uploader was an application that integrates into the Explorer's (right-
click) contextual menu, listed under Send To > Virus Total. The application also launches
manually for submitting a URL or a program that is currently running in the OS.

VirusTotal stores the name and various hashes for each scanned file. Already scanned files
can be identified by their known (e.g., VT default) SHA256 hash without uploading complete
files. The SHA256 query URL has the form https://www.virustotal.com/latest-scan/SHA256.
File uploads are normally limited to 128 MB. In 2017 VirusTotal discontinued support of the
Windows Uploader.

VirusTotal for Browsers

There are several browser extensions available, such as VT4Browsers for Mozilla Firefox, and
Google Chrome and vtExplorer for Internet Explorer. They allow the user to download files
directly with VirusTotal's web application prior to storing them in the computer, as well as
scanning URLs.

VirusTotal for Mobile

The service also offers an Android App that employs the public API to search any installed
application for VirusTotal's previously scanned ones and show its status. Any application not
previously scanned can be submitted, but an API key must be provided and other restrictions
to public API usage may apply (see #Public API).

Public API

VirusTotal provides as a free service a public API that allows for automation of some of its
online features such as "upload and scan files, submit and scan URLs, access finished scan
reports and make automatic comments on URLs and samples". Some restrictions apply for
requests made through the public API, such as requiring an individual API key freely
obtained by online signing up, low priority scan queue, limited number of requests per time
frame, etc.

Malware details :

Name of file – content

What does it do: installs a backdoor into computers - hijack browsers to change the default
search engine, and track their web traffic - ability to remotely run any code on the victim's
machine, or download new malicious files.

Behaviour : VirusTotal aggregates many antivirus products and online scan engines called
Contributors. In November, 2018, the Cyber National Mission Force, a unit subordinate to
 the U.S. Cyber Command became a Contributor. The aggregated data from these
Contributors allows a user to check for viruses that the user's own antivirus software may
have missed, or to verify against any false positives. Files up to 650 MB can be uploaded to
the website, or sent via email (max. 32MB). Anti-virus software vendors can receive copies
of files that were flagged by other scans but passed by their own engine, to help improve
their software and, by extension, VirusTotal's own capability. Users can also scan suspect
URLs and search through the VirusTotal dataset. VirusTotal uses the Cuckoo sandbox for
dynamic analysis of malware. VirusTotal was selected by PC World as one of the best 100
products of 2007.

History : VirusTotal is a website created by the Spanish security company Hispasec Sistemas.
Launched in June 2004, it was acquired by Google in September 2012. The company's
ownership switched in January 2018 to Chronicle, a subsidiary of Google.

Analysis with Screenshots :

Tool Name : Export table

Introduction to the tools : Exports are functions that a DLL/EXE may “export” or share that
allow other programs to leverage. While any PE file may have an “export” table, this table is
more commonly found inside of DLLs, as they contain the code needed by many executables
to function.

Tool details : The first entry of IMAGE_DATA_DIRECTORY of the optional header field
contains information about the export table. The 4 bytes located at PE + 0x78 (i.e., offset 120
bytes) is the relative address (relative to DLL base address) of the export table, and the next
byte (at offset 0x7C) is the size of the export table.

The data type for the export table is IMAGE_EXPORT_DIRECTORY.

typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics; //offset 0x0
DWORD TimeDateStamp; //offset 0x4
WORD MajorVersion; //offset 0x8
WORD MinorVersion; //offset 0xa
 DWORD Name; //offset 0xc
DWORD Base; //offset 0x10
DWORD NumberOfFunctions; //offset 0x14
DWORD NumberOfNames; //offset 0x18
DWORD AddressOfFunctions; //offset 0x1c
DWORD AddressOfNames; //offset 0x20
DWORD AddressOfNameOrdinals; //offset 0x24
}
Here, we need some manual calculation of addresses for each attribute for our later analysis.
In the above definition, WORD is a computer word of 16 bites (2bytes), and DWORD is 4
bytes. We can easily infer that, MajorVersion is located at offset 0x8, and
AddressOfFunctions is located at offset 0x1c.
Now assume that IMAGE_EXPORT_DIRECTORY is located at 0x7C903400, the following is the
dump from WinDbg (here "dd" is to display memory):
kd> dd 7c903400
7c903400 00000000 48025c72 00000000 00006786
7c903410 00000001 00000523 00000523 00003428
7c903420 000048b4 00005d40 00057efb 00057e63
7c903430 00057dc5 00002ad0 00002b30 00002b40
7c903440 00002b20 0001eb58 0001ebb9 0001e3af
7c903450 0002062d 000206ee 0004fe3a 00012d71
7c903460 000211e7 0001eaff 0004fe2f 0004fdaa
7c903470 0001b08a 0004febb 0004fe6d 0004fde6
We can soon infer that there are 0x523 functions exposed in the export table, and there are
0x523 names exposed. Why? Because the NumberOfFunctions is located at offset 0x14 (thus
its address is 0x7c903400+0x14 = 0x7c903414) For another example, look at the attribute
"Name" which is located at offset 0xc (i.e., its address: 0x7c90340c), we have number
0x00006787. This is the address relative to the base DLL address (assume it is 0x7c900000).
Then we have the name of the module located at 0x7c906786. We can verify using the "db"
command in WinDbg (display memory contents as bytes): you can verify that the module
name is indeed ntdll.dll.
kd> db 7c906786
7c906786 6e 74 64 6c 6c 2e 64 6c-6c 00 43 73 72 41 6c 6c ntdll.dll.CsrAll
7c906796 6f 63 61 74 65 43 61 70-74 75 72 65 42 75 66 66 ocateCaptureBuff
The "AddressOfFunctions", "AddressOfNames", and "AddressOfNameOdinals" are the most
important attributes. There are three arrays (shown as below), and each of the above
attributes contains one corresponding starting address of an array.
PVOID Functions[523]; //each element is a function pointer
char * Names[523]; //each element is a char * pointer
short int Ordinal[523]; //each element is an 16 bit integer
For example, by manual calculation we know that the Names array starts at 7C9048B4 (given
the 0x48B4 located at offset 0x20, for attribute AddressOfNames; and assuming the base
address is 0x7C900000). We know that each element of the Names array is 4 bytes. here is
the dump of the first 8 elements:
kd> dd 7c9048b4
7c9048b4 00006790 000067a9 000067c3 000067db
7c9048c4 00006807 0000681f 00006831 00006845
We can verify the first name (00006790): It's CsrAllocateCaptureBuffer. Note that a "0" byte
is used to terminate a string.
kd> db 7c906790
7c906790 43 73 72 41 6c 6c 6f 63-61 74 65 43 61 70 74 75 CsrAllocateCaptu
7c9067a0 72 65 42 75 66 66 65 72-00 43 73 72 41 6c 6c 6f reBuffer.CsrAllo
We can also verify the second name (000067a9): It's CsrAllocateMessagePointer.
kd> db 7c9067a9
7c9067a9 43 73 72 41 6c 6c 6f 63-61 74 65 4d 65 73 73 61 CsrAllocateMessa
7c9067b9 67 65 50 6f 69 6e 74 65-72 00 43 73 72 43 61 70 gePointer.CsrCap
Now, given a Function name, how do we find its entry address? The following is the formula:
Note that array index starts from 0.
Assume Names[x].equals(FunctionName)
Function address is Functions[Ordinal[x]]

Behaviour : We now start to analyze the code, starting at 0x40105C. Set a hardware
breakpoint at 0x40105C (in code pane, right click -> Go To Expression (0x40105c) and then
right click -> breakpoints -> hardware, on execution). Press F9 to run to the point. The first
instruction should be PUSH DS:[EAX+8]. If you see a bunch of BYTE DATA instructions, that's
caused by the byte scission of the code. Highlight all these BYTE DATA instructions, right click
-> Treat as Command during next analysis and we should have the correct disassembly
displayed in IMM.

Now let us analyze the first couple of instructions starting at 0x40105C (in Figure). After
reading the module information (one by one), the code jumps out of the loop when it
encounters the ntdll.dll. At this moment, EAX contains the address of offset 0x18 of
LDR_DATA_TABLE_ENTRY. In another word, EAX points to the attribute "DllBase". Thus, the
instruction at 0x40105C, i.e., PUSH DWORD DS:[EAX+8] is to push the DllBase into the stack.
Executing this command, you will find that 0x7C900000 appearing on top of the stack.

The control flow soon jumps to 0x401077 and 0x401078. It soon follows that at 0x401070,
ECX now has value 0x7C90000 (the DLL base). Now consider the instruction 0x40107D:

MOV EAX, DWORD PTR DS:[ECX+3C]

Recall that the beginning of a PE file is the DOS header (which is 64 bytes) and the last 4
bytes of the DOS header contains the location of the PE header (offset relative to the DLL
base). Hex value 0x3C is decimal value 60! So we now have EAX containing of PE offset.
Observing the registry pane, we have EAX = 0xE0. We then infer that PE header is located at
0x7C9000E0 (which is 0x7C900000 base + offset 0xE0).

Now observe instruction at 0x401087:

MOV ESI, DWORD PTR DS:[EAX+78]

Note the offset 0x78, its decimal value is 120. We can soon infer that offset 0x78 is the
address of the EXPORT table data entry in the IMAGE_DATA_DIRECTORY of the optional
 header. Thus, ESI now contains the entry address of the export table (offset relative to DLL
base) ! After instruction at 0x40108c, Its value is now 0x7C903400 (starting address of
EXPORT TABLE).

Analysis with Screenshots :

Tool Name : Conversion between Offset, Rva and Va

Introduction to the tools :

Virtual Address (VA)

Applications do not directly access physical memory, they only access virtual memory. In
other words, the Virtual Addresses (VAs) are the memory addresses that are referenced by
an application.

Relative Virtual Address (RVA)

Relative Virtual Address or RVA (here afterward) is the difference between two Virtual
Addresses (VA) and represents the highest one.

File Offsets

When we talk about offsets, we usually either refer to physical memory, a physical file on
disk or in another general in cases where we treat data as raw data.

Details :

Virtual Address (VA)

Virtualizing access to memory provides flexibility in the way applications use available
physical memory. In fact, an application doesn't have to occupy a contiguous piece of
physical memory; it can be broken down into parts, without the application even needing to
know about it.

Relative Virtual Address (RVA)

Virtual Address is the original address in the memory whereas Relative Virtual Address (RVA)
is the relative address with respect to the ImageBase. ImageBase here means the base
address where the executable file is first loaded into the memory.

We can calculate RVA with the help of the following formula:

RVA = VA – ImageBase

Have a look at the example below for more clarification:

An application is loaded into the memory having a Base Address at 0x400000 and the VA is
at 0x401000. So the RVA is calculated as:

Virtual Address = 0x00401000

ImageBase = 0x00400000

RVA = 0x00001000

File Offsets

The file offset is actually a location within that particular file. To make it easier for you to
understand it is actually the distance from the starting point either the start of the file or the
start of a memory address. The offset value is added to the base value to determine the
actual value.

So, if we have to calculate the file offset of the entry point in a PE file, consider the below
table which shows the important fields within the PE optional header and section header for
a particular application.
Now, the steps with which we calculate the file execution start offset are followed as below:

 First, determine the Address of entry point from the field under Optional Header.
 Next, check in which section's virtual space the address of entry point lies.
 Once the right section header is determined, make a note of its virtual address and
pointer to raw data fields.
 Now, calculate the difference between the address of entry point and the virtual address
of the earlier identified section in which the entry point lies.
 Finally, add the difference to the pointer to the raw data which will give the file-based
execution start offset of that file.

In short the formula for calculating execution start file offset would be:

Offset of entry point in EXE file = (AddressOfEntryPoint – .section[VirtualAddress])

+ .section[PointerToRawData]

In this case, the address of entry point lies in the .text section as the .text section starts at
0x00001000 and ends at 0x00007748 and the address of entry point is 0x0000739D.

So, the file offset for the execution start is:

(0x0000739D – 0x00001000) + 0x0000400 = 0x0000679D

Behaviour :

PE File Header

The PE header is located by looking at the e_lfanew field of the MS-DOS Header. The
e_lfanew field gives the offset of the PE header location. The field e_lfanew denotes the file
header of the new .exe header. The main PE Header is a structure of type
IMAGE_NT_HEADERS and mainly contains SIGNATURE, IMAGE_FILE_HEADER, and
IMAGE_OPTIONAL_HEADER.
IMAGE_OPTIONAL_HEADER: One should not assume from the name itself that this is an
optional header and is not a relevant one. This header contains some critical information
that is beyond the basic information contained in the IMAGE_FILE_HEADER data structure.
Some of the important fields that one should be aware of are listed below:-

Magic: The magic field tells whether an executable image is of 32-bit or 64-bit. The value set
in the Magic field is IMAGE_NT_OPTIONAL_HDR_MAGIC and the value is defined as
IMAGE_NT_OPTIONAL_HDR32_MAGIC (0x10b) in a 32-bit application and as
IMAGE_NT_OPTIONAL_HDR64_MAGIC (0x20b) in a 64-bit application.

AddressOfEntryPoint: It is the address where the Windows loader will begin execution. This
holds the RVA (Relative Virtual Address) of the Entry Point (EP) of the module and is usually
found in the .text section. For executable, this is the starting address. For device drivers, this
is the address of the initialized function. The entry point function is optional for DLLs and
when no entry point is present, this member is zero.

The BaseOfCode and BaseOfData members hold the RVAs of the beginning of the code and
data sections respectively.

Section Header Table

Section Header Table is an array of IMAGE_SECTION_HEADER structures and contains

information related to the various sections available in the image of an executable file. The
sections in the image are sorted by the RVAs rather than alphabetically. Sections Headers
Table contains the following important fields:

 SizeOfRawData: This specifies the real size of the section in the file. If this is the last
section and we sum this value with the PointerToRawData value, then the result will
be the size of the value itself.
 VirtualSize: This section indicates the size of the section in memory.
 PointerToRawData: This is the offset where the Raw Data section starts in the file.
So, by adding this to the value above and assuming that the file alignment property
is set to default, we can obtain the offset of where the next section starts in the file.
 VirtualAddress: The RVA of the section in memory. Using VirtualAddress and
VirtualSize info. we can obtain the RVA of the next section, assuming that the
memory alignment property is set to default.

History : An RVA is simply an offset in memory, relative to where the PE file was loaded.

Analysis with Screenshots :

Conclusion :

Tool 1: Using CFF Explorer, we can view and modify the resources of a PE file, view the functions
that the DLL file can call, and modify the function entry address to achieve the purpose of creating a
crash screen. We fed the explorer 2 files (.exe files) and saw what's inside an executable and what it
does, I.e. checked them for malware using CFF explorer which is a PE editor. CFF explorer is a very
efficient tool to see what's inside an executable and what it does, verify the publisher and the
integrity of the signed executable files etc.

Tool 2: DOS executable header contains relocation information, which allows multiple segments to
be loaded at arbitrary memory addresses. DOS MZ executable format is the executable file format
used for .EXE files in DOS. We analyzed the structure of DOS header and utilized it for malware
analysis.

Tool 3: Analyzes suspicious files and URLs to detect types of malware and malicious content using
antivirus engines and website scanners. The report contains the total number of VirusTotal partners
who consider this file harmful out of the total number of partners who reviewed the file, the
reputation of the given URL as determined by VirusTotal's Community etc.

Tool 4: Exports are functions that a DLL/EXE may “export” or share that allow other programs to
leverage. Export Address Table is an array of function pointers that contain the address of exported
functions.

Tool 5: Compared, contrasted and drew parallels between Offset, Rva and Va. Also converted Offset,
Rva and Va to one another in a step by step manner.