Basic Static Analysis Part 2
Video Activity
This module steps deeper into the assembly code and its execution. It will explain how to go from a raw assembly to an executable file. Compilers create raw executable files that are included in a container called the PE (Portable Executable) files. Windows uses PE files to know which instruction to begin executing, what libraries, or other metadat...
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or
Already have an account? Sign In »
Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9
Video Description
This module steps deeper into the assembly code and its execution. It will explain how to go from a raw assembly to an executable file. Compilers create raw executable files that are included in a container called the PE (Portable Executable) files. Windows uses PE files to know which instruction to begin executing, what libraries, or other metadata it would need. You'll learn about various PE file parsers like PE Explorer, COFF explorer, PEiD, PE Studio, 010 Hexaeditor with the PE binary templates. To make your own PE files, refer to the Malware Analysis Cookbook. Next, we'll discuss the kind of files that use PE. Some malwares may use any of the PE file formats like .exe, .dll, .src, .cpl, .ocx, .sys, .drv, .efi, .fon. Further into the module, we'll discuss about EFLAGs registers, stacks flags, bit masks, size of data bytes, one's and two's complement. You'll also learn assembly instructions such as PUSH, POP, EBP, EIP, ESP, CALL, RET, NOP. We'll then move on and explain Endianness, and its two types. Lastly, we'll go through few notes or exceptions that every Malware Analyst should be aware of. Good reads to up-skill your knowledge on the subject include:
- The IDA Pro Book: The Unofficial Guide by Chris Eagle
- Professional Assembly Language by Richard Blum
- Reversing: Secrets of Reverse Engineering by Eldad Eilam
- Corkami (website) for crackers
- The Art of Assembly Language
Video Transcription
00:04
welcome to separately. Hi, My name is Sean Pierce from the Civic Matter. Extra firm.
00:08
A direction to malware analysis. Say we're gonna be talking about part two.
00:12
Okay,
00:13
Assembly execution.
00:16
So how we go from raw assembly
00:19
to e x e file.
00:22
Wealthy compiler created
00:25
the
00:26
raw execute herbal code and that included it in this container.
00:31
And this container
00:33
is called a P E file. And Windows usually uses these P files to know
00:40
what section of the code to begin executing what libraries it needs and what version of what compiler made it. And all this other metadata about the executed all code.
00:55
If you want to go explore that, I highly suggest
00:57
it because there's a wealth of information that we can use in there, such as time stamps like
01:03
compiler. Usually
01:04
ads in when this file was made, uh, usually says what its target platform and architecture for our what function calls is going to call and other information like that.
01:19
And there are several p e. Parsons p file format purser's P Explorers CFF Explorer and not C o FF IX for P I. D. P. Studio
01:34
010 Hex editor is really good if you use a P binary template.
01:41
Pdf file.
01:42
Binary template. And, of course, you can make your own. It's not super hard to do, and there's a lot of work already done for that.
01:51
If you look at them our Alice book,
01:53
they have a lot of scripts to help you with that, and you get to know the file format very well.
02:00
So what
02:01
is a
02:02
What use is the P E file format? Simply don t X C files are the most common deal. Oh, files are the exact same format with just a few flags changed and a few more function
02:17
exports are made.
02:20
The deal. Oh, mein being the only one that a deal Oh, foul needs to export in order for it to be used and loaded up by the windows loader for execution
02:29
SRC files or screen saver files. But they execute code
02:34
the exact same way.
02:35
Um, as a demonstration,
02:39
we'll open up our signal in terminal here.
02:44
And when we were talking last,
02:46
we made several
02:49
files. Uh,
02:51
like
02:52
ada e x E
02:54
prince. Hello, world.
02:57
I'll just cat the hell of world file. You can see it
03:00
a very simple program.
03:01
Ah,
03:02
we can change
03:05
a dot yet See
03:06
to any one of these things.
03:08
Ah, such as
03:12
a dot info in
03:15
list. We see that there is a doubt fon we're gonna execute that
03:22
and a prince Hello world. It's the same file format. Sometimes malware will use these other extensions, but it gets to be highly suspicious. So, um,
03:31
you know, most I've seen is SRC
03:35
so we can do like
03:37
this a d s r c. And we can execute a doubt as our C
03:43
and it's still executes it just like it would any other e x e file.
03:47
So it's good to be aware off this.
03:52
So we're talking about
03:53
assembly, and we're talking about actually executing it. I said I mentioned the flags were destroyed later,
04:00
and
04:01
this is
04:03
why it's so important is because it keeps state
04:05
of the instructions.
04:08
And if you look over on the far right here we have some X 86 assembly.
04:12
The first line is move one into ta X.
04:16
The next line a compare instruction is moved to
04:20
or compare the X to the number two
04:25
instruction Below that is Jay Z jump If zero is what it stands for.
04:30
So
04:32
basically,
04:34
if the above operation
04:36
was
04:40
resulting in zero,
04:42
then it would jump.
04:45
So the compare instruction
04:48
does the same thing is a sub strapped instruction
04:51
except it doesn't
04:54
store the result back to the register.
04:58
All it does is change. The flags register.
05:01
So
05:02
when compared, the X
05:04
comma too
05:08
was executed.
05:10
It would do a subtraction operation
05:13
so it's attracted
05:14
two from E X.
05:16
This would result in negative one,
05:18
but it would not result in zero.
05:20
So
05:23
if you see in the middle picture zero flag
05:27
and right above it the sign flag, those would both Or the sign flag would be flipped. So it would be a one in the sign flag and the zero flag would be zero.
05:38
So false zero true one.
05:42
So the zero flag would be zero signs like would be one. And so since
05:46
zero was not flagged, this jump
05:50
will not work. It will not jump to the label is too,
05:56
which is on line six. It will just simply fall through to the label is not
06:02
labels don't actually do anything. There's no assembly equivalent. They're just placeholders. And so
06:11
what will happen is Line five would be executed where two will be moved into the ex register
06:16
and then line six
06:18
will be executed. But since label doesn't actually
06:21
equate to any assembly code life seven will be executed. Zero will be moved into the axe.
06:30
So with these conditional jumps, compilers will turn if statements and loops and other control flow mechanisms,
06:38
um, like,
06:41
ah, spaghetti coud or switch statements or whatever
06:44
into
06:46
these instructions.
06:47
There are other flags that you should be aware of, but those are the biggest. Is the sign flag in the zero flag
06:55
Um
06:57
overflow. And under Flo flags will generally tell you if, ah, if you try to multiply or do something else and
07:04
you lost some information
07:06
Ah, the overflow and under Flo flag will
07:10
be flipped.
07:12
And sometimes code is good enough to check for that,
07:15
um, Carrie flag to see if
07:16
you know there's operation that had
07:19
you know what you add
07:20
added some bites to some register, and, uh,
07:27
the results
07:28
had to carry bit.
07:30
And, um,
07:31
belay said the most important ones are zero and sign.
07:36
So I said
07:38
I talked about the push and the pop instructions and the S P in the V p
07:43
registers. And I said they had to do with the stack. And
07:47
here we're gonna look at how excited six uses this data structure,
07:53
which is almost always at the top of memory, where the operating system is down at the bottom of memory.
08:00
Uh,
08:00
and the heap where Malik and Kallick
08:03
get new memory,
08:05
um,
08:07
is in the middle
08:09
stack is slowly growing down,
08:11
so it starts
08:13
a really high memory address. And every time you do a push
08:18
like
08:18
it'll decrease the E S P, which points the top of the stack,
08:24
and,
08:24
uh, the E V P is always above it. So the base pointer is always putting at the bottom of the stack, which is at the highest memory address. This might be kind of hard to wrap your head around, and a lot of people get confused by this.
08:39
So
08:39
if you
08:41
care to just draw it out on a piece of paper every once in a while and that really helps, it helps me, at least,
08:50
so the push instruction
08:52
Decorah mints
08:54
the stack pointer.
08:56
So it's kind of like you're adding
08:58
more memory
08:58
to the stack like you're You have a stack of plates
09:03
and, like all you can eat buffet or something. And you,
09:05
uh um,
09:07
somewhere and every time you put a plate on top, the whole set time moves down a little bit.
09:13
So
09:15
if you want to grab a plate, you have to
09:16
pop off the one on top.
09:18
And if you pop something, then you will take the data from
09:24
that stack and the E S P value will increments
09:30
by four, typically
09:31
four bites. And, uh, there are pushing pop instructions that can
09:37
do, like 16 bites and
09:39
or 16 bits, which is two bites.
09:43
Ah,
09:45
but
09:46
most common is push four bites and pop four bites.
09:50
And the call instruction will also affect the stack. Because each stack frame,
09:56
you know, between the E. S. P and the BP pointer
10:01
you've stacked frame
10:03
is the local scope for that function. So all local variables will be be between the ESPN E v p.
10:11
And if this sounds confusing, don't worry. You can look at some assembly,
10:16
uh, of what the functions
10:18
are doing,
10:18
and you will see how the stack is being manipulated
10:22
for each function. Cole.
10:26
So
10:26
when you call something.
10:30
You push the E i P value
10:33
onto the stack.
10:35
So wherever you returned place in memory is,
10:37
uh
10:39
or the next instruction is to be executed, is pushed onto the stack,
10:43
and then you can jump to a location
10:46
and memory, another location.
10:48
And when you call the Rhett instruction or the return instruction
10:54
you're going, the E I. P is going to be repopulated
10:56
with that address
10:58
that the call instruction had pushed onto the stack. And it is going to,
11:03
ah,
11:05
resume execution in that place that you called from.
11:09
Yes, it sounds confusing. Don't worry.
11:11
You're gonna see some assembly, and it's gonna make a bit more sense.
11:16
So as I said,
11:16
Stack grows downwards.
11:20
So
11:22
when you look at assembly and there's local variables
11:26
and we'll see an example and a little bit,
11:28
you'll see them usually addressed from E B P.
11:33
So black the E V p
11:35
plus a certain value
11:37
or, more appropriately, E V p minus a certain values. So if I want to access
11:43
the
11:45
last
11:46
parameter
11:48
of a function
11:50
Cole,
11:50
it'll be e V P minus four.
11:56
So when I
11:58
do a print F and pass it a single parameter
12:01
of
12:01
Hello world or a pointer to the string Hello, world
12:07
The functional reference that for Amber
12:09
Bye EVP minus four
12:11
That's how
12:13
it accesses that pointer
12:16
to that string.
12:20
I'm gonna let that sink in for just a minute.
12:22
So just a little miscellaneous information. There is something called a NOP instruction that stands for no operation and eyes, actually,
12:31
but it is an alias to the exchange.
12:35
Uh, yea x e x instruction. So it moves E X into be a X, so a result in nothing.
12:43
The napkins instruction is very useful. If you wanna manipulate malware so that you can say, Oh, I see it's doing a function called check to see if there's any bugger and dies. If
12:54
there's a debunker so it
12:56
knobs out, you can just put in op instructions in there, and that will result in the compiler
13:05
or in the CPU just completely doing nothing. For those instructions, I can show you example of knocking out some instructions.
13:15
Um,
13:16
I showed you the flags register bit Mask is good to know,
13:22
because it's doing basically a logical and isolate a piece of memory that it wants to. So
13:26
here are some examples where we want to get to a certain bit or a certain bite
13:33
to see what the value is.
13:35
And so we do a logical and
13:37
the bullying logical. And and, uh,
13:41
if you are curious about how this works, if you look at enough assembly, you'll eventually come across it.
13:48
But it's it's not that big a deal. You should just be aware of it.
13:52
Indian, it says, I pointed out earlier, is when spot bites are swapped around wind in storage.
13:58
When they're in registers, they look normal where
14:01
the most significant value is on the left hand side.
14:05
So when we typically read from left to right and our culture,
14:11
you should know that. And we're gonna cover that and I'll hear in the biz.
14:15
So we should also know,
14:16
Uh, no MacLeish er such as,
14:20
uh, data types.
14:22
Or you should also know the nomenclature surrounding data types such as word, D, word and cured and academia. Word means
14:31
the
14:33
unit of
14:35
memory in
14:37
architecture terms,
14:39
the base unit of memory and architecture terms. So,
14:43
uh,
14:46
if I'm talking about
14:48
ah, 32 bit computer, ah, word is generally
14:50
32 bits,
14:52
but
14:54
when Intel and
14:58
Microsoft we're making the programming languages they had to keep with compatibility, and the original word for the original
15:05
80 86 trip
15:07
was 16 bits.
15:09
They pretty much
15:11
made word synonymous with 16 bits.
15:15
So you'll often see and Microsoft AP eyes and websites and code
15:20
the term D word, which is double word, which is pretty much synonymous with
15:26
32 bits or four bites.
15:28
Q. Word is quad Word, so it's double that's 64 bits a eight bites
15:35
like this is the difference between, like
15:39
practical
15:41
industry standard and, uh, academia.
15:43
So
15:45
just be aware that when you see word or D word
15:48
or Q word, it means 16 32 and 64 bits.
15:54
Almost always,
15:56
unless you're reading a textbook
15:58
ones. Compliment is something you should be familiar with. It basically means you just flip all the bits. So if it was 0010
16:06
then you flip. All of this will be 1101
16:11
and you might go OK. It's very simple. Two's compliment
16:15
is where you flip all the bits and then
16:18
add one.
16:18
So
16:21
you had
16:22
001
16:26
and you flip all the bits would be 110
16:29
and if you add one to, that would be 111
16:33
So I'm talking about
16:34
all this in terms of binary, and you might think, OK, that's kind of weird. Why would you ever use that or need that? And it's used for negative numbers.
16:45
And it turns out
16:47
that if you store negative numbers as two's compliment
16:52
in binary,
16:53
you can use the same circuitry
16:56
in the computer
16:59
for addition and subtraction and other operations.
17:03
If a negative number is in twos. Compliment, that's pretty nifty. And it's a shortcut that the hardware designers took to make computers really fast and not have to have extra circuitry for both negative and positive numbers.
17:18
You'll probably never see it, though, but it is something to be aware of
17:22
in case you say,
17:25
Oh, you know, the output of this
17:26
function was like,
17:27
you know, 11111111
17:32
and then you see, like
17:34
the output from a print statement,
17:37
the
17:37
native zero. That's just like, How do you have a negative zero?
17:41
It's like, Well, technically, it's possible toe flip the sign bit
17:45
and it be
17:48
not not have one added to it. So it's native zero and then
17:53
native. One would be one
17:56
on top of that.
17:57
So
17:59
I mentioned earlier. Indian is important, and
18:03
it's kind of strange and rather confusing. And until it was really the only one that does it that I'm aware of,
18:08
um,
18:10
it means that swaps the bites.
18:12
So
18:15
the the the references kind from Gulliver's Travels,
18:18
where
18:19
he came across the land of small people who were fighting viciously over what end to crack their egg
18:27
from
18:29
and, ah,
18:30
and little Indian. It does exactly what you think, where the value is
18:37
12345678
18:38
and it's stored. That way.
18:41
We're
18:41
stored Little end first. So little Indian
18:47
is
18:48
the strange one in that
18:49
the least significant
18:52
portion
18:52
is stored
18:56
in the lowest address.
19:00
So example is 12345678
19:06
The bites or swap. So it's 78
19:07
563412
19:11
Intel is Lindy in, and it's like
19:15
I think the only one that I've ever seen this little Indian maybe aimed is, But I don't think so.
19:22
Um, Big Indian is exactly
19:26
what you would think it is So with the value of ah
19:29
number or ah, spot on memory is 12345678
19:33
Then
19:36
it's stored like that. So this is when network traffic is being sent across. Um, whatever device is sent his big Indian like, If that's
19:47
value,
19:48
then that's how it's sort of memory.
19:49
And Intel does this because
19:53
it's a some point, they found it to be more efficient
19:57
on they could do operations faster.
20:00
So a visual representation of this
20:03
would be something like
20:04
this
20:06
Little Indians on the left, Big Indians on the right.
20:11
If you're still a little confused, I'm gonna do it an example
20:15
right now
20:18
so we can take this number.
20:19
I'm gonna have to
20:22
do this.
20:23
So if we take this number,
20:26
I'm gonna split up into 28 byte segments.
20:30
So zero x
20:33
11 a B
20:36
for for
20:38
that's f
20:40
and then the second value would be zero x for Hexi decimal
20:45
a d d.
20:47
12 to 1.
20:49
Then I'm gonna swap
20:52
the bites. So zero x
20:56
f f
20:57
for four,
20:59
maybe
21:00
11
21:02
and then the other value would be zero x
21:08
21
21:11
12 d d a
21:15
and then we combined them back again.
21:22
So
21:22
this value
21:25
in a register
21:26
would be in an Intel Little Indian system
21:30
sword as this value.
21:37
I was just practicing it once or twice.
21:40
Uh,
21:41
if you want
21:45
so just some notes for the paranoid.
21:48
A CZ, I said earlier, just simply can't be wrong.
21:51
Um,
21:52
and without
21:53
like, it's ah,
21:56
it's an unsolvable problem without actually executing the code, it's
22:00
impossible to know exactly what the instructions will do sometimes more, or do things that will break assemblers or trick thumb.
22:07
Uh,
22:08
one good trick that I've seen is switching from x 86 assembly code X 64 code, which you can only do and 64 bit system.
22:18
But no,
22:19
this is simpler, or D bugger right now can handle it.
22:23
Um,
22:25
they just get the disassembly wrong because they make certain assumptions about the code. It's processing that they're processing,
22:30
um,
22:32
and also jumping into the middle of other instructions. So
22:37
yeah, uh,
22:38
programs out there
22:40
the very purposefully take advantage of the assumptions made by assemblers too.
22:48
This symbol of some disassemble some code so that it looks like a bunch of move instructions,
22:53
But What actually happens is that a jump instruction jumped into the middle of one of those instructions
23:00
and is actually executing something else.
23:03
Also,
23:06
when you statically disassemble something,
23:08
you can't make an assumption
23:10
that you're reading what is gonna be executed. But Mauer will very frequently
23:17
change its own code,
23:18
like as its executing. It will change the code ahead of it
23:23
to jump somewhere else or to decrypt something and then jump into that.
23:29
And we can see an example of that here
23:32
in the next few videos.
23:33
And it's pretty interesting because we might have to dump
23:37
it out of memory and then use a combination of static and dynamic analysis to figure out what's going on.
23:42
Some malware will statically compound
23:45
the library's. It's using into itself instead of relying on the print F function.
23:52
Being in a library that we can access
23:56
malware authors will include the whole seed.
24:00
The sea standard library, like it will include the entire STD Io
24:07
library,
24:08
and
24:10
that means that
24:11
are
24:12
like
24:14
five instruction or 10 instruction.
24:18
Uh, analysis just turned into,
24:21
you know, millions of instructions.
24:22
I'm a pro and others will try to identify
24:27
frequently used libraries and then tribal, label them and just say, Oh, this is string length or oh, this is
24:34
a string copy,
24:37
but it doesn't always catch it.
24:40
There's a lot of Mao out there. They will have what is called junk code, which functionally does nothing.
24:47
One of the first piece of malware that I was looking at for a good, long while,
24:52
I just spent a week on.
24:55
I had a lot of jump code where it would make function Cole's like get system time or get system information and then jump into functions that just had a lot of move instructions and a lot of jump instructions. And they didn't really do anything.
25:08
But
25:10
buried somewhere deep in one of the calls that it made
25:15
was Code two
25:17
unfold, decrypt some other code of the payload,
25:21
and then it would
25:22
use another function call to jump into that.
25:26
That's not uncommon,
25:27
but once you look at it for a while, you start to see some of the patterns that a lot of,
25:34
uh,
25:37
those kinds of tools those kinds of tools will produce. Like
25:41
I've seen
25:42
one thing that would go into unexcusable and just kind of insert random instructions like,
25:51
you know,
25:52
movie A X, e, x or exchange E, T X
25:57
and E X, and then exchange them back a few instructions later. So it's code that guarantees that the function of the program doesn't change. And you can see that it's pretty easy to associate meaningless instructions with certain
26:15
programs, like packers or critters.
26:19
When we're talking about push instructions as parameters as it loading up as it's loading up parameters. Keep in mind that the compilers the one generating these instructions
26:32
and that doesn't
26:33
unnecessarily
26:36
compilers don't necessarily have to follow those conventions.
26:38
But it does. When it has to interface with AP eyes
26:41
so internally it can load up
26:45
like we saw with 64 bit code, it could load up the parameters and registers.
26:49
But when it comes to actually calling system libraries,
26:55
it has to have the stack in a good
26:57
situation has to have it in a good state. If you want that a p I to work and we will take a look at some malware, which
27:06
ah corrupt its own stack
27:10
and its malware that we've already seen before in prior videos is that little IRC bought malware
27:17
so We'll take a look at that and it's Ah,
27:19
gonna be interesting. And there's many, many ways to do this stuff. Luckily, most malware does not try to be
27:27
super tricky.
27:29
Most malware authors aren't very sophisticated,
27:33
and most malware authors, frankly, just don't care
27:36
if they develop a new
27:38
anti analysis technique or an anti debugging technique. Or
27:41
you know
27:42
that they spend a week developing a new way to push and pop parameters on and off the stack. You know that maybe,
27:51
uh,
27:52
you know, good. It might be better
27:56
in defensive measures, but it would take them a week or two, and it would just take you, like
28:03
15 minutes, thio figure out. So it's really not a great time. Tradeoff for them. Our author, especially if they're my hour, has already been analyzed. That means,
28:14
you know they've their operation is probably already blown,
28:18
so
28:21
the pain on their motives it's usually not
28:25
time,
28:26
since
28:27
depending on the malware authors motives and depending on the purpose of the malware, it's usually not advantageous from our authors to put in a whole lot of defense's into their malware
28:40
searches to recap and a list of good resource is that I suggest you check out.
28:45
Um,
28:47
we went over the goals of stack analysis. We what? We want to understand what's going on
28:52
underneath the hood, and we want to find out more information and get IOC's and confirmed dynamic analysis and really wanna gauge sophistication and maybe eventually attribution of
29:03
the malware on the intent of the authors.
29:07
We went over a lot of technical details and exiting six assemblies. I highly suggest you check out how different control, flow structures and different data structures compile down and what the resulting assembly is like. How ah, switch statement compiles down or how nested
29:26
if statements compiled down
29:29
and see
29:30
exactly
29:32
what
29:33
meth all methodology of the compiler is using for optimization.
29:38
And there's a lot of different ideas about how to do this. And if you are interested in that,
29:44
I would suggest take
29:45
taking a look at the art of assembly.
29:48
That is a pretty good book, and it's relatively
29:52
neutral in terms off
29:55
looking at X 86 how to do things in terms of looking at, uh, arm and how to do something. Also
30:03
reversing secrets of reverse engineering
30:06
that is a fantastic book. Some people think it's dry and boring. I think it's fantastic for what you want to do.
30:14
And three eyed a pro book,
30:17
Um,
30:18
let's see. Unofficial at a pro book. But it's the only idea pro book, and it's pretty good,
30:23
Um,
30:25
especially if you're just beginning.
30:26
And I would also suggest checking out websites that hosts were called Crack Means.
30:33
And they're meant for reverse engineers and crackers to figure out
30:41
key generation algorithms or how to manipulate a program into getting the information that you want
30:47
and Miter
30:48
puts on a fantastic intro to x 86.
30:52
Attn. They're open security train got info website, and they have all the materials up there. The slides, challenges
31:00
and, um,
31:02
videos up on YouTube
31:04
posted YouTube playlist also suggests checking out
31:08
the Wikipedia
31:10
X 86 assembly language and the X 86 calling conventions. Calling conventions is something we didn't quite cover,
31:18
but we will go over in the future,
31:21
and we're
31:22
It's basically
31:23
how
31:26
functions
31:26
clean up the stack
31:29
before and after
31:30
they enter a function call.
31:34
Sometimes the function
31:37
the call, he will clean up the stack. It said, Okay, I'm gonna make
31:41
500 bytes for my own local
31:45
variables
31:47
on. Then at the end, it cleans up the 500 bites off the stack
31:51
on, then sometimes another calling conventions
31:53
like standard. Cole.
31:56
Uh, the Kolar cleans up the stack. It's like, OK, this function is going to need 500 fights for its local variables. I'm gonna give it 500 bison stack. Call the function. After it gets back,
32:08
I'll clean up the 500 bytes all clean up to stack.
32:12
So that's that's just what that is. Thank you for watching.
32:16
I highly suggest you go explore your own if you're interested in this stuff. I was just checking out malware stat. Stop Ward And you can see how many malware samples they have doing anti V M or anti disassembly techniques.
32:30
And you can see what function calls air using highlights. Just you also check out Cork. Am I or Coke? Mammy?
32:38
Ah, his all his information. He did a great job breaking down the P E
32:45
um format
32:46
and displaying it in a very understandable way. And he
32:51
goes through
32:52
a lot of the values and the P E file format, and he
32:57
messes with them, and he says. Okay, this one does this. This one does this. This one doesn't do anything. Even the Microsoft says it does.
33:04
Um, and he shows how much you can mess with,
33:07
um,
33:08
a portable X kyul file format before
33:13
the operating system refuses to try to execute it. And malware will use ah, lot of those same type of tricks,
33:20
uh, to avoid,
33:22
um, automated analysis systems
33:25
on. We'll take a look at that stuff in the future as well.
33:29
Thank you for watching. And I hope you
33:32
follow along to the next video.
Up Next
Instructed By
Similar Content
