This module steps deeper into assembly code and its execution. It explains how raw assembly becomes an executable file: the compiler and linker emit machine code and data, and those are wrapped in a container format called PE (Portable Executable). Windows reads the PE headers to find the entry point (the first instruction to execute), the libraries the image imports, and other metadata such as the section layout and subsystem. You will learn to inspect PE files with parsers such as PE Explorer, CFF Explorer, PEiD, PE Studio and 010 Editor with its PE binary template. To build your own PE files, refer to the Malware Analyst's Cookbook.

Next, we discuss which file types use the PE format. Malware may arrive as any of them: .exe, .dll, .scr, .cpl, .ocx, .sys, .drv, .efi and .fon. The extension only decides how the shell launches the file; the loader relies on the MZ and PE headers, so identify PE files by their signatures rather than by name.

Further into the module we cover the EFLAGS register, the stack, flags and bit masks, data sizes (byte, word, dword) and one's and two's complement. You will also learn the instructions PUSH, POP, CALL, RET and NOP and the registers EBP, ESP and EIP that they manipulate. We then explain endianness and its two forms, little-endian (used by x86) and big-endian. Lastly, we go through a few notes and exceptions that every malware analyst should be aware of. Good reads to up-skill your knowledge on the subject include:
- The IDA Pro Book: The Unofficial Guide by Chris Eagle
- Professional Assembly Language by Richard Blum
- Reversing: Secrets of Reverse Engineering by Eldad Eilam
- Corkami (website), Ange Albertini's collection of PE and other file-format posters and proof-of-concept files
- The Art of Assembly Language by Randall Hyde
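As an added example (not part of the original module or its course materials), the following Python script builds a constructed, minimal 32-bit PE image in memory and then parses the headers the Windows loader consults: the DOS header's e_lfanew pointer, the PE signature, the COFF file header, the optional header (entry point, image base, subsystem), the section table and the import directory. The sample image, the helper names (`build_minimal_pe`, `parse_pe`, `rva_to_offset`, `decode_both_endian`) and the single KERNEL32!ExitProcess import are constructed for illustration; the field offsets follow the PE/COFF specification, and the parser handles PE32+ (64-bit) as well as the PE32 sample. The last helper decodes the same four bytes as little-endian and big-endian integers to illustrate the endianness point.

```python
import struct

IMAGE_NT_SIGNATURE = b"PE\x00\x00"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def decode_both_endian(raw4):
    """The same four bytes read little-endian (x86/PE convention) and big-endian."""
    return struct.unpack("<I", raw4)[0], struct.unpack(">I", raw4)[0]


def parse_pe(data):
    """Parse the headers Windows consults before executing a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # '<' = little-endian
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing or out-of-bounds PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == PE32_MAGIC:          # 32-bit: 4-byte ImageBase at +28, data directories at +96
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
        dir_off, thunk_fmt, ordinal_flag = opt + 96, "<I", 1 << 31
    elif magic == PE32PLUS_MAGIC:    # 64-bit: 8-byte ImageBase at +24, data directories at +112
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
        dir_off, thunk_fmt, ordinal_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (ndirs,) = struct.unpack_from("<I", data, dir_off - 4)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(ndirs)]

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr})

    imports = {}
    if len(dirs) > IMAGE_DIRECTORY_ENTRY_IMPORT and dirs[IMAGE_DIRECTORY_ENTRY_IMPORT][0]:
        desc = rva_to_offset(sections, dirs[IMAGE_DIRECTORY_ENTRY_IMPORT][0])
        while True:   # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
            oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if not (oft or name_rva or ft):
                break
            thunk, funcs = rva_to_offset(sections, oft or ft), []
            while True:
                (entry,) = struct.unpack_from(thunk_fmt, data, thunk)
                if entry == 0:
                    break
                funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & ordinal_flag
                             else read_cstr(data, rva_to_offset(sections, entry) + 2))  # +2 skips the hint
                thunk += struct.calcsize(thunk_fmt)
            imports[read_cstr(data, rva_to_offset(sections, name_rva))] = funcs
            desc += 20
    return {"machine": machine, "magic": magic, "entry_rva": entry_rva, "image_base": image_base,
            "entry_va": image_base + entry_rva, "subsystem": subsystem,
            "sections": sections, "imports": imports}


def build_minimal_pe():
    """Constructed sample (not real malware): a tiny PE32 image importing KERNEL32!ExitProcess."""
    base, sec_rva, sec_raw = 0x400000, 0x1000, 0x200
    dos = bytearray(b"MZ").ljust(0x40, b"\x00")
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, 1 section, EXECUTABLE|32BIT
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0, 0, sec_rva, sec_rva, 0, base, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x1010, 0x28)   # import table RVA, size
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x70, sec_rva, 0x200, sec_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + IMAGE_NT_SIGNATURE + coff + opt + dirs + sect).ljust(sec_raw, b"\x00")

    body = bytearray(0x200)
    def put(rva, b):
        body[rva - sec_rva:rva - sec_rva + len(b)] = b
    put(0x1000, b"\x6A\x00\xFF\x15\x58\x10\x40\x00")          # push 0 ; call [0x401058] (IAT slot)
    put(0x1010, struct.pack("<IIIII", 0x1050, 0, 0, 0x1040, 0x1058))   # import descriptor for KERNEL32
    put(0x1040, b"KERNEL32.dll\x00")
    put(0x1050, struct.pack("<II", 0x1060, 0))                # OriginalFirstThunk (import name table)
    put(0x1058, struct.pack("<II", 0x1060, 0))                # FirstThunk (import address table)
    put(0x1060, b"\x00\x00ExitProcess\x00")                   # hint/name entry
    return bytes(headers + body)
```

Run `parse_pe(build_minimal_pe())` to see the entry point resolved to 0x401000, the single `.text` section and the KERNEL32.dll import. Pointing `parse_pe` at the bytes of a real file works the same way, and the bounds checks on e_lfanew and the section table are the kind of validation a parser needs before it trusts header values from an untrusted sample.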
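Also added here, and not taken from the course, is a Python emulation of the x86 ADD and SUB instructions on 32-bit operands, covering the EFLAGS, bit-mask and two's complement topics listed in the module description. It shows that the same result bits are read as unsigned (carry, CF) or signed (overflow, OF), that SUB is ADD of the two's complement negation, and how individual flags are packed into and masked out of an EFLAGS value. The helper names (`add32`, `sub32`, `neg32`, `to_signed32`, `pack_eflags`, `unpack_eflags`) are assumptions for this example; the flag bit positions are those of the EFLAGS register, and the operand values are constructed.

```python
MASK32 = 0xFFFFFFFF
SIGN32 = 0x80000000

# Bit positions of the status flags inside EFLAGS.
EFLAGS_BITS = {"CF": 0, "PF": 2, "AF": 4, "ZF": 6, "SF": 7, "OF": 11}


def to_signed32(v):
    """Interpret a 32-bit pattern as a two's complement signed integer."""
    v &= MASK32
    return v - (1 << 32) if v & SIGN32 else v


def neg32(v):
    """Two's complement negation: one's complement (invert every bit), then add one."""
    return ((~v & MASK32) + 1) & MASK32


def _status_flags(result, cf, of):
    return {"CF": cf, "ZF": int(result == 0), "SF": int(bool(result & SIGN32)), "OF": of}


def add32(a, b):
    """Emulate ADD r32, r32: return the result and CF/ZF/SF/OF as the CPU sets them."""
    a, b = a & MASK32, b & MASK32
    full = a + b
    r = full & MASK32
    cf = int(full > MASK32)                               # unsigned carry out of bit 31
    of = int(((a ^ r) & (b ^ r) & SIGN32) != 0)           # operands share a sign, result does not
    return r, _status_flags(r, cf, of)


def sub32(a, b):
    """Emulate SUB r32, r32 (a - b): the CPU adds the two's complement of b; CF means borrow."""
    a, b = a & MASK32, b & MASK32
    r = (a + neg32(b)) & MASK32
    cf = int(a < b)                                       # unsigned borrow
    of = int(((a ^ b) & (a ^ r) & SIGN32) != 0)           # signs differ and the result sign flipped
    return r, _status_flags(r, cf, of)


def pack_eflags(flags):
    """OR each set flag into its bit position, giving the value a debugger shows for EFLAGS."""
    value = 0
    for name, bit in EFLAGS_BITS.items():
        if flags.get(name):
            value |= 1 << bit
    return value


def unpack_eflags(value):
    """Mask each status bit back out of a raw EFLAGS value."""
    return {name: (value >> bit) & 1 for name, bit in EFLAGS_BITS.items()}
```

The two overflow cases worth remembering: `add32(0x7FFFFFFF, 1)` sets OF and SF but not CF (signed overflow, no unsigned carry), while `add32(0xFFFFFFFF, 1)` sets CF and ZF but not OF (unsigned wrap, but -1 + 1 = 0 is correct as signed). Conditional jumps such as JB/JAE test CF and JL/JGE test SF and OF, which is why a disassembler's signedness guess matters when you read a comparison.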
Intro to Malware Analysis and Reverse Engineering
In this course you will learn how to perform dynamic and static analysis on all major file types, how to carve malicious executables out of documents, how to recognize common malware tactics, and how to debug and disassemble malicious binaries.