Basic Static Analysis Techniques

Question 1

What is Static Analysis?

Answer 1

Static analysis describes the process of analyzing the code or structure of a program to
determine its function. The program is not run at that time.

Question 2

What is Dynamic Analysis

Answer 2

The analyst actually runs the program

Question 3

What do Antivirus tools rely on? Where is it stored?

Answer 3

File signatures, behaviors, and patterns. Antivirus databases, not the actual application

Question 4

Malware writers can modify their code to prevent ___

Answer 4

Detection

Question 5

What do hashes help with?

Answer 5

Identifying programs as legitimate

Question 6

What is a string?

Answer 6

A sequence of characters.

Question 7

What program can you use to search an executable for strings?

Answer 7

The Strings program in the Sysinternals Suite.

Question 8

What format are strings stored in?

Answer 8

Either ASCII or Unicode

Question 9

How do you terminate ASCII and Unicode strings

Answer 9

With a NULL terminator

Question 10

What are obfuscated programs?

Answer 10

Programs whose execution the malware author has attempted to hide

Question 11

What are packed programs?

Answer 11

A subset of obfuscated programs in which the malicious program is compresses and cannot be analyzed

Question 12

What two types of programs strongly limit the ability to statically analyze malware

Answer 12

Obfuscated and packed programs

Question 13

What is a packing file?

Answer 13

You open up an executable that causes another executable to run.

Question 14

What type of files use Portable Executable (PE) format?

Answer 14

Windows executables, object code, and DLLs

Question 15

What is the Portable Executable format?

Answer 15

It is a data structure that contains the information necessary for Windows to manage the wrapped executable code. Almost all files with executable code that is loaded by Windows is in the PE file format.

Question 16

What are Imports?

Answer 16

Functions used by one program that are actually stored in a different program.

Question 17

What are code libraries that contain functionality common to many programs an example of?

Answer 17

Imports

Question 18

How are code libraries connected to the main executable?

Answer 18

Linking

Question 19

What is the main executable?

Answer 19

The program being run

Question 20

Why would programmer what to link imports?

Answer 20

So that they don’t need to re-implement certain functionality in multiple programs

Question 21

What happens when a library is statically linked to an executable?

Answer 21

All code from that library is copied into the executable, which makes the executable grow in size

Question 22

What is Static linking?

Answer 22

Linking in which the executable includes the files that the program needs

Question 23

What is Dynamic linking?

Answer 23

~Linking in which the compiling and linking of code is put into a form that is loadable by programs at run time as well as link time.

Question 24

What is the Imported Functions header?

Answer 24

A PE file header that includes information about the specific functions used by an executable.

Question 25

What is the Exported functions header?

Answer 25

A PE header that contains information about functions that a file exports. Because DLLs are specifically implemented to provide functionality used by EXEs, exported functions are most common in DLLs.

Question 26

What is the Exported functions header?

Answer 26

A PE header that contains information about functions that a file exports. Because DLLs are specifically implemented to provide functionality used by EXEs, exported functions are most common in DLLs.

Question 27

What does the Kernel32.dll import tell you?

Answer 27

This software can open and manipulate processes and functions. It also means that the software can search through directories.

Question 28

What does the User32.dll import tell you?

Answer 28

This software can open and manipulate GUI elements

Question 29

What three functions allow you to open and manipulate processes?

Answer 29

OpenProcess, GetCurrentProcess, and GetProcessHeap

Question 30

What three functions allow you to open and manipulate files?

Answer 30

ReadFile, CreateFile, and WriteFile

Question 31

What two functions allow you to search directories?

Answer 31

FindFirstFile and FindNextFile

Question 32

What three functions show that an executable has a GUI?

Answer 32

RegisterClassEx, SetWindowText, and ShowWindow

Question 33

What function is commonly used in spyware and is the most popular way that keyloggers receive keyboard inputs?

Answer 33

SetWindowsHookEx

Question 34

What function registers a hotkey so that whenever a hotkey combination is pressed the program is alerted?

Answer 34

RegisterHotKey

Question 35

What does the GDI32.dll tell you about an executable?

Answer 35

The software is graphics related and has a GUI

Question 36

What does the Advapi32.dll tell you about an executable?

Answer 36

The program uses the registry

Question 37

What does it mean when the software is in the Software\Microsoft\Windows\CurrentVersion\Run portion of the registry.

Answer 37

The program runs at startup.

Question 38

What is the LowLevelKeyboardProc function used for?

Answer 38

Used with the SetWindowsHookEx to specify which function will be called when a low-level keyboard event occurs

Question 39

What is the LowLevelMouseProc function used for?

Answer 39

Used with the SetWindowsHookEx to specify which function will be called when a low-level mouse event occurs