Reverse Engineering Malware (Part 4)

by Don Parker
Sept. 1, 2017 · TechGenix · windows client security

Well, in part three of this article series we left off at the point where we recognized that the piece of malware was not a zipped archive, but rather a file in the PE format. We ascertained this by opening the piece of malware in a hex editor, which allowed us to examine its contents without actually executing it. You will remember that the characters “MZ” at the start of the file told us that this was the aforementioned PE file format. An important point to remember here is that all of this information is free for the having. There is nothing magical or mysterious about it. None of it is squirreled away in some government vault, unlike what the conspiracy theorists would have you believe. What I’m getting at here is that reverse engineering is more about digging deep and applying yourself than it is about some black art. Documentation on things such as the PE header can be easily obtained from the Microsoft website, or Google itself. Reverse engineering methodology and tools can ea...
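As an added example, not from the original article, the following Python script performs the same check programmatically, still without executing the file. “MZ” alone marks any DOS-era executable, so the script also follows the e_lfanew field at offset 0x3C to confirm the “PE\0\0” signature, then reads the machine type and section count from the COFF header; the header bytes it inspects are constructed inline, not taken from a real sample.

```python
import struct

# IMAGE_FILE_MACHINE values from the PE specification for the two common cases.
MACHINE_NAMES = {0x014C: "x86 (i386)", 0x8664: "x64 (AMD64)"}


def build_sample_pe(e_lfanew=0x40, machine=0x014C, sections=3):
    """Construct a minimal header image (not a runnable executable) for testing:
    a 64-byte DOS header with the MZ magic and e_lfanew, optional stub padding,
    the PE\\0\\0 signature, and a 20-byte COFF file header."""
    dos = bytearray(b"MZ" + b"\x00" * 58)        # IMAGE_DOS_HEADER up to e_lfanew
    dos += struct.pack("<I", e_lfanew)            # e_lfanew lives at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))        # DOS stub padding, if any
    coff = struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 224, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


def inspect_header(data):
    """Report what the leading bytes say about the file without running it.
    has_mz: DOS 'MZ' magic present; is_pe: 'PE\\0\\0' found at e_lfanew."""
    result = {"has_mz": False, "is_pe": False, "e_lfanew": None,
              "machine": None, "machine_name": None, "sections": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result                             # not even a DOS header
    result["has_mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    result["e_lfanew"] = e_lfanew
    # A plain DOS program or a damaged file also starts with MZ, so validate the
    # pointer before following it and require the PE signature to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return result
    result["is_pe"] = True
    machine, sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    result["machine"] = machine
    result["machine_name"] = MACHINE_NAMES.get(machine, "unknown (0x%04X)" % machine)
    result["sections"] = sections
    return result


if __name__ == "__main__":
    # Try the constructed PE header, a DOS-only MZ file, and a ZIP archive.
    for label, blob in [("constructed PE", build_sample_pe(e_lfanew=0x80)),
                        ("MZ without PE", b"MZ" + b"\x00" * 62),
                        ("zip archive", b"PK\x03\x04" + b"\x00" * 100)]:
        print(label, inspect_header(blob))
```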