lab5

This document outlines a lab focused on cybersecurity attacks and detection, specifically emphasizing hashing, file signatures, and the use of PEstudio. It explains how hashing serves as a unique identifier for malware and discusses the challenges posed by packed and obfuscated malware. Additionally, it details the Portable Executable (PE) file format and the significance of its header for malware analysis.
CYBERSECURITY ATTACKS AND DETECTION

LAB 5

FILE IDENTIFICATION
Lab Objective:
Learn about:
• Hashing
• File Signature
• PEstudio

Lab tools
• Hex Editor
https://mh-nexus.de/en/hxd/
• Pestudio
https://www.winitor.com/download
HASHING

Hashing: A Fingerprint for Malware

Hashing is a common method used to uniquely identify malware. The malicious
software is run through a hashing program that produces a unique hash that
identifies that malware (a sort of fingerprint). The Message-Digest Algorithm 5
(MD5) hash function has historically been the one most commonly used for
malware analysis, and the Secure Hash Algorithm 1 (SHA-1) is also popular. Both
now have practical collision attacks, so record SHA-256 alongside them and
treat MD5 and SHA-1 as lookup keys for older databases rather than as proof of
a file's identity. A hash identifies one exact sequence of bytes: renaming the
file does not change it, but changing a single byte produces a completely
different hash, which is why a hash lookup finds only exact copies and not
repacked or patched variants of the same malware.
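As an added example (not part of the lab handout), the script below computes the three digests a hash tool would report, shows that flipping one bit changes every digest completely, and performs the exact-match lookup that a known-bad hash list supports. The sample bytes and the known-bad set are constructed for illustration and are not real malware indicators.

```python
"""Added example: hashing a file as a malware fingerprint (not from the lab handout)."""
import hashlib

# Constructed stand-in for a sample file (not real malware): a DOS 'MZ' stub plus
# filler. The content is arbitrary; what matters is that it is fixed.
SAMPLE = (b"MZ" + b"\x90" * 62
          + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 400)

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of an in-memory sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for a file on disk, streamed in chunks so a large sample is
    never loaded whole; every chunk is fed to all three hashers in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def flip_one_bit(data: bytes, offset: int) -> bytes:
    """Copy of data with the lowest bit of the byte at `offset` toggled."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def hex_positions_differing(a: str, b: str) -> int:
    """Number of hex digits at which two digests of equal length differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


def match_known_bad(data: bytes, known_bad: dict) -> list:
    """Exact-match lookup, as a scanner or threat-intel feed does it.
    known_bad maps algorithm name -> set of hex digests. Returns the algorithms
    whose digest of `data` was found; a repacked or patched variant returns []."""
    digests = hash_bytes(data)
    return [name for name in ALGORITHMS
            if digests[name] in known_bad.get(name, set())]


# Constructed "known-bad" list holding the sample's own SHA-256 (illustration only).
KNOWN_BAD = {"sha256": {hash_bytes(SAMPLE)["sha256"]}}


if __name__ == "__main__":
    original = hash_bytes(SAMPLE)
    patched = hash_bytes(flip_one_bit(SAMPLE, 100))
    for name in ALGORITHMS:
        changed = hex_positions_differing(original[name], patched[name])
        print(f"{name:7} {original[name]}")
        print(f"{'':7} {patched[name]}  (1 bit flipped: {changed}/{len(original[name])} hex digits differ)")
    print("original matches known-bad:", match_known_bad(SAMPLE, KNOWN_BAD))
    print("patched  matches known-bad:", match_known_bad(flip_one_bit(SAMPLE, 100), KNOWN_BAD))
```

Run it as a script to see the avalanche effect; call hash_file() on a real sample to get the same three digests a hash tool prints. The lookup returning [] for the one-bit variant is the limitation to remember: hash matching catches known files, not modified ones.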
Hash Tool
Packed and Obfuscated Malware

Malware writers often use packing or obfuscation to make their files more difficult to
detect or analyze. Obfuscated programs are ones whose execution the malware author has
attempted to hide. Packed programs are a subset of obfuscated programs in which the
malicious program is compressed (and often encrypted) and wrapped in a small unpacking
stub; the original code only exists in memory after the stub has run, so static
analysis of the file on disk sees the stub and a blob of high-entropy data rather than
the real program. Both techniques will severely limit your attempts to statically
analyze the malware. Typical signs of a packed file are very few imported functions,
section names belonging to a known packer (UPX0 and UPX1, for example), and sections
whose entropy is close to 8 bits per byte; PEstudio shows all three.
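An added example, not from the lab handout, of two of the static checks PEstudio makes when it flags a packed file: known packer section names and per-section entropy. The section contents are constructed (zlib stands in for the packer's compressor, seeded random bytes for an encrypted layer), and the packer-name list is a partial one from the author's notes, not an exhaustive catalogue.

```python
"""Added example: packing indicators from section names and entropy (not from the lab)."""
import math
import random
import zlib
from collections import Counter

# Section names left behind by some well-known packers. Partial list (assumption:
# only names the author recognises reliably); absence proves nothing, packers can
# rename sections.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".MPRESS1", ".MPRESS2",
    ".vmp0", ".vmp1", ".petite",
}
HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_section(name: str, data: bytes) -> dict:
    """Flag a section on packer name or entropy. Either hit alone is a hint, not
    proof: very small sections give unreliable entropy values."""
    ent = shannon_entropy(data)
    reasons = []
    if name in PACKER_SECTION_NAMES:
        reasons.append(f"section name {name!r} belongs to a known packer")
    if ent >= HIGH_ENTROPY:
        reasons.append(f"entropy {ent:.2f} >= {HIGH_ENTROPY} (compressed or encrypted data)")
    return {"name": name, "size": len(data), "entropy": round(ent, 3),
            "suspicious": bool(reasons), "reasons": reasons}


def build_sample_sections() -> dict:
    """Constructed section contents standing in for a real binary (assumption: not
    taken from any sample). zlib plays the packer's compression stage."""
    rng = random.Random(1234)
    opcode_soup = b"\x00\x48\x89\xe5\x8b\x45\xfc\xc3\xff\x55\x90\x5d\x83\xec\x10\x31"
    code = bytes(rng.choice(opcode_soup) for _ in range(4096))       # unpacked code: low entropy
    strings = b"Usage: sample.exe <input file>\r\nerror: cannot open file\r\n" * 64
    packed = zlib.compress(code + strings, 9)                        # packed payload
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))       # encrypted layer
    return {".text": code, ".rdata": strings, "UPX1": packed, ".vmp0": encrypted}


def packing_report(sections: dict) -> list:
    """Assess every section; the analyst decides whether the hits justify unpacking first."""
    return [assess_section(name, data) for name, data in sections.items()]


if __name__ == "__main__":
    for row in packing_report(build_sample_sections()):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{row['name']:<8} {row['size']:>6} bytes  entropy {row['entropy']:.3f}  {flag}")
        for reason in row["reasons"]:
            print(f"         - {reason}")
```

The unpacked code and string sections stay well under the threshold because they draw from a small alphabet of byte values; the compressed and random sections approach 8 bits per byte. Feed packing_report() the section contents of a real file (PEstudio's section view gives the raw offsets and sizes) to apply the same test.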
Portable Executable File Format

So far, we have discussed tools that scan executables without regard to their
format. However, the format of a file can reveal a lot about the program’s
functionality. The Portable Executable (PE) file format is used by Windows
executables, object code, and DLLs. The PE file format is a data structure that
contains the information necessary for the Windows OS loader to manage the
wrapped executable code. Nearly every file with executable code that is loaded
by Windows is in the PE file format, though some legacy file formats do appear
on rare occasion in malware.
PE files begin with a header that includes information about the code, the type
of application, required library functions, and space requirements. The
information in the PE header is of great value to the malware analyst.
PE HEADER SUMMARY
The PE header contains useful information for the malware analyst,
and we will continue to examine it in subsequent chapters. Table 1-7
reviews the key information that can be obtained from a PE header.
Pestudio
Hex Editor and Disk Editor

FILE SIGNATURES TABLE

https://www.garykessler.net/library/file_sigs.html
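As an added example that is not part of the lab or of PEstudio, the script below does by hand what the two tools above do: it matches a file's leading bytes against a few entries in the style of the linked signature table, reports a mismatch between extension and magic bytes, and walks the PE header to the fields an analyst reads first (machine, PE32 or PE32+, DLL flag, compile timestamp, subsystem, entry point, section table). The sample PE is constructed headers only, so it is neither runnable nor malicious, and the signature entries are a handful of common ones rather than the full table.

```python
"""Added example: file signature check and PE header walk (not from the lab handout)."""
import os
import struct
from datetime import datetime, timezone

# A few entries in the style of the linked file-signature table (magic bytes at offset 0).
SIGNATURES = [
    (b"MZ", "Windows PE / DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/JAR/APK)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (DOC/XLS/MSI)"),
]
EXPECTED_BY_EXTENSION = {
    ".exe": "Windows PE / DOS executable", ".dll": "Windows PE / DOS executable",
    ".pdf": "PDF document", ".png": "PNG image", ".jpg": "JPEG image",
    ".zip": "ZIP archive (also DOCX/XLSX/JAR/APK)", ".docx": "ZIP archive (also DOCX/XLSX/JAR/APK)",
}
MACHINE = {0x14C: "x86 (I386)", 0x8664: "x64 (AMD64)", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "native", 2: "Windows GUI", 3: "Windows console"}
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def identify(data: bytes):
    """Type named by the file's leading bytes, or None if no table entry matches."""
    for magic, description in SIGNATURES:
        if data.startswith(magic):
            return description
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one known type and the magic bytes say another,
    e.g. an 'invoice.pdf' whose content starts with MZ."""
    expected = EXPECTED_BY_EXTENSION.get(os.path.splitext(filename)[1].lower())
    actual = identify(data)
    return expected is not None and actual is not None and actual != expected


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature at e_lfanew")
    coff = e_lfanew + 4                                              # 20-byte COFF file header
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                                  # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]          # Subsystem (same offset in PE32 and PE32+)
    sections = []
    for i in range(nsections):                                       # 40-byte section headers follow the optional header
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_offset": rawptr,
            # writable + executable memory is a common packer / self-modifying-code tell
            "writable_and_executable": bool(flags & IMAGE_SCN_MEM_EXECUTE) and bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "compile_timestamp": timestamp,
        "compile_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "entry_point": entry_point,
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ headers (assumption: a stand-in, not a real binary).
    Parseable, but there is no code behind the section table, so it will never run."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header right after the DOS header
    opt = bytearray(240)                                      # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                     # Magic = PE32+
    struct.pack_into("<I", opt, 16, 0x1000)                   # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, 2)                        # Subsystem = Windows GUI
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, len(opt), 0x0022)
    table = [(b".text", 0x800, 0x1000, 0x800, 0x400, 0x60000020),   # code | execute | read
             (b"UPX1", 0x3000, 0x2000, 0x2C00, 0xC00, 0xE0000040)]  # data | execute | read | write
    headers = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, f)
                       for n, vs, va, rs, rp, f in table)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


if __name__ == "__main__":
    sample = build_sample_pe()
    print("signature:", identify(sample), "| mismatch if named invoice.pdf:", extension_mismatch("invoice.pdf", sample))
    info = parse_pe(sample)
    for key in ("machine", "format", "is_dll", "compile_time_utc", "subsystem"):
        print(f"{key:18}: {info[key]}")
    print(f"{'entry_point':18}: {info['entry_point']:#x}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x} W+X={s['writable_and_executable']}")
```

Compare the output with the same fields in PEstudio's header and section views for a real file; the offsets used here (e_lfanew at 0x3C, the 20-byte COFF header, Subsystem at +68 in the optional header, 40-byte section headers) are the ones to locate when reading the file in the hex editor.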