
File Type Identification

Identifying the file type is the first step of static analysis: it tells us which operating system the sample targets and which processor architecture it was built for, and therefore which tools and sandbox we need.

  • An example of a Windows executable format is the PE (Portable Executable).

    • A PE file can appear with extensions such as .exe, .dll, etc.

To accurately identify a file type we need to analyze the file signature (the "magic bytes") rather than trust the file extension. Extensions are easily faked, and double extensions such as a name that ends in a document extension followed by an executable one would otherwise cause false positives.

The file signature is located in the file header, at the very beginning of the file.

The file signature for PE files is the two bytes 4D 5A (ASCII "MZ") at offsets 0 and 1.

PE files also contain the DOS stub message "This program cannot be run in DOS mode" near the start of the file.

The PE header itself begins with the signature bytes 50 45 (ASCII "PE").

Note

Attackers may use archiving/packing to evade signature-based identification: a packed or archived sample exposes the packer's or archive container's signature instead of the PE signature, so it must be unpacked before the checks above tell us anything about the real payload.
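The following script is an added example, not part of the course material, showing how the checks described on this page are applied in practice: it classifies a blob by its leading bytes, confirms the "MZ" and "PE" signatures, looks for the DOS stub message, and flags names whose extensions claim a document type while the bytes are a PE. It goes slightly beyond the page by following the DOS header's e_lfanew field (offset 0x3C) to locate the PE signature and by reading the Machine field that follows it to report the target architecture. The magic-number table and the header-only sample PE built by build_sample_pe are constructed for this example and are not a runnable program.

```python
import struct

# Small constructed table of leading-byte signatures (real tools such as `file`
# or TrID ship far larger databases).
MAGIC_SIGNATURES = {
    b"MZ": "MZ executable (DOS/Windows PE candidate)",
    b"\x7fELF": "ELF executable (Linux/Unix)",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX/JAR/APK containers)",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary / Java class",
}

# IMAGE_FILE_HEADER.Machine values defined in the PE specification.
PE_MACHINE = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM (Thumb-2)",
    0xAA64: "ARM64",
}

DOS_STUB_MSG = b"This program cannot be run in DOS mode"

# Extensions that promise a harmless document type; used by extension_mismatch.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def identify(data: bytes) -> dict:
    """Classify a blob by its signature bytes, ignoring any file extension."""
    result = {"type": "unknown", "is_pe": False, "machine": None, "dos_stub": False}
    for magic, name in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            result["type"] = name
            break
    # Only MZ files can carry a PE header, and a full DOS header is 0x40 bytes.
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return result
    # e_lfanew at offset 0x3C holds the file offset of the "PE\0\0" signature.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    result["dos_stub"] = DOS_STUB_MSG in data[:pe_off]
    # Bounds check first: a truncated or corrupt sample must not raise.
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return result  # plain DOS executable, or damaged/packed header
    result["is_pe"] = True
    # IMAGE_FILE_HEADER starts right after the signature; Machine is its first WORD.
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    result["machine"] = PE_MACHINE.get(machine, f"unknown (0x{machine:04X})")
    return result


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when any extension in the name claims a document but the bytes are a PE."""
    exts = filename.lower().split(".")[1:]  # every extension after the base name
    return identify(data)["is_pe"] and any(e in DOCUMENT_EXTS for e in exts)


def build_sample_pe(machine: int = 0x8664) -> bytes:
    """Construct a header-only PE image for testing (constructed sample, not a program)."""
    pe_off = 0x80
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_off)
    stub = DOS_STUB_MSG + b".\r\n$"
    padding = b"\x00" * (pe_off - len(dos_header) - len(stub))
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return dos_header + stub + padding + b"PE\x00\x00" + file_header


if __name__ == "__main__":
    sample = build_sample_pe()
    print("invoice.pdf.exe ->", identify(sample))
    print("double extension suspicious:", extension_mismatch("invoice.pdf.exe", sample))
    print("archive ->", identify(b"PK\x03\x04" + b"\x00" * 26))
```

Running it against a real sample is a matter of passing the file's bytes to identify(). Note that a packed or zipped sample is reported as the container type (for example the ZIP archive line above) and never reaches the PE checks, which is exactly the evasion the note describes.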

