Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Back: Packed and Obfuscated Malware
Next: Linked Libraries and Functions

So far, we have discussed tools that scan executables without regard to their format. However, the format of a file can reveal a lot about the program’s functionality.

The Portable Executable (PE) file format is used by Windows executables, object code, and DLLs. The PE file format is a data structure that contains the information necessary for the Windows OS loader to manage the wrapped executable code. Nearly every file with executable code that is loaded by Windows is in the PE file format, though some legacy file formats do appear on rare occasion in malware.

PE files begin with a header that includes information about the code, the type of application, required library functions, and space requirements. The information in the PE header is of great value to the malware analyst.
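As an added illustration, not from the book, the following script walks the first structures of a PE header (DOS header, PE signature, COFF file header and optional header) and pulls out exactly the kind of facts the paragraph above mentions: the target machine, whether the file is an EXE or a DLL, its subsystem and the memory it asks the loader to reserve. The sample bytes are constructed inline (a minimal PE32 header, not a real program) so the script runs offline; the field offsets come from the PE/COFF specification.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
MACHINES = {0x14C: "x86", 0x8664: "x64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}


def parse_pe_header(data):
    """Return the loader-relevant facts from a PE header, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4                                       # COFF file header
    machine, nsections, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, fh)
    opt = fh + 20                                           # optional header
    (magic,) = struct.unpack_from("<H", data, opt)          # 0x10B PE32, 0x20B PE32+
    (entry,) = struct.unpack_from("<I", data, opt + 16)     # AddressOfEntryPoint
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "bits": 64 if magic == 0x20B else 32,
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_point": entry,
        "size_of_image": size_of_image,   # virtual memory the loader must reserve
        "size_of_headers": size_of_headers,
    }


def build_sample():
    """Constructed minimal PE32 header (no code, not runnable) for demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<II", opt, 56, 0x5000, 0x400)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                      # Subsystem: console
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample()).items():
        print(f"{key:16} {value}")
```

Replace `build_sample()` with the bytes of a real file (the first 4 KB is enough) to see the same fields for an actual sample.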
