Analyzing The PE Header
- The PE header contains the information the Windows loader needs to map the file into memory and start it: where code and data live, which DLLs and functions it needs, and where execution begins.
- In static analysis we read that same information without running the sample, because it gives us a first glimpse of the executable's functionality and origin.
What information are we interested in?
- Compiler Stamp – When the file was linked (the TimeDateStamp field of the file header) and, from the linker version fields, which toolchain produced it. The stamp is attacker-controlled, so an implausible value (zero, in the future, years older than the campaign) is a signal in itself rather than ground truth.
- Subsystem – Which subsystem the image was built for: a console program (WINDOWS_CUI), a windowed program (WINDOWS_GUI) or a driver (NATIVE). A "GUI" binary that never creates a window is worth noting.
- Sections – Is the executable packed (non-standard section names, a tiny raw size next to a large virtual size, entropy close to 8.0, an entry point outside the code section) and are there any inconsistent permissions, such as a section that is both writable and executable.
- Libraries & Imports – Which DLLs and functions are imported, and what they imply about capability (VirtualAlloc plus WriteProcessMemory and CreateRemoteThread point at process injection, for example). A very short import table on a non-trivial binary usually means the real imports are resolved at runtime by a packer or by hand.
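The four items above are exactly the fields a triage tool reads out of the headers. The script below is an added example (not code from the course or from pestudio) that parses them directly from the raw bytes with only the standard library: the TimeDateStamp, the subsystem, the section table with permissions and per-section entropy, and the import table, and then derives the warnings a practitioner would look for. The `build_sample_pe()` fixture is a constructed two-section PE32 image, not a real sample; the section names, import names, entropy threshold of 7.0 and the 0x5C3A1F10 stamp are assumptions chosen for the demonstration.

```python
import math
import struct
import sys
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000  # winnt.h
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}  # the IMAGE_SUBSYSTEM_* values seen most often


def entropy(data):
    # Shannon entropy in bits per byte: compiled code is usually ~5-6.5, packed or encrypted data approaches 8.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(buf):
    # Pulls out the fields the list above asks for and derives triage warnings from them.
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]                     # IMAGE_DOS_HEADER.e_lfanew
    if buf[:2] != b"MZ" or buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, symbol ptr/count, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe_off + 4)
    opt = pe_off + 24                                                    # IMAGE_OPTIONAL_HEADER
    is64 = struct.unpack_from("<H", buf, opt)[0] == 0x20B                # Magic: 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", buf, opt + 16)[0]                   # AddressOfEntryPoint (RVA)
    subsystem = struct.unpack_from("<H", buf, opt + 68)[0]
    # Import table = data directory entry 1; the directory array starts at +96 (PE32) or +112 (PE32+).
    imp_rva = struct.unpack_from("<I", buf, opt + (112 if is64 else 96) + 8)[0]

    sections = []
    for i in range(nsec):                                               # IMAGE_SECTION_HEADER array follows the optional header
        name, vsize, va, rsize, raw, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        perms = "".join(f if chars & bit else "-" for f, bit in
                        (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE)))
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "va": va, "vsize": vsize,
                         "raw": raw, "rsize": rsize, "perms": perms, "entropy": entropy(buf[raw:raw + rsize])})

    def section_of(rva):
        return next((s for s in sections if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"])), None)

    def rva_to_off(rva):                                                # file offset backing an RVA, via its section
        s = section_of(rva)
        if s is None:
            raise ValueError(f"RVA {rva:#x} is not backed by any section")
        return rva - s["va"] + s["raw"]

    def cstr(off):
        return buf[off:buf.index(b"\0", off)].decode(errors="replace")

    imports = {}
    d = rva_to_off(imp_rva) if imp_rva else None
    while d is not None:                                                # IMAGE_IMPORT_DESCRIPTOR array, zero-terminated
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", buf, d)
        if name_rva == 0:
            break
        names, t, width = [], rva_to_off(oft or ft), 8 if is64 else 4  # walk the INT (or the IAT if the INT is absent)
        while (thunk := int.from_bytes(buf[t:t + width], "little")) != 0:
            is_ordinal = thunk >> (width * 8 - 1)                       # IMAGE_ORDINAL_FLAG is the top bit
            names.append(f"#{thunk & 0xFFFF}" if is_ordinal else cstr(rva_to_off(thunk) + 2))  # +2 skips Hint
            t += width
        imports[cstr(rva_to_off(name_rva)).lower()] = names
        d += 20

    warnings = []
    for s in sections:
        if "W" in s["perms"] and "X" in s["perms"]:
            warnings.append(f"{s['name']} is writable and executable")
        if s["entropy"] > 7.0:                                          # assumed threshold; tune per corpus
            warnings.append(f"{s['name']} has high entropy ({s['entropy']:.2f}), likely packed or encrypted")
    ep = section_of(entry)
    if ep is None or "X" not in ep["perms"]:
        warnings.append(f"entry point {entry:#x} is not inside an executable section")
    return {"machine": machine, "timestamp": stamp, "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "entry": entry, "sections": sections, "imports": imports, "warnings": warnings}


def build_sample_pe():
    # Constructed PE32 fixture, not a real sample: .text carries a ret and an import table for kernel32.dll,
    # UPX1 is writable+executable, holds the entry point and is filled with maximally random bytes.
    text = bytearray(0x200)
    def put(off, data): text[off:off + len(data)] = data
    put(0, b"\xC3")
    put(0x100, struct.pack("<IIIII", 0x1140, 0, 0, 0x1180, 0x1160))   # descriptor: INT, stamp, fwd, Name, IAT; zeros end it
    thunks = struct.pack("<IIII", 0x1190, 0x11A0, 0x80000012, 0)        # two imports by name, one by ordinal (18), end
    put(0x140, thunks); put(0x160, thunks)
    put(0x180, b"kernel32.dll\0"); put(0x190, b"\0\0VirtualAlloc\0"); put(0x1A0, b"\0\0WriteProcessMemory\0")
    packed = bytes(range(256)) * 2                                      # 0x200 bytes, every value twice: entropy 8.0
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x5C3A1F10, 0, 0, 0xE0, 0x102)   # i386, 2 sections, assumed stamp
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32
    struct.pack_into("<I", opt, 16, 0x3010)                             # AddressOfEntryPoint inside UPX1
    struct.pack_into("<H", opt, 68, 2)                                  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<II", opt, 96 + 8, 0x1100, 40)                    # import directory RVA and size
    def sec(name, va, raw, chars): return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw, 0, 0, 0, 0, chars)
    hdr = (dos + b"PE\0\0" + file_hdr + bytes(opt)
           + sec(b".text", 0x1000, 0x400, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
           + sec(b"UPX1", 0x3000, 0x600, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE))
    return hdr.ljust(0x400, b"\0") + bytes(text) + packed


if __name__ == "__main__":                                               # pass a file path, or run on the fixture
    report = parse_pe(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe())
    print({k: v for k, v in report.items() if k != "sections"})
    for s in report["sections"]:
        print(f"  {s['name']:<8} {s['perms']} raw={s['rsize']:#x} virt={s['vsize']:#x} entropy={s['entropy']:.2f}")
```

On the fixture this reports a GUI subsystem, the kernel32.dll imports VirtualAlloc, WriteProcessMemory and ordinal 18, and two warnings for UPX1 (writable and executable, entropy 8.00). The entropy threshold and the "entry point outside an executable section" rule are heuristics: a legitimate installer with a compressed overlay or a .NET image can trip them, so treat the warnings as prompts for a closer look, not as verdicts.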
Tools We Will Be Using
- Pestudio – A PE triage tool that presents the fields above (compiler stamp, subsystem, sections, libraries and imports) in one view and flags the suspicious values for you, which makes it a natural first stop in static analysis.