STATIC ANALYSIS BASICS
Mount the live Sysinternals tools share (WebDAV; browse it in Explorer or map a drive letter with net use):
C:\\> net use * \\\\live.sysinternals.com\\tools
Signature check of DLL and EXE files (-e scans executable images only, -u reports only unsigned files; add -s to recurse into subdirectories):
Ref. http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
C:\\> sigcheck.exe -u -e C:\\<DIRECTORY>
Query VirusTotal by hash (-v performs the lookup, -vt accepts the VirusTotal terms of service; -vs would also upload files VirusTotal has not seen, so do not use it on sensitive samples):
C:\\> sigcheck.exe -vt -v <SUSPICIOUS FILE NAME>
Windows PE Analysis:
View hex and ASCII of a PE (.exe, or any other file); -n 500 limits hexdump to the first 500 bytes:
hexdump -C -n 500 <SUSPICIOUS FILE NAME>
od -x somefile.exe
xxd somefile.exe
In Windows using the 16-bit debug tool (present on 32-bit Windows only; it is absent from 64-bit Windows; works on other file types too, not just PE):
C:\\> debug <SUSPICIOUS FILE NAME>
-d (dump the next page of hex; repeat d to page through the file)
-q (quit the debugger)
Windows PE analysis: PE file compile date/time Perl script below (Windows PE only). Ref. https://www.perl.org/get.html Ref. http://www.perlmonks.org/bare/?node_id=484287
The COFF TimeDateStamp is written by the linker and stored in the file, so a packer or the author can set it to anything, and reproducible builds (MSVC /Brepro) store a hash there instead of a time; treat the value as a clue, not as proof of when the sample was built.
C:\\> perl.exe <SCRIPT NAME>.pl <SUSPICIOUS FILE NAME>

```perl
#! perl -slw
use strict;

# Read the first 64 KiB in binary mode; the DOS header and, for nearly all
# binaries, the PE header fall inside it.
open EXE, '<:raw', $ARGV[0] or die "$ARGV[0] : $!";
my $dos = do { local $/ = \65536; <EXE> };

die "$ARGV[0] is not a .exe or .dll (sig='${ \substr $dos, 0, 2 }')"
    unless substr( $dos, 0, 2 ) eq 'MZ';

# e_lfanew at offset 60 points at the 'PE\0\0' signature; the COFF
# TimeDateStamp follows 8 bytes later (signature 4, Machine 2, NumberOfSections 2).
my $coffoff = 8 + unpack 'x60 V', $dos;

# If the PE header lies beyond the first 64 KiB, read up to and including the stamp.
read( EXE, $dos, $coffoff - 65536 + 4, 65536 ) or die $!
    if $coffoff > 65536;

my $ts = unpack "x$coffoff V", $dos;

print "$ARGV[0] : ", defined $ts
    ? ( scalar( localtime $ts ) || "has unfathomable timestamp value $ts" )
    : 'has no timestamp';

__END__
```
View strings within a PE; the optional -n option sets the minimum string length (default 4 for GNU strings, 3 for Sysinternals strings). Using strings in Linux (ASCII only by default; add -e l to also pull UTF-16LE strings, which Windows binaries use heavily):
strings -n 10 <SUSPICIOUS FILE NAME>
Ref. https://technet.microsoft.com/en-us/sysinternals/strings.aspx Using strings in Windows (Sysinternals strings reports both ASCII and Unicode strings by default):
C:\\> strings <SUSPICIOUS FILE NAME>