Static Analysis in Practice

Now that you understand the basics of static analysis, let’s examine some real malware. We’ll look at a potential keylogger and then a packed program.

PotentialKeylogger.exe: An Unpacked Executable

Table 1-2 shows an abridged list of functions imported by PotentialKeylogger.exe, as collected using Dependency Walker. Because we see so many imports, we can immediately conclude that this file is not packed.

Table 1-2. An Abridged List of DLLs and Functions Imported from PotentialKeylogger.exe

Kernel32.dll        User32.dll             User32.dll (continued)
CreateDirectoryW    BeginDeferWindowPos    ShowWindow
CreateFileW         CallNextHookEx         ToUnicodeEx
CreateThread        CreateDialogParamW     TrackPopupMenu
DeleteFileW         CreateWindowExW        TrackPopupMenuEx
ExitProcess         DefWindowProcW         ...
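Dependency Walker builds a list like Table 1-2 by reading the executable's import directory. The code below is an added example, not from the book or its lab files: a pure-Python walker over a PE32 import directory, plus build_sample_pe, an assumed helper that constructs a minimal in-memory PE image (function names borrowed from the table) so the walker can be run offline.

```python
import struct

def parse_imports(data: bytes) -> dict[str, list[str]]:
    """Walk a PE32 image's import directory and return {dll: [function, ...]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)   # COFF header
    imp_rva = struct.unpack_from("<I", data, pe + 24 + 104)[0]            # DataDirectory[1] = imports
    secs = [struct.unpack_from("<IIII", data, pe + 24 + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva: int) -> int:                                              # RVA -> file offset
        for vsize, vaddr, rsize, raw in secs:                              # (VirtualSize, VirtualAddress,
            if vaddr <= rva < vaddr + max(vsize, rsize):                   #  SizeOfRawData, PointerToRawData)
                return rva - vaddr + raw
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(rva: int) -> str:                                             # NUL-terminated ASCII string
        return data[off(rva):data.index(b"\0", off(rva))].decode("ascii")
    if not imp_rva:
        return {}
    imports, d = {}, off(imp_rva)
    while (desc := struct.unpack_from("<IIIII", data, d))[3]:              # Name == 0 ends the descriptors
        funcs, t = [], off(desc[0] or desc[4])                             # OriginalFirstThunk, else FirstThunk
        while (entry := struct.unpack_from("<I", data, t)[0]):
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry >> 31 else cstr(entry + 2))  # +2 skips hint
            t += 4
        imports[cstr(desc[3])], d = funcs, d + 20
    return imports

def build_sample_pe(imports: dict[str, list[str]]) -> bytes:
    """Constructed test input: a minimal PE32 holding only an import table (one section, RVA == offset)."""
    base, desc_size = 0x200, 20 * (len(imports) + 1)
    thunk_size = sum(4 * (len(fs) + 1) for fs in imports.values())
    descs, thunks, names = bytearray(), bytearray(), bytearray()
    for dll, fs in imports.items():
        dll_rva, thunk_rva = base + desc_size + thunk_size + len(names), base + desc_size + len(thunks)
        names += dll.encode() + b"\0"
        for f in fs:                                                       # IMAGE_IMPORT_BY_NAME: hint + name
            thunks += struct.pack("<I", base + desc_size + thunk_size + len(names))
            names += b"\0\0" + f.encode() + b"\0"
        thunks += bytes(4)
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, dll_rva, thunk_rva)
    body = descs + bytes(20) + thunks + names
    opt = struct.pack("<H", 0x10B) + bytes(102) + struct.pack("<II", base, desc_size) + bytes(112)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"       # DOS stub, e_lfanew = 0x40
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102) + opt    # COFF + optional header
    hdr += b".idata\0\0" + struct.pack("<IIII", len(body), base, len(body), base) + bytes(16)
    return hdr + bytes(base - len(hdr)) + body

if __name__ == "__main__":
    print(parse_imports(build_sample_pe({"KERNEL32.dll": ["CreateFileW"], "USER32.dll": ["CallNextHookEx"]})))
```

On a real sample, read the file in binary mode and pass the bytes to parse_imports; a near-empty result from a sizable binary is the packing indicator the text describes, while a full list like Table 1-2 is what you see from an unpacked file.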
