1 vote

I'm doing Windows malware research using machine learning methods. I read the PE format, used dumpbin to extract PE files and found that there are many parts in there, e.g. .idata .edata .pdata .data .rdata .sxdata .text .rsrc .tls... But not all of them are used for actions/behaviours. I just care about their behaviours and want to reduce the large data before the next steps. Thanks

What do you mean by behaviour? If you mean what it does, see the .text section, which has code. If you mean what it uses, see the .idata section, which has information about DLL imports. - ikh
@ikh yes sir, I mean code, their actions, their business. And I find .rdata is the DLL import part. Is there something wrong here? The .text section has a large size of raw data, so I think you're right here. If you're sure, just correct me. Thanks - chickensoup
The .rdata section is for Read-only DATA and the .idata section is for DLL Import DATA. - ikh
@ikh oh. I just found what you said in the PE/COFF doc from Microsoft. But the result their tool (dumpbin) gave me is a bit different. There's no .idata here. Here is what dumpbin output when run on putty.exe. Or they just omitted it and I misunderstood. - chickensoup

3 Answers

4 votes

Since you are analyzing malware, you shouldn't be looking at the names of the sections. It is not difficult for a malware developer to change the names of the sections, and the MSVC compiler also allows you to create custom sections.

Instead, what you should do is look at the characteristics of the sections. By reading the IMAGE_SECTION_HEADER, you can see whether the section contains executable code or static data, whether it is writable, etc.

1 vote

I found an official doc from Microsoft. Here, just download the Word files. I read that .text is the code section.

1 vote

I figured it out with help from @user2073973. He means the section has the word "Code" in its section header. Like this:

SECTION HEADER #1
   .text name
   522B9 virtual size
    1000 virtual address (00401000 to 004532B8)
   52400 size of raw data
     400 file pointer to raw data (00000400 to 000527FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

He was right: not only the .text section has Code; a custom-named section also has Code there.
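One way to apply the check from the 4-vote answer and from the dumpbin listing above (read the Characteristics field of each IMAGE_SECTION_HEADER instead of trusting the section name), written in Python as an added example that is not part of any answer on this page. The PE bytes it parses are a constructed header-only skeleton; the build_sample_pe helper and the section names .data and .stub are assumptions made for the demonstration.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = [(IMAGE_SCN_CNT_CODE, "Code"), (IMAGE_SCN_CNT_INITIALIZED_DATA, "Initialized Data"),
              (IMAGE_SCN_MEM_EXECUTE, "Execute"), (IMAGE_SCN_MEM_READ, "Read"), (IMAGE_SCN_MEM_WRITE, "Write")]
SECTION_HDR = "<8sIIIIIIHHI"  # the 40-byte IMAGE_SECTION_HEADER layout

def describe(chars):
    """Flag names the way dumpbin prints them, e.g. 0x60000020 -> Code, Execute, Read."""
    return [label for bit, label in FLAG_NAMES if chars & bit]

def parse_sections(pe):
    """Return [(name, characteristics)] for each section header in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # section table follows the optional header
    return [(f[0].rstrip(b"\0").decode("ascii", "replace"), f[9])
            for f in (struct.unpack_from(SECTION_HDR, pe, table + 40 * i) for i in range(num_sections))]

def code_sections(pe):
    """Names of sections that hold code or are executable, whatever they are called."""
    return [n for n, c in parse_sections(pe) if c & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)]

def build_sample_pe(sections):
    """Constructed header-only PE32 skeleton (not a real program) used as sample input."""
    opt = b"\x0b\x01" + b"\0" * 222                      # PE32 magic + zero-filled optional header (224 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    pe = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    for name, chars in sections:
        pe += struct.pack(SECTION_HDR, name.ljust(8, "\0").encode(), 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return pe

SAMPLE = build_sample_pe([
    (".text", 0x60000020),                                                   # exactly the flags in the dumpbin output
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".stub", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),  # custom name, still code
])
```

Running code_sections(SAMPLE) returns both .text and the custom-named .stub while skipping .data, which is the name-independent classification the answers recommend for feature extraction.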