6.1 Inspecting File Dependencies and Imports

Usually, malware interacts with the file system, registry, network, and so on. To perform such interactions, malware frequently depends on the functions exposed by the operating system. Windows exports most of the functions required for these interactions, called Application Programming Interfaces (APIs), from Dynamic Link Library (DLL) files. Executables typically import and call these functions from various DLLs, each of which provides different functionality. The functions that an executable imports from other files (mostly DLLs) are called imported functions (or imports).

For example, if a malware executable wants to create a file on disk on Windows, it can use the CreateFile() API, which is exported by kernel32.dll. To call the API, it first has to load kernel32.dll into its memory and then call the CreateFile() function.

Inspecting the DLLs that a malware relies upon and the API functions that it imports from the DLLs can give an idea about the functionality and capability of malware and what to anticipate during its execution. The file dependencies in Windows executables are stored in the import table of the PE file structure.

In the following example, the spybot sample was loaded in pestudio. Clicking on the libraries button in pestudio displays all the DLL files the executable depends on and the number of imported functions imported from each DLL. These are the DLL files that will be loaded into the memory when the program is executed:

Clicking on the imports button in pestudio displays the API functions imported from those DLLs. In the following screenshot, the malware imports network-related API functions (such as connect, socket, listen, send, and so on) from wsock32.dll, indicating that the malware, upon execution, will most likely connect to the Internet or perform some network activity. pestudio highlights the API functions that are frequently used by malware in the blacklisted column. In subsequent chapters, the techniques to inspect API functions will be covered in more detail:

Sometimes, malware can load a DLL explicitly during runtime using API calls such as LoadLibrary() or LdrLoadDll(), and it can then resolve a function's address using the GetProcAddress() API. Information about DLLs and functions loaded this way will not be present in the import table of the PE file and therefore will not be displayed by tools such as pestudio that only parse the import table.

Information about an API function and what it does can be determined from MSDN (Microsoft Developer Network). Enter the API name in the search bar (https://msdn.microsoft.com/en-us/default.aspx) to get detailed information about the API.

In addition to determining the malware functionality, imports can help you detect whether a malware sample is obfuscated. If you come across a malware sample with very few imports, then it is a strong indication of a packed binary, because the packer stub usually keeps only the handful of APIs it needs to unpack and resolve the real imports at runtime.

To demonstrate that, let's compare the imports between the unpacked sample of spybot and the packed spybot sample. The following screenshot shows 110 imports in the unpacked spybot sample:

On the other hand, the packed sample of spybot shows only 12 imports:

Sometimes you might want to use Python to enumerate DLL files and imported functions (probably to work with a large number of files); this can be done using Ero Carrera's pefile module (https://github.com/erocarrera/pefile). The installation of the pefile module on the Ubuntu Linux VM was covered in Chapter 1, Introduction to Malware Analysis. If you are using any other operating system, then it can be installed using pip (pip install pefile). The following Python script demonstrates the use of the pefile module to enumerate the DLLs and the imported API functions:

import pefile
import sys

# Path to the sample is passed as the first command-line argument
mal_file = sys.argv[1]
pe = pefile.PE(mal_file)
# Some files (for example, heavily packed ones) have no import directory at all
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        # pefile returns the DLL name as bytes on Python 3, so decode it
        print(entry.dll.decode(errors='replace'))
        for imp in entry.imports:
            if imp.name is not None:
                print("\t%s" % imp.name.decode(errors='replace'))
            else:
                # Function imported by ordinal number rather than by name
                print("\tord(%s)" % str(imp.ordinal))
        print("\n")

The following is the result of running the preceding script against the spybot_packed.exe sample; from the output, you can see the list of DLLs and imported functions:

$ python enum_imports.py spybot_packed.exe
KERNEL32.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess

ADVAPI32.DLL
RegCloseKey

CRTDLL.DLL
atoi
[...REMOVED....]
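The following script is an added example (not from the book) that turns the observations above into a small triage check: it takes the DLL-to-function map produced by a walk like the one in the preceding script and flags the few-imports packing indicator, the LoadLibrary/GetProcAddress resolver-stub pattern, and per-DLL capability hints such as the wsock32.dll network clue. The import threshold, the DLL capability table, and the load_import_map() helper name are assumptions; the sample map is constructed from the packed spybot output shown above.

```python
# Imports a packer stub typically keeps so it can resolve the real API set
# itself at runtime (the LoadLibrary/GetProcAddress pattern described above).
RESOLVER_APIS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress", "LdrLoadDll"}
MEMORY_APIS = {"VirtualAlloc", "VirtualProtect", "VirtualFree"}

# DLL -> capability hint (an assumed table; extend it for your own triage).
DLL_CAPABILITIES = {
    "wsock32.dll": "network", "ws2_32.dll": "network", "wininet.dll": "network",
    "advapi32.dll": "registry/service", "kernel32.dll": "process/file/memory",
}

# Assumed threshold: the packed spybot sample has 12 imports and the unpacked
# one 110, so 20 separates the two cases comfortably.
FEW_IMPORTS_THRESHOLD = 20

def load_import_map(path):
    """Walk DIRECTORY_ENTRY_IMPORT with pefile into {dll: [function, ...]}."""
    import pefile  # imported lazily so triage_imports() runs without it
    result = {}
    for entry in getattr(pefile.PE(path), "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode(errors="replace")
        result[dll] = [imp.name.decode() if imp.name else "ord(%d)" % imp.ordinal
                       for imp in entry.imports]
    return result

def triage_imports(imports):
    """Return (total import count, list of findings) for a {dll: [names]} map."""
    total = sum(len(funcs) for funcs in imports.values())
    names = {name for funcs in imports.values() for name in funcs}
    findings = []
    if total < FEW_IMPORTS_THRESHOLD:
        findings.append("few imports (%d): possible packed binary" % total)
    if RESOLVER_APIS & names and MEMORY_APIS & names:
        findings.append("runtime API resolver plus memory APIs: unpacking stub")
    for dll in imports:
        cap = DLL_CAPABILITIES.get(dll.lower())
        if cap:
            findings.append("%s: %s capability" % (dll, cap))
    return total, findings

# Constructed input reproducing the packed spybot output shown above.
PACKED_SAMPLE = {
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "VirtualFree", "ExitProcess"],
    "ADVAPI32.DLL": ["RegCloseKey"],
    "CRTDLL.DLL": ["atoi"],
}
```

For a real file, pass load_import_map(path) to triage_imports(); remember that anything resolved at runtime through GetProcAddress() stays invisible to this static check.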