Static Analysis - The program itself is not run at this time (in contrast, dynamic analysis actually executes the program).
Sometimes the strings detected by the Strings program are not actual strings; those bytes could be a memory address, CPU instructions, or data used by the program. Often, the most useful information obtained by running Strings is found in error messages.
A DLL itself is not necessarily malicious; malware often uses legitimate libraries and DLLs to further its goals.
If, upon searching a program with Strings, you find that it has only a few strings, it is probably either obfuscated or packed, which suggests that it may be malicious.
Packed and obfuscated code will often include at least the functions LoadLibrary and GetProcAddress, which are used to load and gain access to additional functions.
- LoadLibrary : Loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded.
- GetProcAddress : Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
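The points above (Strings reporting byte runs that are not real text, a low string count as a packing indicator, and the LoadLibrary/GetProcAddress pair surviving in packed samples) can be checked with a small triage script. The following is an added example, not code from the original post or from the Strings tool; it implements its own Strings-style scanner and runs it over two constructed byte buffers that stand in for file contents (the samples, the `few_threshold` value and the error-message keywords are assumptions chosen for illustration).

```python
import re

# Imports that packed or obfuscated samples almost always keep, because the
# unpacking stub uses them to resolve everything else at runtime.
LOADER_IMPORTS = ("LoadLibraryA", "LoadLibraryW", "GetProcAddress")

# Crude keywords (an assumption) for spotting the error messages that are
# usually the most informative strings in a sample.
ERROR_MARKERS = ("error", "fail", "cannot", "unable")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs and UTF-16LE runs of at least min_len chars.

    Like the Strings tool, this scans raw bytes, so any printable run is
    reported whether it is text, an address, or instruction bytes.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def triage(data: bytes, few_threshold: int = 10) -> dict:
    """Summarise Strings output the way a first-pass static analysis would."""
    strs = extract_strings(data)
    loader = [s for s in strs if s in LOADER_IMPORTS]
    # Only multi-word strings count as messages; identifiers such as
    # GetLastError contain "error" but are API names, not messages.
    errors = [s for s in strs
              if " " in s and any(k in s.lower() for k in ERROR_MARKERS)]
    return {
        "string_count": len(strs),
        "loader_imports": loader,
        "error_messages": errors,
        # Few strings overall, yet the loader pair is present: packing indicator.
        "likely_packed": len(strs) < few_threshold and len(loader) > 0,
    }


# Constructed stand-ins for file contents; these are not real binaries.
NORMAL_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 8
    + b"KERNEL32.dll\x00CreateFileA\x00ReadFile\x00WriteFile\x00CloseHandle\x00"
    + b"GetLastError\x00LoadLibraryA\x00GetProcAddress\x00"
    + b"ADVAPI32.dll\x00RegOpenKeyExA\x00" + b"\x00" * 4
    + "Error: unable to open config file %s\n".encode("utf-16-le")
)

# Non-printable filler standing in for compressed code; yields no strings.
NOISE = b"\x8b\xec\x83\xe4\xf8\x00\x0f\x1f" * 32
PACKED_SAMPLE = (
    b"MZ\x90\x00" + NOISE
    + b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress\x00" + NOISE
    # inc eax / inc ecx / inc edx / inc ebx: instruction bytes that happen to
    # be printable, so Strings reports them as the bogus string "@ABC".
    + b"\x40\x41\x42\x43" + NOISE
)


if __name__ == "__main__":
    for name, sample in (("normal", NORMAL_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, triage(sample))
```

Running it shows the normal sample with a dozen strings, two readable error messages and no packing verdict, while the packed sample yields only four strings (one of them the bogus `@ABC` run) yet still carries `LoadLibraryA` and `GetProcAddress`, which is exactly the pattern the notes above describe.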