<Malware Analysis Study>/<Practical Malware Analysis>

[Chapter 1] Basic analysis knowledge

gosoeungduk 2021. 7. 25. 15:52

Basic analysis knowledge

  • How Microsoft programs are linked
  • Windows library files (.dll) that are commonly used
  • Function naming conventions

Only the parts worth recalling again are summarized here.

1. How Microsoft programs are linked

Microsoft programs use three kinds of linking: static, runtime, and dynamic linking.

I only deal with the runtime linking method here.

Runtime linking is commonly used in malware, especially when it is packed or obfuscated.

An .exe that uses runtime linking connects to a library only at the moment a function from it is needed, unlike a dynamically linked program, whose dependencies are declared up front in its import table.

Windows provides functions that let a program import linked functions that are not listed in its PE file header. The two most commonly used are LoadLibrary and GetProcAddress; LdrLoadDll and LdrGetProcAddress are also used for the same purpose.

Nevertheless, identifying the libraries and functions listed in the PE header is still important, because it lets us guess at what the program does.


2. Windows library files (.dll) that are commonly used

Kernel32.dll : core functionality; manages access to and manipulation of memory, files, and hardware.
Advapi32.dll : provides access to core Windows components such as the Registry.
User32.dll : contains all the user-interface components, such as buttons, scroll bars, and things for controlling and responding to user actions.
Gdi32.dll : functions for displaying graphics.
Ntdll.dll : the interface to the Windows kernel. It is usually imported indirectly through Kernel32.dll rather than listed directly in the PE file. If an executable imports this DLL directly, the author intended to use functionality not normally available to Windows programs, such as hiding functionality or manipulating processes.
WSock32.dll (and Ws2_32.dll) : networking DLLs.
Wininet.dll : higher-level networking functions that implement protocols such as FTP and HTTP.

You can inspect the libraries a PE file imports with Dependency Walker on Windows 10.


3. Function naming conventions

When Microsoft updates a function and the new function is incompatible with the old one, Microsoft continues to support the old function.

The new function is given the same name as the old function, with an added Ex suffix. Functions that have been significantly updated twice have two Ex suffixes in their names.

Many functions that take strings as parameters include an A or a W at the end of their names, such as CreateDirectoryW. This letter does not appear in the documentation for the function; it simply indicates that the function accepts a string parameter and that there are two different versions of the function: one for ASCII strings and one for wide character strings.

Remember to drop the trailing A or W when searching for the function in the Microsoft documentation.
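The three points above (runtime-linking functions in section 1, DLLs worth noticing in section 2, and the A/W and Ex suffixes in section 3) are exactly what an analyst applies to an import list during first-pass static triage. The script below is an added example, not code from the book or from this post. It assumes the import list has already been extracted as (dll, function) pairs by a tool such as Dependency Walker or a PE parser; the sample list inside it is constructed for illustration and does not come from any real binary.

```python
"""Static import-table triage using the heuristics from sections 1-3.

Added example (not from the book or the original post). Assumes the
import list is already available as (dll, function) pairs, e.g. exported
from Dependency Walker or a PE parser.
"""
from collections import defaultdict

# Section 1: base names of functions that resolve imports at run time,
# i.e. without the function appearing in the PE import table.
RUNTIME_LINKING_APIS = {"LoadLibrary", "GetProcAddress",
                        "LdrLoadDll", "LdrGetProcAddress"}

# Section 2: DLLs whose presence hints at the program's intent.
NOTABLE_DLLS = {
    "ntdll.dll": "direct kernel interface; unusual for ordinary programs",
    "advapi32.dll": "registry and other core component access",
    "wsock32.dll": "networking",
    "ws2_32.dll": "networking",
    "wininet.dll": "higher-level networking (HTTP, FTP)",
}


def normalize_api_name(name):
    """Split an API name into (base, charset, ex_level) per section 3.

    'RegCreateKeyExW' -> ('RegCreateKey', 'W', 1)
    The trailing A/W is only stripped when it follows a lowercase letter,
    so a name whose last word merely ends in a capital (e.g. 'GetDC') is
    left alone. The Ex check is lexical; a name that genuinely ends in
    the letters 'ex' (such as '...Index') cannot be told apart without
    the documentation, which is the caveat the text warns about.
    """
    charset = None
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        charset = name[-1]
        name = name[:-1]
    ex_level = 0
    while len(name) > 2 and name.endswith("Ex") and name[-3].isalnum():
        ex_level += 1
        name = name[:-2]
    return name, charset, ex_level


def triage_imports(imports):
    """Summarize (dll, function) pairs for a first look at a PE file.

    Returns a dict with:
      runtime_linking - imported functions that resolve imports at run time
      notable_dlls    - imported DLLs from NOTABLE_DLLS with their note
      by_dll          - normalized base names grouped per DLL (lowercased)
      doc_names       - name to search in the Microsoft documentation:
                        A/W dropped, Ex suffixes kept (they are documented)
    """
    runtime, notable = set(), {}
    by_dll, doc_names = defaultdict(set), {}
    for dll, func in imports:
        dll_l = dll.lower()
        base, _charset, ex_level = normalize_api_name(func)
        by_dll[dll_l].add(base)
        doc_names[func] = base + "Ex" * ex_level
        if base in RUNTIME_LINKING_APIS:
            runtime.add(func)
        if dll_l in NOTABLE_DLLS:
            notable[dll_l] = NOTABLE_DLLS[dll_l]
    return {"runtime_linking": runtime, "notable_dlls": notable,
            "by_dll": dict(by_dll), "doc_names": doc_names}


# Constructed sample import list (not from a real binary).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "CreateDirectoryW"),
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("ADVAPI32.dll", "RegCreateKeyExW"),
    ("ntdll.dll", "NtQuerySystemInformation"),
    ("WININET.dll", "InternetOpenUrlA"),
]


def report(imports):
    """Render the triage result as lines of text for the analyst."""
    r = triage_imports(imports)
    lines = []
    if r["runtime_linking"]:
        lines.append("runtime linking indicators: "
                     + ", ".join(sorted(r["runtime_linking"])))
    for dll, note in sorted(r["notable_dlls"].items()):
        lines.append(f"notable DLL {dll}: {note}")
    for dll, bases in sorted(r["by_dll"].items()):
        lines.append(f"{dll}: {', '.join(sorted(bases))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_IMPORTS)))
```

A LoadLibrary/GetProcAddress pair in the import table is only a hint: it tells you the static import list is probably incomplete, so the functions actually used must be recovered from disassembly, a debugger, or behavioural monitoring rather than from the PE header alone.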
