Today was all about catching up on what I missed yesterday due to the power outage. I focused on finishing the labs, especially the ones related to Malware Analysis. It’s kind of like solving a puzzle, you have to dig into how a file behaves and figure out what it’s doing under the hood. There are two main types of analysis: static and dynamic.
- Static analysis means looking at the code or file without running it. You inspect the file to see what it might do.
- Dynamic analysis involves actually running the file in a safe environment to see what it does in real time.
Then I learned about the PE header. PE stands for Portable Executable, which is the file format used for Windows programs. A PE file usually doesn’t include all the code it needs to run. Instead, it uses functions provided by the Operating System (like Windows) to save space and avoid reinventing the wheel.
In simple terms: think of a PE file like a recipe. Instead of including the instructions for how to boil water, it just says “boil water” and trusts that the kitchen (the OS) already knows how to do that.
Next, I dove into the topic of strings. In computing, strings refer to sequences of characters – like words, names, or messages—that a program uses or displays. These can be hardcoded into the application, meaning they’re built into the file itself. For example, a program might store things like default usernames or error messages as strings.
Then things got a bit overwhelming, we moved on to x86 architecture. I learned about how a CPU works, including components like:
- Control Unit – the part of the CPU that directs operations (like a manager giving instructions).
- Arithmetic Logic Unit (ALU) – where the actual math and logic happen.
- Registers – small, fast storage areas inside the CPU.
Registers were tricky for me, so I’m going to try explaining them to see if it sticks.
Registers are the CPU’s way of quickly storing and accessing data while it’s working. They come in different types:
- Instruction Pointer (IP) – keeps track of the next instruction the CPU will run.
- General Purpose Registers – used to temporarily store data that the CPU is working on (like numbers or addresses).
- Status Flag Registers – keep track of things like whether the last operation resulted in zero or if there was an error.
- Segment Registers – help manage different parts of memory the program is using.
We also looked briefly at General-Purpose Registers like EAX, EBX, ECX, EDX, etc., but I won’t go deep into that now. Maybe another day.
Then I got a quick overview of memory, especially the stack. Here’s a super simple way to think about it:
- Stack Pointer (SP) – tells the CPU where the top of the stack is (like the last thing added).
- Base Pointer (BP) – marks a fixed point in the stack to help keep track of variables in functions.
After reviewing all that, I finally got to the static analysis lab I missed yesterday. I used FLARE VM, which is a virtual machine loaded with tools for reverse engineering and malware analysis. It’s like a sandbox environment built for this kind of work.
One of the tools I used was PE Studio. It gives more detailed info about the strings inside a file, like what type of text encoding it uses, how big the string is, where it’s found inside the file, and what it might be related to.
I also had a quick intro to capa, but I’ll save more on that for Thursday.
It was a pretty intense day trying to make up for lost time. The next few days are going to be tough too, especially balancing the TryHackMe pentesting path with the optional bootcamp rooms I need to finish.
