04 April 2017

I'm doing Windows malware research using machine learning methods. I read about the PE format, used dumpbin to dump PE files and found that there are many parts in there, e.g. .idata, .edata, .pdata, .data, .rdata, .sxdata, .text, .rsrc, .tls... But not all of them are used for actions/behaviours. I only care about their behaviours, and I want to reduce the large amount of data before the next steps. I asked this on Stack Overflow: one answer said that .text is the code part, while another person said: "Since you are analyzing malware, you shouldn't be looking at the name of the sections. It is not difficult for a malware developer to change the names of the sections, and the msvc compiler also allows you to create custom sections.

Instead what you should do is look at the characteristics of the sections. By reading the IMAGE_SECTION_HEADER, you can see whether the section contains executable code, static data, if it's writable, etc." I replied asking him for more detail, but still got no response. So please help me.

Thanks so much.

Here is the link to the Stack Overflow question:

http://stackoverflow.com/questions/42897034/which-parts-sections-of-pe-files-exe-dll-contain-most-their-behaviours
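The flag-based approach the quoted answer recommends, as an added example that is not part of the original post: a small Python parser that walks the DOS header, PE signature and COFF header to the IMAGE_SECTION_HEADER table and classifies each section by its Characteristics bits rather than its name. The PE blob it runs on is constructed inline (headers only, no real code) and deliberately gives a plain-data section the name .text and an executable section the name .data.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF spec)
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def parse_sections(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for _ in range(nsect):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
        f = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
        off += 40  # sizeof(IMAGE_SECTION_HEADER)
    return sections

def classify(sec):
    """Label a section by its flags, ignoring its (attacker-chosen) name."""
    c, tags = sec["chars"], []
    if c & (SCN_CNT_CODE | SCN_MEM_EXECUTE):
        tags.append("code")
    if c & SCN_CNT_INITIALIZED_DATA:
        tags.append("data")
    if c & SCN_MEM_WRITE and c & SCN_MEM_EXECUTE:
        tags.append("wx")  # writable + executable: typical of packers / unpacking stubs
    return tags

def build_sample() -> bytes:
    """Constructed header-only PE blob with misleading section names (no real code)."""
    def sec(name, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0)   # i386, 3 sections, no optional header
    return (dos + b"PE\0\0" + coff
            + sec(b".text", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ)        # named .text, but plain data
            + sec(b".data", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ)  # named .data, but executable
            + sec(b"UPX1", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE))

def code_sections(data: bytes):
    return [s["name"] for s in parse_sections(data) if "code" in classify(s)]
```

On a real sample, feeding only the sections tagged "code" (via raw_ptr and raw_size) to the feature extractor is the data reduction the post is after, without trusting section names.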
