windows exe portable-executable malware dumpbin

Which parts/sections of PE files (.exe .dll) contain most their behaviours?

I’m doing Windows malware research by machine learning method. I read the PE format, using dumpbin to extract PE files and found that there are many parts in there. Eg:.idata .edata .pdata .data .rdata .sxdata .text .rscr .tls... But not all of them are used for actions/behaviours. I just care about their behaviours and to reduce the large data before the next steps. Thanks

Solution

Since you are analyzing malware, you shouldn't be looking at the name of the sections. It is not difficult for a malware developer to change the names of the sections, and the msvc compiler also allows you to create custom sections.

Instead what you should do, is look at the characteristics of the sections. By reading the IMAGE_SECTION_HEADER, you can see whether the section contains executable code, static data, if its writable, etc.

How to Enumerate Threads using CreateToolhelp32Snapshot and Python ctypes?
Problem when adding dependencies to pyinstaller using poetry to manage dependencies
Is there any way to run a Flutter app through background on macOS or Windows desktop?
How do I allocate space to call GetInterfaceInfo using the windows crate?
Are there issues with DTN_DATETIMECHANGE breakpoints and the date time picker control?
Rust Windows Crate CreateWindowExW
Docker compose V2: unknown shorthand flag 'f' (windows)
Unicode (utf-8) with git-bash
Cannot locate tkinter icon file when using pyinstaller with poetry on Windows10
Why my ActiveMQ doesn't start
How do I determine a mapped drive's actual path?
How to find version of an application installed using c#
How to detect Windows 8 Operating system using C# 4.0?
"Run with PowerShell" gives execution policy error but running directly in PowerShell window does not
Which comment style should I use in batch files?
What is the closest thing Windows has to fork()?
NPM: npm-cli.js not found when running npm
Can PyTorch GPU Use Shared GPU Memory (from RAM, shows in Windows Task Manage)?
Pipe dot graphviz with echo windows from command line gives corrupted output
How to modify ~/.ssh folder & files in windows?
How to save python script output in GitHub Actions running on windows-latest?
Why is my VS Code always opened with the default profile?
Where is MySQL's my.ini located on Windows?
nmake: using environment variables and falling back to default values
Build shared library with static library
many missing .lib files in the installed OpenCV3.2.0 for Windows 10 64bit
Why does a module from the WinApi crate not exist when its in the docs?
"continue" equivalent command in nested loop in Windows Batch
How to Intentionally cause Windows Heap Corruption?
Flutter sqflite database location on desktop