Implementation of Portable Executable File Analysis Framework (PEFAF)

The Portable executable file format is the format of executables, object code and DLL’s (Dynamic Link Library) in Microsoft Windows Operating system. It is the standard of how executable files are organized within file system in Microsoft Windows. The Portable executable file format was designed for Windows NT 3.1 that released in 1993. Many of its features are inherited from COFF (Common object file format) used in Unix Operating systems. It consists of header and sections; headers are rules that tell windows loader how the section should be mapped and loaded into memory. The section are nothing but the data or content. Different sections hold different kind of data for example code section contains executable code while bss (Block Started by Symbol) sections contains uninitialized data. Portable executable file could be used in a way to dent the security of computer, therefore great care should be taken while downloading and running Portable executable files. In our work we develop a static malware analysis tool called ‘Portable Executable File Analysis Framework (PEFAF)’ using data mining techniques. A collection of 8 thousand benign and 7 thousand malicious files were used in this work. We extracted 60 features, analyzed them and found that 34 of them are significant for the detection of malware threats. Based on these 34 indicators our tool classifies input file into malicious or non-malicious.