CPP-PE-Hunter: Zero-Dependency Malware Scanner

A specialized Static Analysis tool written in raw C++ that manually dissects Windows Executables (PE files) to detect malware traits without execution.

Unlike standard tools that rely on libraries like pefile, this project manually maps binary structures from scratch. It calculates Shannon Entropy to detect packed ransomware and scans section characteristics for RWX (Read-Write-Execute) vulnerabilities used in shellcode injection.

---

Key Features

• Zero Dependencies: No external headers (<Windows.h> is NOT used). All structs are manually defined, making this cross-platform.
• Entropy Heuristics: Uses Information Theory to detect if code is hidden/packed.
• Anomaly Detection: Flags sections that are both Writable and Executable (a major security red flag).
• Forensic Output: Detailed breakdown of section permissions and raw sizes.

---

The Engineering Behind It

This tool was built to understand Malware Persistence at the binary level. Here are the core concepts used:

1. Manual Memory Mapping (The "Hard" Way)

Instead of using an API, I manually defined the Windows DOS and NT headers to parse raw bytes. This allows the tool to run on Linux servers to analyze Windows viruses safely.

Code Snippet (src/main.cpp):

// Manually defining the PE Header to avoid OS dependencies
struct PE_SectionHeader {
    uint8_t  Name[8];
    uint32_t VirtualSize;
    uint32_t VirtualAddress;
    uint32_t SizeOfRawData;
    uint32_t Characteristics; // <--- The Security Flags live here
};

2. Shannon Entropy (Math vs. Malware)

Malware authors use "Packers" (like UPX or custom encrypters) to hide their code from Antivirus. We detect this by measuring the randomness of the data.

• Normal Code: Entropy ~5.0 - 6.5
• Packed/Encrypted: Entropy > 7.2

Code Snippet (Entropy Calculation):

// H = -Σ p(x) log2 p(x)
for (size_t count : byte_counts) {
    if (count > 0) {
        double p = (double)count / size;
        entropy -= p * std::log2(p);
    }
}

PART 3: Usage & Footer (Paste this at the end) Markdown

🛠️ Usage

Build

You only need a C++ compiler (g++, clang, or cl).

Using CMake (Recommended):

mkdir build && cd build
cmake ..
cmake --build .

Using G++ directly:

g++ src/main.cpp -o pe_hunter.exe -O3

Run

./pe_hunter.exe targets/suspicious_file.exe

Sample Analysis

Running the tool on a packed binary (e.g., a UPX-compressed file):

[*] Scanning Artifact: malware_sample.exe (450KB)

SECTION    ENTROPY    PERMISSIONS    ANALYSIS
---------------------------------------------------------
.text      6.12       R-X            Clean
.data      2.45       RW-            Clean
.rsrc      4.10       R--            Clean
.upx0      0.00       RWX            [!!!] RWX DETECTED (Injection Risk)
.upx1      7.92       RWX            [!] HIGH ENTROPY (Packed?)

References & Docs Used

Resources consulted during the reverse engineering of the PE format:

• Microsoft PE Format Docs: The official specification for the IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER structs.
• Aldeid - Entropy in Malware: Excellent resource on why Entropy > 7.2 indicates packing.
• OSDev Wiki - PE: Detailed offsets for the DOS Stub and e_lfanew pointers.

Disclaimer

This tool is for Educational and Defensive purposes only. Always analyze unknown binaries in an isolated Virtual Machine.