Tag: forensics

Malware Analysis

Extract resources from Windows binaries

Resource Hacker™ is designed to be a complete resource editing tool: compiling, viewing, decompiling and recompiling resources for both 32-bit and 64-bit Windows executables. Resource Hacker™ can open any type of Windows executable (*.exe, *.dll, *.scr, *.mui etc.) so that individual resources (icons, dialogs, version info, RCDATA blobs) can be viewed, extracted, added, modified or deleted within these files. Resource Hacker™ can …

Malware Analysis

Detect packers, cryptors and compilers

PEiD detects the most common packers, cryptors and compilers found in PE executable files by matching byte signatures against the file, most of them at the entry point. The current version of PEiD can detect over 7000 different signatures, which are loaded from userdb.txt. The official website (www.peid.info) has been discontinued, and because the project is no longer maintained its signature set predates current packers: treat a hit as a lead to confirm (section names, entropy, imports), not a verdict, and a miss as no evidence either way. Download PEiD 0.95 from MediaFire. Download userdb.txt from MediaFire. All files in the .7z file have …
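How the signature matching behind userdb.txt works, as an added example (not code from the page or from PEiD): it parses the [name] / signature = / ep_only = layout, turns ?? into a one-byte wildcard and applies the ep_only rule, so a stub signature found somewhere other than the entry point is not reported. The two entries, the sample buffer and its entry-point offset are constructed for illustration and are not real PEiD signatures; locating the entry point in a real PE (AddressOfEntryPoint mapped through the section table) is assumed, not shown.

```python
"""Match PEiD-style signatures against a file image in Python.

Added example, not code from the page or from PEiD. It reads the userdb.txt
layout (a [name] line, a `signature =` line of hex bytes where ?? is a
one-byte wildcard, and `ep_only = true|false`), compiles each entry to a bytes
regex and applies the ep_only rule. The entries below and the sample buffer are
constructed for illustration; they are not real PEiD signatures."""
import re

USERDB_SAMPLE = """\
[Example packer stub v1 (constructed)]
signature = 60 E8 00 00 00 00 58 83 E8 ?? 8B 1C 24
ep_only = true

[Example string marker (constructed)]
signature = 50 41 43 4B 45 44 ?? 42 59
ep_only = false
"""


def compile_signature(sig):
    """'60 E8 ?? 24' -> bytes regex; ?? becomes '.', everything else a literal byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so ?? also matches 0x0A


def parse_userdb(text):
    """Return [(name, compiled_regex, ep_only)] from userdb.txt-style text."""
    entries, cur = [], {}

    def flush():
        if "signature" in cur:
            entries.append((cur["name"], compile_signature(cur["signature"]),
                            cur.get("ep_only", "false").lower() == "true"))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            cur = {"name": line[1:-1]}
        elif "=" in line and cur:
            key, _, val = line.partition("=")
            cur[key.strip().lower()] = val.strip()
    flush()
    return entries


def scan(data, entries, entry_point):
    """ep_only signatures must begin exactly at the entry point; the rest may
    appear anywhere in the image. Returns [(name, offset)]."""
    hits = []
    for name, pat, ep_only in entries:
        m = pat.match(data, entry_point) if ep_only else pat.search(data)
        if m:
            hits.append((name, m.start()))
    return hits


# Constructed sample image: a marker string in a header area, then the "stub"
# bytes at the (assumed) entry point. For a real PE the entry point's file
# offset comes from AddressOfEntryPoint mapped through the section table.
SAMPLE = (b"\x00" * 0x40
          + b"PACKED BY" + b"\x00" * 6
          + b"\x60\xE8\x00\x00\x00\x00\x58\x83\xE8\x3D\x8B\x1C\x24"
          + b"\xCC" * 8)
ENTRY_POINT = 0x40 + 9 + 6   # file offset of the stub bytes above (0x4F)

if __name__ == "__main__":
    for name, off in scan(SAMPLE, parse_userdb(USERDB_SAMPLE), ENTRY_POINT):
        print(f"{off:#06x}  {name}")
```

Run against a real sample, the scan needs the entry point's file offset; passing 0 (or a wrong offset) silently drops every ep_only signature, which is exactly the failure mode a wrong section mapping produces in PEiD itself.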

Forensics, Reverse Engineering

Detect executable dependencies

Dependency Walker – scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Detects many common …

Forensics, Malware Analysis

Viewing strings in executables

strings – displays runs of printable characters found in a file; it is the quickest way to pull URLs, IP addresses, file paths, registry keys and imported API names out of a sample before any deeper analysis. strings is available on Linux, Unix and Windows systems. Scan the entire file: strings -a /path/to/executable Scan data sections only: strings -d /path/to/executable Options: -a --all Scan the entire file, not just the data section [default] -d --data Only scan …
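What strings does under the hood, and what an analyst does with its output, as an added example rather than code from the page: a scanner that reports each printable run with its file offset (what strings -t x prints), covers the UTF-16LE "wide" strings Windows binaries usually carry (which GNU strings only finds with -e l), and runs a small indicator triage over the result. The byte blob, the indicator patterns and the 198.51.100.23 address (a documentation range) are constructed for the example.

```python
"""A strings-style scanner with offsets, covering ASCII and UTF-16LE.

Added example, not code from the page: it reimplements what `strings -a -t x`
does for ASCII and what `strings -e l` does for the 16-bit little-endian
strings Windows binaries usually carry, then runs a small IOC triage over the
results. SAMPLE is a constructed byte blob, not a real file."""
import re

ASCII_RUN = rb"[\x20-\x7e\t]{%d,}"            # printable ASCII plus tab
WIDE_RUN = rb"(?:[\x20-\x7e\t]\x00){%d,}"     # same characters as UTF-16LE


def find_strings(data, min_len=4):
    """Return [(offset, encoding, text)] for every run of >= min_len characters."""
    hits = []
    for m in re.finditer(ASCII_RUN % min_len, data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(WIDE_RUN % min_len, data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


# Patterns an analyst greps the strings output for; extend to taste.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "autorun": re.compile(r"CurrentVersion\\Run(?:Once)?\b"),
    "api": re.compile(r"\b(?:CreateRemoteThread|VirtualAllocEx|WriteProcessMemory"
                      r"|WinExec|URLDownloadToFile[AW]?)\b"),
}


def triage(hits):
    """Return [(label, offset, text)] for every string matching an IOC pattern."""
    return [(label, off, text)
            for off, _, text in hits
            for label, pat in IOC_PATTERNS.items()
            if pat.search(text)]


# Constructed sample: a DOS-stub message, a wide-string URL (198.51.100.23 is a
# documentation address), NUL-separated API names, and a wide autorun key.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
          + "http://198.51.100.23/update.bin".encode("utf-16-le") + b"\x00\x00"
          + b"\x00" * 5
          + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
          + b"\x13\x37" * 3
          + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
          + b"\x00\x00" + b"ab\x00")   # "ab" is below the length threshold

if __name__ == "__main__":
    hits = find_strings(SAMPLE)
    for off, enc, text in hits:
        print(f"{off:#08x} {enc:8} {text}")
    for label, off, text in triage(hits):
        print(f"IOC {label:8} at {off:#x}: {text}")
```

The offset matters in practice: it tells you which section a string lives in, and a run of API names with no import-table entry for them is a hint that the sample resolves them at runtime (GetProcAddress) to stay out of the import table.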

Forensics, Malware Analysis

Show all dynamic libraries required by executable

ldd lists the shared libraries required by a program. ldd should never be used on an untrusted executable: depending on the implementation it may run the program's dynamic loader, or the program itself, so a malicious binary can execute code on the analysis box. Use objdump -p (look at the NEEDED entries) or readelf -d instead; both only parse the file. ldd is available on Linux and Unix systems. For Windows users, ldd is available through Cygwin. Examples: ldd /path/to/executable/filename ldd -v /path/to/executable/filename Print unused dependencies: ldd -u /path/to/executable/filename …

Forensics, Malware Analysis, Sysinternals

Scan windows for suspicious executable images

> Download Sysinternals Suite. > Run the command line tool (cmd) with administrative privileges. > To scan Windows for unverified binary images, execute: c:\path\to\sysinternals_suite\sigcheck.exe -e -u -s c:\ -e Scan executable images only -u Show unverified files -s Recurse subdirectories An unverified image is one that is unsigned or whose signature does not chain to a trusted root; that is a triage lead, not a verdict, and a valid signature is not proof that a file is benign. > To scan Windows for unverified binary images and also query VirusTotal during …

Forensics, Reverse Engineering

List symbols from binary files

nm lists the symbols in object files and binaries: the names of functions and global variables, each with its value (address) and a type letter such as T (text/code), D (data) or U (undefined, i.e. resolved from another library at load time). Stripped binaries carry no .symtab, so nm reports no symbols for them; nm -D reads the dynamic symbol table instead, which a stripped but dynamically linked binary still has. nm is available on Unix and Linux systems. For Windows users, the nm command is available through Cygwin. Supported targets: elf64-x86-64 elf32-i386 elf32-x86-64 a.out-i386-linux pei-i386 pei-x86-64 elf64-l1om elf64-k1om elf64-little …
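Both of the ELF entries above, the library list (ldd, or objdump/readelf on an untrusted sample) and the symbol list (nm), come from reading the file's section headers, and doing that by hand shows why the parsing route is safe: nothing in the sample is ever mapped or executed. The following is an added example, not code from the page or from binutils; it uses the standard Elf64 layouts and constants, and build_sample_elf() constructs a tiny code-free ELF with invented library and symbol names so the script runs offline (pass a path to inspect a real binary instead).

```python
"""Static inspection of an ELF binary without running it.

Added example, not code from the page or from binutils: it reads the section
headers directly to list (a) the shared libraries named in DT_NEEDED entries,
which is what `objdump -p` / `readelf -d` report and the safe substitute for
ldd on an untrusted sample, and (b) the .symtab entries nm prints. The ELF
structures and constants are the standard Elf64 ones; build_sample_elf()
constructs a tiny ELF with no code so the script runs offline (its library
and symbol names are made up)."""
import struct
import sys

SHT_SYMTAB, SHT_STRTAB, SHT_DYNAMIC = 2, 3, 6
DT_NULL, DT_NEEDED = 0, 1
STB_GLOBAL, STT_FUNC = 1, 2
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr (little-endian)
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn: d_tag, d_val
SYM = struct.Struct("<IBBHQQ")              # Elf64_Sym: name, info, other, shndx, value, size


def cstr(blob, off):
    """NUL-terminated string starting at blob[off]."""
    return blob[off:blob.index(b"\0", off)].decode()


def sections(elf):
    """All Elf64_Shdr tuples; fields used below: [1]=type [4]=offset [5]=size [6]=link."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = EHDR.unpack_from(elf)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    return [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]


def needed_libs(elf):
    """Library names from DT_NEEDED entries in .dynamic, resolved via its string table."""
    shdrs = sections(elf)
    libs = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab_off = shdrs[sh[6]][4]              # sh_link points at .dynstr
        for i in range(sh[5] // DYN.size):
            tag, val = DYN.unpack_from(elf, sh[4] + i * DYN.size)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                libs.append(cstr(elf, strtab_off + val))
    return libs


def symbols(elf):
    """(name, letter, value) per named .symtab entry. 'U' = undefined (imported);
    defined symbols get 'T'/'t' for global/local, a simplification of nm's
    section-derived letters."""
    shdrs = sections(elf)
    out = []
    for sh in shdrs:
        if sh[1] != SHT_SYMTAB:
            continue
        strtab_off = shdrs[sh[6]][4]              # sh_link points at .strtab
        for i in range(1, sh[5] // SYM.size):     # entry 0 is the mandatory null symbol
            name, info, _, shndx, value, _ = SYM.unpack_from(elf, sh[4] + i * SYM.size)
            if shndx == 0:
                letter = "U"
            else:
                letter = "T" if info >> 4 == STB_GLOBAL else "t"
            out.append((cstr(elf, strtab_off + name), letter, value))
    return out


def build_sample_elf():
    """Construct a minimal ELF64: no code or program headers, just the sections
    the two readers need. All names are invented for the example."""
    def st_info(bind, typ):
        return (bind << 4) | typ

    dynstr = b"\0libc.so.6\0libssl.so.3\0"                       # offsets 1 and 11
    dynamic = DYN.pack(DT_NEEDED, 1) + DYN.pack(DT_NEEDED, 11) + DYN.pack(DT_NULL, 0)
    strtab = b"\0main\0decrypt_payload\0connect\0"               # offsets 1, 6, 22
    syms = (SYM.pack(0, 0, 0, 0, 0, 0)
            + SYM.pack(1, st_info(STB_GLOBAL, STT_FUNC), 0, 1, 0x401000, 0x40)  # main
            + SYM.pack(6, st_info(0, STT_FUNC), 0, 1, 0x401100, 0x80)           # local helper
            + SYM.pack(22, st_info(STB_GLOBAL, STT_FUNC), 0, 0, 0, 0))          # import
    shstrtab = b"\0.dynstr\0.dynamic\0.strtab\0.symtab\0.shstrtab\0"   # 1, 9, 18, 26, 34
    blobs = [dynstr, dynamic, strtab, syms, shstrtab]
    offs, pos = [], EHDR.size
    for b in blobs:
        offs.append(pos)
        pos += len(b)
    # (sh_name, sh_type, sh_offset, sh_size, sh_link, sh_entsize)
    specs = [(0, 0, 0, 0, 0, 0),
             (1, SHT_STRTAB, offs[0], len(dynstr), 0, 0),
             (9, SHT_DYNAMIC, offs[1], len(dynamic), 1, DYN.size),
             (18, SHT_STRTAB, offs[2], len(strtab), 0, 0),
             (26, SHT_SYMTAB, offs[3], len(syms), 3, SYM.size),
             (34, SHT_STRTAB, offs[4], len(shstrtab), 0, 0)]
    shdrs = b"".join(SHDR.pack(n, t, 0, 0, o, s, l, 0, 1, e) for n, t, o, s, l, e in specs)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9           # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, 0, pos, 0, EHDR.size, 0, 0, SHDR.size, len(specs), 5)
    return ehdr + b"".join(blobs) + shdrs


if __name__ == "__main__":
    # With a path argument the real file is parsed; otherwise the constructed sample.
    elf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print("NEEDED:", ", ".join(needed_libs(elf)))
    for name, letter, value in symbols(elf):
        print(f"{value:016x} {letter} {name}")
```

On a stripped binary symbols() returns nothing because there is no SHT_SYMTAB section, matching nm's behaviour; the dynamic symbol table (SHT_DYNSYM, what nm -D reads) survives stripping and could be walked with the same loop.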