One of the first things we do when we analyze malware is strings extraction. This is a good approach, but there is a problem – neither Sysinternals’ strings nor UNiX/cygwin version provide an ability to extract strings from a specific PE section. Being able to extract strings this way may be handy. It may simplify static analysis and even more importantly, it helps to avoid noise coming from bad strings. Examples of bad strings are sequences of machine instructions coming from a code section that are interpreted as actual strings. The same goes for ‘strings’ from resource section. This part of file often contain bitmaps, icons and other data that often holds a lot of data that ‘looks’ like strings. We may not want to see these in the output.
So, having an ability to extract strings from each section separately would be certainly helpful. There are many way to do so – if you like to code, you can write your own script.
Or…You can just use a simple method presented below.
It turns out that 7zip has an ability to extract sections from PE files. It is available from both GUI and command line. GUI is option is straightforward, as per the command line, use the following:
“c:\Program Files\7-Zip\7zG.exe” x <filename> -osections
Example for Notepad.exe is shown below. Note that 7zip also extracts resources into a subdirectory – another handy feature.
We can now extract strings from .text section only:
There are executables for which extracting strings from specific sections won’t help and may even make you miss something or draw wrong conclusions; these include Borland applications (code and data is mangled together), position-independent code (shellcodes, viruses, code injects), etc.
Comments are closed.