The not so boring land of Borland executables, part 2

In the part 1 we explored the case of the resource timestamps that may come handy while building a timeline, or at least when you are trying to figure out when a specific Borland executable was compiled (I use ‘Borland’ here, but we know it means all the possible variations of Borland-esque compilers/products we can think of: Delphi, Borland C++, Code Gear, Embarcadero) .

The other interesting fact you may come across is the family of Borland files that are compiled with an old version of Borland C++. They have 2 very interesting and peculiar properties:

  • They have 2 exports: __GetExceptDLLinfo ___CPPdebugHook
  • They also include an original name of the executable

The first one makes it easy to recognize them.

The second one, while it may not be the most forensically interesting information it may still give you some clues for further research. It may come handy if the exported name is unique enough as it may allow e.g. to search for samples from the very same family (e.g. on Google, VirusTotal, Malwr)

For example, running the good-old pedump.exe over the file with a hash 3E19EF9C9A217D242787A896CC4A5B03 gives us the following:

exports table:

  Name:            winmgmtc.exe
  Characteristics: 00000000
  TimeDateStamp:   00000000 -> Thu Jan 01 08:00:00 1970
  Version:         0.00
  Ordinal base:    00000001
  # of functions:  00000002
  # of Names:      00000002

  Entry Pt  Ordn  Name
  00001059     1  __GetExceptDLLinfo
  0000C128     2  ___CPPdebugHook

The Export Directory is populated with the name of the original .exe and followed by 2 exports.

And yes, many online AV checkers/sandboxes do not show this information.

So, 2 things to remember now:

  • If it is an older Delphi file, check its resource section’s compilation timestamp
  • If it is Borland C++, check the export directory