In the part 1 we explored the case of the resource timestamps that may come handy while building a timeline, or at least when you are trying to figure out when a specific Borland executable was compiled (I use ‘Borland’ here, but we know it means all the possible variations of Borland-esque compilers/products we can think of: Delphi, Borland C++, Code Gear, Embarcadero) .
The other interesting fact you may come across is the family of Borland files that are compiled with an old version of Borland C++. They have 2 very interesting and peculiar properties:
- They have 2 exports: __GetExceptDLLinfo ___CPPdebugHook
- They also include an original name of the executable
The first one makes it easy to recognize them.
The second one, while it may not be the most forensically interesting information it may still give you some clues for further research. It may come handy if the exported name is unique enough as it may allow e.g. to search for samples from the very same family (e.g. on Google, VirusTotal, Malwr)
For example, running the good-old pedump.exe over the file with a hash 3E19EF9C9A217D242787A896CC4A5B03 gives us the following:
exports table: Name: winmgmtc.exe Characteristics: 00000000 TimeDateStamp: 00000000 -> Thu Jan 01 08:00:00 1970 Version: 0.00 Ordinal base: 00000001 # of functions: 00000002 # of Names: 00000002 Entry Pt Ordn Name 00001059 1 __GetExceptDLLinfo 0000C128 2 ___CPPdebugHook
The Export Directory is populated with the name of the original .exe and followed by 2 exports.
And yes, many online AV checkers/sandboxes do not show this information.
So, 2 things to remember now:
- If it is an older Delphi file, check its resource section’s compilation timestamp
- If it is Borland C++, check the export directory