
Playing with section names…

June 2, 2019 in PESectionExtractor, Random ideas

This post is about a bug that breaks my old tool, PESectionExtractor.pl.

Any part of the .exe structure can be controlled by an attacker. This includes imported DLL names, imported function names, PDB paths, and section names.

My tool extracts PE sections by walking through them one by one and dumping each to a file named according to the following scheme:

  • filename_sectionname_fileoffset_filesize_sectionflags

It works fine for your typical scenario, but fails miserably when a section name includes a colon, e.g. .text:xy.

As you may guess, on NTFS the file written by the tool ends up as an alternate data stream (ADS), e.g.:

C:\test\test.exe_.text:xy_00000400_00001200_XR_CODE.dat

So, if you extract sections from PE files in an automatic way and use the section name extracted from the file to build an output file name, you need to ensure colons are replaced with something else.

Fixed tool here.
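As an added example (not the code of PESectionExtractor.pl), here is a Python sketch of the same dump-naming scheme with the section name sanitized before it reaches the file system. It parses IMAGE_SECTION_HEADER records from a constructed section table; the flag-string layout (XR_CODE) and the hypothetical helper names are assumptions, and the filter is deliberately wider than just the colon so that path separators and other odd bytes in an attacker-controlled name cannot alter the output path either.

```python
import re
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_section_headers(blob, count):
    """Decode `count` section headers from a raw section table."""
    sections = []
    for i in range(count):
        f = SECTION_HDR.unpack_from(blob, i * SECTION_HDR.size)
        # Name is attacker-controlled: keep it raw here, sanitize only when naming files.
        name = f[0].rstrip(b"\x00").decode("latin-1")
        sections.append({"name": name, "raw_ptr": f[4], "raw_size": f[3], "flags": f[9]})
    return sections

def flag_string(flags):
    # Assumed layout: access letters, then CODE/DATA (mirrors the XR_CODE suffix on the page).
    bits = ((IMAGE_SCN_MEM_EXECUTE, "X"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    letters = "".join(l for bit, l in bits if flags & bit)
    kind = "CODE" if flags & IMAGE_SCN_CNT_CODE else "DATA"
    return f"{letters}_{kind}"

def safe_section_name(name):
    # Anything outside [A-Za-z0-9._-] becomes '_': this covers ':' (NTFS ADS),
    # '/' and '\\' (path separators) and control bytes in one rule.
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return cleaned or "noname"

def output_filename(exe_name, section):
    # filename_sectionname_fileoffset_filesize_sectionflags, as in the post
    return (f"{exe_name}_{safe_section_name(section['name'])}_"
            f"{section['raw_ptr']:08x}_{section['raw_size']:08x}_"
            f"{flag_string(section['flags'])}.dat")

# Constructed sample table: a '.text:xy' code section and a plain '.data' section.
SAMPLE_TABLE = (
    SECTION_HDR.pack(b".text:xy", 0x1000, 0x1000, 0x1200, 0x400, 0, 0, 0, 0, 0x60000020)
    + SECTION_HDR.pack(b".data", 0x200, 0x3000, 0x200, 0x1600, 0, 0, 0, 0, 0xC0000040)
)

if __name__ == "__main__":
    for sec in parse_section_headers(SAMPLE_TABLE, 2):
        print(output_filename("test.exe", sec))
```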

Updated 3R (RegRipper Ripper)

November 4, 2018 in 3R, Forensic Analysis, Software Releases

It’s been 2 years since I last updated 3R, so I decided to download the latest RegRipper repo (https://github.com/keydet89/RegRipper2.8) and re-run my tool on it.

I had to do a quick fix to handle the slack.pl script, but other than that it’s the same old 3r.pl script generating the very same content as before, except that it now covers all the new plugins Harlan added over the last 2 years; if I am not wrong, there are over 40 new scripts. Kudos to Harlan for maintaining the repo for so many years.

So, there you have it: RegRipper is still here and kicking; if you ever need to write a new plug-in, feel free to leverage the free online tool 3RPG, or just learn Perl 🙂