PEFix – simple PE file re-aligner

July 9, 2016 in Malware Analysis, PEFix, Software Releases

Every time you dump a PE file from memory, the dump is aligned on the memory page size boundary (4096) instead of the typical file alignment boundary, which is 512 (except for some PE tricks and less common file alignments).

There are many really cool tools that rebuild PE files directly from memory and do it in an excellent way, but sometimes it’s good to have a simple, stupid script at hand that does the re-alignment only. The re-aligned file can’t be executed, but it will make more sense when you load it into IDA. And such a stupid script comes in handy when images are loaded using manual/reflective loading and there are more of them in the same process space (or you just have lots of them); rebuilding such memory dumps manually is a pain, so the script that I am attaching to this post will just do this dirty job for you (you can run it as a batch job).

So, say you locate the memory region where malware hides its PE file; you then dump it, e.g. using Process Hacker, hiperdrop, or any other memdumping tool, and then you can run pefix.pl over it (or them) and you should get a ‘.fixed’ file (or files) that is just a realigned version of your memory dump(s).

Load it into IDA, happy analysis…

In case malware wipes out the MZ/PE markers you can always mod the script a bit to bypass the check and still rebuild the file. For completely wiped-out MZ/PE markers/header/section table/etc. it’s going to be a manual job, although one could think of some heuristics… who knows, maybe in the next version :).
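The re-alignment the post describes, as an added worked example in Python (this is not pefix.pl and not the author’s code; the `pe_offset` override for wiped MZ/PE markers and the `build_memory_dump` sample PE are assumptions made for the example). It parses the DOS header, COFF header, optional header and section table, keeps `SizeOfHeaders` bytes of headers, and copies each section body from its page-aligned RVA in the dump back to its `PointerToRawData` file offset, zero-padding when the dump is short:

```python
import struct


def parse_pe(buf, pe_offset=None):
    """Parse PE headers; returns (SizeOfHeaders, FileAlignment, [(name, VA, SizeOfRawData, PointerToRawData)]).

    pe_offset overrides e_lfanew for dumps whose MZ/PE markers were wiped
    (hypothetical option added for this example).
    """
    if pe_offset is None:
        if buf[:2] != b"MZ":
            raise ValueError("no MZ marker; pass pe_offset explicitly")
        pe_offset = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
        if buf[pe_offset:pe_offset + 4] != b"PE\0\0":
            raise ValueError("no PE marker; pass pe_offset explicitly")
    coff = pe_offset + 4                                             # COFF file header
    num_sections = struct.unpack_from("<H", buf, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20                                                  # optional header
    file_alignment = struct.unpack_from("<I", buf, opt + 36)[0]      # same offset for PE32 and PE32+
    size_of_headers = struct.unpack_from("<I", buf, opt + 60)[0]
    sections = []
    for i in range(num_sections):
        entry = opt + size_of_optional + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, entry)
        sections.append((name.rstrip(b"\0"), va, raw_size, raw_ptr))
    return size_of_headers, file_alignment, sections


def realign(dump, pe_offset=None):
    """Turn a memory-layout dump (sections at page-aligned RVAs) into a file-layout image."""
    size_of_headers, _, sections = parse_pe(dump, pe_offset)
    out = bytearray(dump[:size_of_headers].ljust(size_of_headers, b"\0"))
    for _name, va, raw_size, raw_ptr in sections:
        if raw_size == 0 or raw_ptr == 0:
            continue  # .bss-style section: nothing is stored on disk
        # In the dump the body sits at its RVA; take SizeOfRawData bytes, padding if the dump is truncated.
        body = dump[va:va + raw_size].ljust(raw_size, b"\0")
        end = raw_ptr + raw_size
        if len(out) < end:
            out.extend(b"\0" * (end - len(out)))
        out[raw_ptr:end] = body
    return bytes(out)


def build_memory_dump():
    """Constructed sample: a tiny PE32 laid out as dumped from memory (sections at 0x1000/0x2000,
    file offsets 0x200/0x400, SizeOfHeaders 0x200). Not a real binary."""
    secs = [  # (name, body, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b".text", b"\xCC" * 0x100, 0x1000, 0x200, 0x200),
        (b".data", b"DATA" * 0x40, 0x2000, 0x200, 0x400),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                          # SectionAlignment (page size)
    struct.pack_into("<I", opt, 36, 0x200)                           # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)                          # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                           # SizeOfHeaders
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, len(body), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        for name, body, va, raw_size, raw_ptr in secs)
    image = bytearray(0x3000)
    headers = dos + b"PE\0\0" + coff + opt + table
    image[:len(headers)] = headers
    for _name, body, va, _raw_size, _raw_ptr in secs:
        image[va:va + len(body)] = body
    return bytes(image)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                                        # batch mode: each dump gets a .fixed twin
        with open(path, "rb") as f:
            data = f.read()
        with open(path + ".fixed", "wb") as f:
            f.write(realign(data))
```

Note that the output is a file-layout image only: relocations and the import table are left as the loader resolved them, which is why the result is for IDA rather than for execution. A dump whose MZ/PE markers were wiped but whose section table survived can still be processed by passing `pe_offset`.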

This is the script.

DeXRAY update

June 25, 2016 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

Added:

  • ESafe (VIR)
  • Microsoft Windows Defender (partial support)
  • Spybot – Search & Destroy

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP)
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7 which is ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)
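An added example in Python (not DeXRAY’s own code) showing how the offset-0 magics quoted in the list above identify a quarantine file, and a single-byte XOR brute force of the kind the “X-RAY scanning” fallback suggests for unrecognized binaries. The brute-force approach, the hypothetical `FAKEQUARANTINE` header and the 0x5A key of the constructed sample are assumptions of this example, not a description of how DeXRAY or any vendor format works:

```python
# Offset-0 magics quoted in the format list; TrendMicro's is 'VSBX' with every byte XORed by 0xFF.
TRENDMICRO_MAGIC = bytes(b ^ 0xFF for b in b"VSBX")   # A9 AC BD A7

MAGICS = [
    (b"-chest- ", "Avast"),
    (b"KSS", "F-Prot"),
    (b"\x0b\xad", "Microsoft Forefront/Defender"),
    (b"\xd3\x45", "Microsoft Forefront/Defender"),
    (TRENDMICRO_MAGIC, "TrendMicro"),
]

DOS_STUB = b"This program cannot be run in DOS mode"   # present in almost every PE's DOS stub


def identify_by_magic(buf):
    """Return the format name whose magic sits at offset 0, or None."""
    for magic, name in MAGICS:
        if buf.startswith(magic):
            return name
    return None


def xray_scan(buf, window=0x200):
    """Single-byte XOR brute force (assumed technique, not DeXRAY's implementation):
    for each key, find the XORed DOS stub string and, within `window` bytes before it,
    the XORed 'MZ' marker. Returns [(key, image_start), ...]."""
    hits = []
    for key in range(256):
        needle = bytes(b ^ key for b in DOS_STUB)
        mz = bytes(b ^ key for b in b"MZ")
        pos = buf.find(needle)
        while pos != -1:
            start = buf.rfind(mz, max(0, pos - window), pos)
            if start != -1:
                hits.append((key, start))
            pos = buf.find(needle, pos + 1)
    return hits


def carve(buf, key, start):
    """Decode the embedded image from `start` to the end of the buffer with the single-byte key."""
    return bytes(b ^ key for b in buf[start:])


def classify(buf):
    """Magic match first; otherwise report X-RAY candidates for an unknown container."""
    name = identify_by_magic(buf)
    if name:
        return name, []
    return "unknown (X-RAY candidates)", xray_scan(buf)


def make_sample():
    """Constructed sample: a made-up 16-byte 'FAKEQUARANTINE' header followed by a minimal
    fake PE image (MZ marker and DOS stub string only) XORed with key 0x5A."""
    image = bytearray(0x100)
    image[:2] = b"MZ"
    image[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    return b"FAKEQUARANTINE\0\0" + bytes(b ^ 0x5A for b in image)


if __name__ == "__main__":
    sample = make_sample()
    print(classify(sample))                      # ('unknown (X-RAY candidates)', [(90, 16)])
    print(carve(sample, 0x5A, 16)[:2])           # b'MZ'
```

The DOS stub string is used as the anchor because a two-byte `MZ` alone matches far too often under 256 candidate keys; the `MZ` check in the window before it then gives the image start to carve from.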

You can download it here.