
DeXRAY 2.15 update

July 18, 2019 in Batch Analysis, DeXRAY, Software Releases

I have added full support for Windows Defender files.

It now processes both metadata files and content files, so if you run it on the whole quarantine folder, decryption should work properly for all files.

Note that I am still not sure how to parse the metadata files; it’s pretty complex – try to generate a quarantine file that includes registry data and you will know what I mean when you see the decrypted quarantine metadata files (that was quite a mouthful :).

You can find the latest version of DeXRAY here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0='-chest- ')
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0='KSS')
  • Kaspersky (KLQ, System Watcher’s <md5>.bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Antimalware / Microsoft Security Essentials
  • Microsoft Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 metadata + 0B AD malicious content
  • Panda <GUID> Zip files
  • Sentinel One (MAL)
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN), including from SEP on Linux
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7, which is the string 'VSBX' XORed with 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)

Playing with section names…

June 2, 2019 in PESectionExtractor, Random ideas

This post describes a case that breaks my old tool PESectionExtractor.pl.

Any part of the .exe structure can be controlled by an attacker. This includes imported DLL names, imported function names, PDB paths, as well as section names.

My tool extracts PE sections by walking through them one by one and then dumps them to a file that is named according to the following scheme:

  • filename_sectionname_fileoffset_filesize_sectionflags

It works all nice and well for your typical scenario, but fails miserably when a section name includes a colon, e.g. .text:xy.

As you may guess, the file written by the tool will be saved as an ADS (Alternate Data Stream), e.g.:

C:\test\test.exe_.text:xy_00000400_00001200_XR_CODE.dat

So, if you extract sections from PE files automatically and use the section name read from the file to build an output file name, you need to ensure colons (and the other characters Win32 reserves) are replaced with something else.
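The sanitisation step in Python, as an added example (not the Perl tool's own code): it unpacks a constructed IMAGE_SECTION_HEADER, reproduces the naming scheme above, and replaces reserved characters in the section-name component only, leaving the drive colon in the exe path alone. How the tool renders the flags ("XR_CODE") is my assumption about the original.

```python
import re
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

# Characteristics bits rendered as the post's "XR_CODE" style suffix; the exact
# letters are an assumption, not taken from PESectionExtractor.pl.
MEM_FLAGS = ((0x20000000, "X"), (0x40000000, "R"), (0x80000000, "W"))
CNT_FLAGS = ((0x00000020, "CODE"), (0x00000040, "IDATA"), (0x00000080, "UDATA"))

# Win32 reserved name characters plus control bytes. ':' is the dangerous one
# here: "name:xy" is parsed as file "name" with alternate data stream "xy".
_RESERVED = re.compile(r'[<>:"/\\|?*\x00-\x1f]')

def section_name(raw8: bytes) -> str:
    """Decode the NUL-padded 8-byte name exactly as stored (attacker-controlled)."""
    return raw8.split(b"\x00", 1)[0].decode("latin-1")

def safe_section_name(name: str) -> str:
    """Neutralise characters that change how Win32 interprets the path component."""
    cleaned = _RESERVED.sub("_", name)
    cleaned = cleaned.rstrip(" .")  # Win32 silently drops trailing dots and spaces
    return cleaned or "noname"      # an empty name would collide or fail to open

def render_flags(characteristics: int) -> str:
    mem = "".join(tag for bit, tag in MEM_FLAGS if characteristics & bit)
    cnt = "".join(tag for bit, tag in CNT_FLAGS if characteristics & bit)
    return "_".join(part for part in (mem, cnt) if part)

def output_name(exe_path: str, hdr: bytes, sanitize: bool = True) -> str:
    """Build filename_sectionname_fileoffset_filesize_sectionflags.dat."""
    name, _vsize, _vaddr, raw_size, raw_ptr, _rel, _ln, _nrel, _nln, flags = SECTION_HDR.unpack(hdr)
    sec = section_name(name)
    if sanitize:  # only the section-name component; exe_path keeps its drive colon
        sec = safe_section_name(sec)
    return "%s_%s_%08X_%08X_%s.dat" % (exe_path, sec, raw_ptr, raw_size, render_flags(flags))

# Constructed sample header: a hostile ".text:xy" section at file offset 0x400,
# 0x1200 bytes, CODE|EXECUTE|READ, matching the example in the post.
SAMPLE_HDR = SECTION_HDR.pack(b".text:xy", 0x1000, 0x1000, 0x1200, 0x400, 0, 0, 0, 0, 0x60000020)
```

With sanitize=False the function reproduces the ADS-creating path from the post; with the default it yields `..._.text_xy_...`, a normal file.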

Fixed tool here.