DriverPack – Clean PDB paths

July 2, 2022 in Archaeology, File Formats ZOO, Forensic Analysis

Unique PDB debug paths embedded inside malware are useful to detect other variants of the malicious family (not applicable to more advanced malware families where authors either wipe the paths out, use a randomized string, or use a programming language and compiler that don’t leave these forensic artifacts behind).

The very same approach can be used for the classification of ‘good’ files. The only problem is finding a nicely sorted sampleset of clean files from which we can extract a larger list of ‘good’ PDB paths.

Luckily, there exist very well organized samplesets of good, clean files that can be downloaded easily and quickly. For instance, a DriverPack. After you download their torrent you get 32GB of popular driver files that are neatly sorted and placed in sub directories referring to both the class of driver (audio, video, etc.) and the vendor name, i.e. the company providing the software added to the pack.

The bonus is that many of these files are relatively fresh (although you will find a lot of oldies there too).

Running a simple parser over the extracted files, I created a quick and dirty list of clean PDB paths mapped to vendor names in no time. How useful is that? Again, you can build automated Yara rules, use it in offline analysis, and speed up triage in forensic investigations without relying on hash sets, fuzzy hash sets, etc.
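The kind of parser meant above, as an added example rather than the author's own script: it walks a PE file's debug directory, finds the CodeView (RSDS) entry and pulls out the embedded PDB path using only the standard library. The `build_sample_pe` helper fabricates a minimal PE32 image (a constructed sample, not a real driver) so the parser can be exercised offline; the path it embeds is made up.

```python
import struct
from typing import Optional

IMAGE_DEBUG_TYPE_CODEVIEW = 2  # debug-directory type that carries the RSDS record

def extract_pdb_path(data: bytes) -> Optional[str]:
    """Return the PDB path from the first RSDS CodeView record in a PE image, or None."""
    if data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]             # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]        # COFF SizeOfOptionalHeader
    opt = pe + 24                                                # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                 # PE32 vs PE32+ data directories
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 6 * 8)  # IMAGE_DIRECTORY_ENTRY_DEBUG
    dbg_off = None
    for i in range(nsec):                                        # resolve the RVA via the section table
        vsize, va, rawsz, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if va <= dbg_rva < va + max(vsize, rawsz):
            dbg_off = dbg_rva - va + rawptr
    if dbg_off is None:
        return None
    for i in range(dbg_size // 28):                              # IMAGE_DEBUG_DIRECTORY is 28 bytes
        typ, size, _, ptr = struct.unpack_from("<IIII", data, dbg_off + 28 * i + 12)
        if typ == IMAGE_DEBUG_TYPE_CODEVIEW and data[ptr:ptr + 4] == b"RSDS":
            # RSDS layout: signature(4) GUID(16) age(4) NUL-terminated PDB path
            return data[ptr + 24:ptr + size].split(b"\0")[0].decode("utf-8", "replace")
    return None

def build_sample_pe(pdb_path: bytes) -> bytes:
    """Constructed minimal PE32 (not a real driver): one section holding a debug directory + RSDS record."""
    sec = 0x200                                                  # section RVA == raw file offset
    cv = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path + b"\0"
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(cv), sec + 28, sec + 28)
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<II", opt, 96 + 6 * 8, sec, len(dbg))      # debug directory RVA and size
    img += opt + struct.pack("<8sIIII", b".rdata", len(dbg) + len(cv), sec, len(dbg) + len(cv), sec) + b"\0" * 16
    img += b"\0" * (sec - len(img)) + dbg + cv
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample_pe(b"C:\\build\\acme_audio\\x64\\Release\\acmeaudio.pdb")
    print(extract_pdb_path(sample))
```

Run over the extracted pack, the returned path together with the vendor sub directory a file came from gives one row of the clean-path list.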
