Two PE tools you might have never heard of. Now you do.

There are tons of PE tools out there and lots of them are rehashing the very same ideas over and over again. It is easy to find numerous PE viewers, PE editors, PE dumpers, PE identification tools and so on and so forth. It is sad to see that many of them rarely reach the quality and usability levels of the good ol’ LordPE, PE Tools, or PEiD.

Still, there are gems out there that are not very popular, yet it is really worth having them at hand during reverse engineering sessions.

Here are two of them:

Extensive File Dumper

Pretty much everyone heard of IDA Pro and Hex-Rays Decompiler.

But how many heard of Extensive File Dumper?

The tool is freely available online on the Hex-Rays web page.

Go and grab it.

It is one of not so many dumping tools that supports a crazy number of file formats – as per the Hex-Rays page:

EXE, NE, LE, LX, PE, NLM, XCOFF, COFF, OMF, DBG, PRC, PEF, OS9, N64, PSX, EPOC, AR, AMIGA, ELF, ECOFF, HP SOM, GEOS, OLE2, AIF, AOF, AOUT, PE+, OMF166, MachO, XE/XBE, JPG, CIFF, TMOBJ, MRW, TIFF, MPG, CWLIB XCP.DAT, WMF, DSO, PDB

Notably, this is one of not so many tools available on the Windows platform that parses Mac executable files – anyone wanting to view the internal info of Mac executables typically uses ‘otool’ on a Mac. Being able to view similar info on Windows is really handy.

To spice things up, it is a multiplatform tool and Hex-Rays distributes it in 3 versions (refer to the folders win, mac, linux inside efd.zip).

Example:

efd.exe showing info on the efd (MAC version)

[screenshots: efd_1, efd_2, efd_3]

Detect It Easy a.k.a. DIE

This is an awesome compiler/packer detector available on http://ntinfo.biz/.

The reason why it stands out?

Here are a couple:

  • The author uses a dedicated signature engine to detect various types of files (not only PE)
  • It recognizes nearly 1000 file types
  • PE detection is based not only on patterns, but also on more complex algorithms – it can not only determine that a file is compiled e.g. with Microsoft Visual Studio, it also gives you the most probable version of the compiler plus some extra info, if available

[screenshot: die_1]

  • Bonus: the scripts are readable and you can view/modify the algorithms (see the db folder), or click the Signatures button (after loading a file)

[screenshot: die_4]

  • Bonus #2: the scripts can be debugged!

[screenshot: die_5]

  • It shows the entropy of the file graphically

[screenshot: die_2]

  • Allows copying snippets of data to the clipboard in many ways, and extracting them as a binary

[screenshot: die_3]

Beyond good ol’ Run key, Part 31

The last piece in the series talked about Synaptics software – a program to manage the touchpad on some of the popular laptops (e.g. from Toshiba).

Turns out Synaptics is not the only company providing software for managing touchpad extensions and this short post introduces yet another one – from the Alps company. The relationship between these two aforementioned companies seems to be actually quite close; I have not investigated it very thoroughly, but if you google these two, you will find a lot of overlaps; I personally don’t care too much – at the end of the day they both use different Registry entries, and this is all that matters ;).

So, anyways, Alps touchpads can be found on many popular laptops e.g. from Dell and Toshiba. Here, I will talk about the Dell version.

Looking at available options we can easily find the familiar ‘Run’ command that can be associated with buttons’ activities:

[screenshot: Dell]

A simple test (Run Notepad when we click the Left button on the touchpad) allows us to quickly discover the location in the Registry where the settings are stored:

[screenshot: Alps]

The key is located under HKCU:

  • HKEY_CURRENT_USER\Software\Alps

and the specific settings for buttons are located at:

  • HKEY_CURRENT_USER\Software\Alps\Apoint\Button

where:

  • AppReg1 = <path to executable>
  • ButtonFunction1 = 0x1b to run the program (while default=0x5 means simply ‘Click’)

(this is for the Left button specifically – other buttons use consecutive numbers i.e. AppReg2, AppReg3; ButtonFunction2, ButtonFunction3)
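For triage, the settings above are easy to check offline. The following is an added example (not code from the original post): it parses a .reg export of the Button key and reports every button whose ButtonFunctionN is 0x1b (run program) together with the AppRegN path it would launch, flagging the case where the function is set but the path is missing. The function names and the sample export are constructed for this example and are not part of the post.

```python
r"""Triage helper: flag Alps touchpad buttons configured to launch a program.

Added example, not code from the original post. It parses a .reg export
(for instance the output of `reg export HKCU\Software\Alps\Apoint\Button alps.reg`)
and reports every button whose ButtonFunctionN is 0x1b (run program), together
with the AppRegN path it would launch. All function names and the sample
export below are constructed for this example.
"""
import re

BUTTON_KEY = r"HKEY_CURRENT_USER\Software\Alps\Apoint\Button"
RUN_PROGRAM = 0x1B   # value the post documents for "run the program"
CLICK = 0x05         # documented default: a plain click

# Constructed sample export: button 1 runs Notepad, button 2 is a plain click,
# button 3 is set to "run" but has no path (still worth a look).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Alps]

[HKEY_CURRENT_USER\Software\Alps\Apoint\Button]
"AppReg1"="C:\\Windows\\System32\\notepad.exe"
"ButtonFunction1"=dword:0000001b
"AppReg2"=""
"ButtonFunction2"=dword:00000005
"ButtonFunction3"=dword:0000001b
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(AppReg|ButtonFunction)(\d+)"=(.*)$')


def _decode_value(raw):
    """Decode a .reg value: dword:XXXXXXXX -> int, "..." -> unescaped str."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslashes and quotes inside strings with a backslash
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_button_settings(reg_text):
    """Return {button_number: {"path": str|None, "function": int|None}}
    for the AppRegN / ButtonFunctionN values under the Alps Button key."""
    buttons = {}
    in_button_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            in_button_key = key_match.group(1).lower() == BUTTON_KEY.lower()
            continue
        if not in_button_key:
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match:
            continue
        name, number, raw = value_match.groups()
        entry = buttons.setdefault(int(number), {"path": None, "function": None})
        if name == "AppReg":
            entry["path"] = _decode_value(raw)
        else:
            entry["function"] = _decode_value(raw)
    return buttons


def find_run_buttons(reg_text):
    """Return a sorted list of (button_number, path) for every button whose
    ButtonFunction is 0x1b; path is None when AppRegN is absent or empty."""
    hits = []
    for number, entry in sorted(parse_button_settings(reg_text).items()):
        if entry["function"] == RUN_PROGRAM:
            hits.append((number, entry["path"] or None))
    return hits


if __name__ == "__main__":
    for number, path in find_run_buttons(SAMPLE_REG):
        print(f"button {number}: runs {path or '<no AppReg path set>'}")
```

A real `reg export` file is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `find_run_buttons`; the parser only looks at the Button key, so exporting the whole HKCU\Software\Alps tree works as well.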

Again, it’s more of a curiosity than a real threat, but still good to have it documented, even if only briefly 🙂

If you know any other software like this, and can send me screenshots/reg entries I will be forever grateful 🙂 Thanks in advance.