DeXRAY – Decrypting VBN files, Part 2

A few months back I posted about DeXRAY – a generic script/file carver that tries to decrypt various Quarantine files, as well as PE files hidden inside other files under a simple layer of single-byte xor encryption.

Some time later, in one of my other posts I mentioned that newer VBN files used by Symantec Quarantine use a different encryption scheme; instead of using well-known xor with a 0x5A key, they now use 0xA5 key.

Turns out that I was right about it, but only partially, as there is a twist to it – not only are these files encrypted, but they are also divided into chunks separated by a 5-byte ‘chunk divider’ in the form of 0xF6 0x?? 0x?? 0xFF 0xFF. So, to reconstruct the encrypted Quarantine files, one needs to decrypt them with 0xA5 first and then remove the chunk dividers.

Simple, isn’t it?
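As an added illustration of that two-step reconstruction (this is not the DeXRAY code itself), here is a Python sketch run over a constructed sample; the `build_sample` helper and the `looks_like_pe` sanity check are my additions for testing, not part of the VBN format.

```python
import re

# Values described in the post: newer VBN payloads are xor'ed with 0xA5 and
# split into chunks by a 5-byte divider 0xF6 0x?? 0x?? 0xFF 0xFF.
XOR_KEY = 0xA5
DIVIDER_RE = re.compile(rb"\xF6.{2}\xFF\xFF", re.DOTALL)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte xor; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def strip_chunk_dividers(data: bytes) -> tuple[bytes, int]:
    """Remove every divider; returns (cleaned data, number of dividers removed).

    Caveat: the two middle bytes are wildcards, so a payload that itself
    contains F6 xx xx FF FF would lose those bytes too; compare the removed
    count against the expected chunk layout when that matters."""
    return DIVIDER_RE.subn(b"", data)


def decrypt_vbn_payload(blob: bytes) -> tuple[bytes, int]:
    """Order matters: decrypt with 0xA5 first, then drop the dividers."""
    return strip_chunk_dividers(xor_bytes(blob, XOR_KEY))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check after reconstruction: a quarantined executable starts with 'MZ'."""
    return data[:2] == b"MZ"


def build_sample(plaintext: bytes, chunk_size: int) -> bytes:
    """Constructed test input (not a real VBN file): chunk the plaintext, put a
    divider between chunks (wildcard bytes = chunk index), then xor everything."""
    chunks = [plaintext[i:i + chunk_size] for i in range(0, len(plaintext), chunk_size)]
    body = bytearray(chunks[0])
    for idx, chunk in enumerate(chunks[1:], start=1):
        body += bytes([0xF6, idx & 0xFF, (idx >> 8) & 0xFF, 0xFF, 0xFF])
        body += chunk
    return xor_bytes(bytes(body), XOR_KEY)


# Constructed sample: an ASCII-only stand-in for a quarantined PE, so no byte
# of the plaintext can collide with the divider pattern (86 bytes -> 6 chunks).
SAMPLE_PLAINTEXT = b"MZ" + b"constructed quarantine body " * 3
SAMPLE_BLOB = build_sample(SAMPLE_PLAINTEXT, chunk_size=16)

if __name__ == "__main__":
    recovered, removed = decrypt_vbn_payload(SAMPLE_BLOB)
    print(f"removed {removed} dividers, PE header present: {looks_like_pe(recovered)}")
```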

I updated DeXRAY.pl to handle this (quick & dirty patch, but it should work). If you find some VBN files that don’t get decrypted at all or get corrupted after decryption, please let me know.

I bet Symantec guys added this to prevent accidental detection of Quarantine files by their own and other AV companies’ scanners; the way I think it goes is that many AV companies use an X-ray technique during scans (that is, they may find malware even if it is encrypted with a single-byte xor), so they could potentially/accidentally decrypt and detect the Quarantine file during scans. That could lead to some ‘funny’ results (recursive detection, etc.); introducing the ‘chunk divider’ breaks the file format of the encrypted file, and AV scanners can no longer ‘understand’ the corrupted file structure (especially if it is an encrypted PE file).

Download the new version from here: DeXRAY.pl


PESectionExtractor – Extracting PE sections and their strings

In my old post I mentioned that one way to extract sections from Portable Executables is to use 7zip. This, of course, is not an elegant solution, so I wrote a script to do it in a more generic way.

The script attached to this post allows you to:

  • extract PE sections to separate files

  • extract strings from all sections providing a context for each string

  • extract strings from all sections providing a context for each string, but in a bit smarter way, i.e. excluding strings from sections named .rsrc/.reloc, as they often contain a lot of strings that are just random data (e.g. from bitmaps, or bytes that by chance happen to look like a ‘meaningful’ sequence of characters)

Notably, the string extraction excludes the appended data – this is good news if you run the script over e.g. installers. Installers, as explained in my older post, are very often setup.exe (stub) files with appended data that is compressed/encrypted and doesn’t provide any value to analysts unless decompressed/decrypted.

If the script fails to work, it is most likely the result of a packer/protector that deliberately corrupts some of the PE structures (e.g. using values outside reasonable boundaries that are still accepted by the Windows PE loader). The practical value of analysing sections/strings extracted from protected/packed/corrupted files is usually low, so I don’t add any checks to the script to detect such cases. Many of these techniques are discussed by Ange, who also offers practical examples (files he crafted manually to test certain properties of PE files), so if you want to know more about this subject, and perhaps improve the script, his web site will give you all the info you need.

By the way, if you like Python, you can easily toy around with Ero Carrera’s pefile module and re-create the script with the same or better functionality.

You can download PESectionExtractor.pl script here.