Re-sauce, Part 2

In part 1 I covered the most frequently used resource names. Today I will cover a more obscure type of resource instead. Some developers like to name resources with strings and use those instead of numerical IDs. Many of these are prefixed with ‘IDD_’, so they make for an easy target.

Grepping through a large collection of exported resources, one can find the following ‘custom-named’ resource names (see file).

Browsing through the content one can find a number of IDDs that are clearly very old e.g.

  • IDD_WIZ97SHEET
  • IDD_DISKETTE
  • IDD_INSERT_DISK

but also lots of very boring names e.g.

  • IDD_DIALOG1
  • IDD_DIALOG2
  • IDD_DIALOG3
  • IDD_DIALOG4
  • IDD_ABOUTBOX
  • IDD_DIALOG_FONT
  • IDD_FONT
  • IDD_UNUSED1
  • etc.

— most likely names auto-created by RAD resource editors. There are some funny typos, e.g. IDD_SPLAHSCREEN. Finally, there are some more enigmatic and interesting names like

  • IDD_DEBUG*
  • IDD_NTOPEN
  • IDD_NTCLOSE
  • IDD_CREDITCARD

but these are not really research-worthy.

How can you use this list?

Apart from being an archaeological curiosity, this list may actually be quite helpful: it tells you which IDD_ resource names are at least known in a ‘good sample set’ space. With that you could create yara rules, and perhaps more advanced ‘good file’ detections. And if you write a PE viewer/editor/parser, you could always highlight these as ‘known good resources’.
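As an added illustration of the ‘known good resources’ idea (example code written for this page, not a tool the author published), here is a small scanner that pulls IDD_ names out of a blob in both narrow and UTF-16LE form (the encoding PE resource directories use for string names), checks them against the names quoted in this post, and emits a YARA rule from the known-good set. The known-good set is only the handful of names listed above, IDD_DEBUG* is treated as a prefix, and the sample blob is constructed.

```python
"""Scan a blob (a raw PE file or a dump of its resource section) for IDD_-style
resource names, compare them against a known-good list, and emit a YARA rule."""
import re

# Names taken from the post's list; the post writes IDD_DEBUG* as a wildcard, so it
# is treated as a prefix rather than an exact name.
KNOWN_GOOD_IDD = {
    "IDD_WIZ97SHEET", "IDD_DISKETTE", "IDD_INSERT_DISK", "IDD_DIALOG1", "IDD_DIALOG2",
    "IDD_DIALOG3", "IDD_DIALOG4", "IDD_ABOUTBOX", "IDD_DIALOG_FONT", "IDD_FONT",
    "IDD_UNUSED1", "IDD_SPLAHSCREEN", "IDD_NTOPEN", "IDD_NTCLOSE", "IDD_CREDITCARD",
}
KNOWN_GOOD_IDD_PREFIXES = ("IDD_DEBUG",)

# Resource directory name strings are stored as UTF-16LE inside the PE, so both
# the narrow and the wide encoding are searched.
_NARROW = re.compile(rb"IDD_[A-Za-z0-9_]+")
_WIDE = re.compile(rb"I\x00D\x00D\x00_\x00(?:[A-Za-z0-9_]\x00)+")


def find_idd_names(blob: bytes) -> list:
    """Return the sorted, de-duplicated IDD_ names found in narrow or wide form."""
    names = {m.group(0).decode("ascii") for m in _NARROW.finditer(blob)}
    names |= {m.group(0).decode("utf-16-le") for m in _WIDE.finditer(blob)}
    return sorted(names)


def classify_idd_names(names) -> dict:
    """Split names into those seen in the good sample set and those never seen."""
    known, unknown = [], []
    for name in names:
        if name in KNOWN_GOOD_IDD or name.startswith(KNOWN_GOOD_IDD_PREFIXES):
            known.append(name)
        else:
            unknown.append(name)
    return {"known_good": known, "unknown": unknown}


def build_yara_rule(names, rule_name="known_good_idd_resource_names") -> str:
    """Emit a YARA rule; the 'wide' modifier covers the UTF-16LE form used in PE resources."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, name in enumerate(sorted(names)):
        lines.append(f'        $idd{i} = "{name}" ascii wide')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


# Constructed sample: wide and narrow names with filler bytes between them.
SAMPLE_BLOB = (
    b"\x00" * 8 + "IDD_WIZ97SHEET".encode("utf-16-le") + b"\x00\x00junk"
    + "IDD_SPLAHSCREEN".encode("utf-16-le") + b"\x00" * 4
    + "IDD_TOTALLY_NEW".encode("utf-16-le") + b"IDD_ABOUTBOX\x00IDD_DEBUGLOG\x00"
)

if __name__ == "__main__":
    found = find_idd_names(SAMPLE_BLOB)
    verdict = classify_idd_names(found)
    print("found:", found)
    print("known good:", verdict["known_good"], "unknown:", verdict["unknown"])
    print(build_yara_rule(KNOWN_GOOD_IDD))
```

A hit on this rule only says the name has been seen in the good sample set; generic names like IDD_DIALOG1 turn up in plenty of bad files too, so treat it as a triage hint for a PE viewer or a whitelisting pipeline, not as a verdict.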

Overall, curiosity more than anything useful, but that’s one of the reasons why we are digging it… out.

DeXRAY 2.25 update

I recently learned there are a lot of new (to me) AV companies that I had never heard of. As such, it became an opportunity to update DeXRAY with additional decryption routines.

Such is the case with Total AV, which I have just added to the list. After I installed the product, the actual analysis took literally 15 seconds, once I realized the quarantine file is just a ZIP file encrypted with the password ‘infected’. Oh well, adding features is sometimes easy.
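The observation that the quarantine file is a password-protected ZIP suggests a very short recovery routine. The following is an added example, not DeXRAY's own code: because Python's zipfile module can read but not write traditional PKWARE (ZipCrypto) entries, it hand-assembles a one-entry archive protected that way, then recovers the entry with the password ‘infected’ named above and shows how a wrong password is rejected. The entry name ‘quarantined.bin’ and the payload are constructed; nothing about a real Total AV archive beyond ‘a ZIP with that password’ is assumed here.

```python
"""Recover the original file from a quarantine container that is a ZIP archive whose
entries use traditional PKWARE (ZipCrypto) encryption under a fixed password."""
import io
import struct
import zipfile
import zlib

QUARANTINE_PASSWORD = b"infected"  # the password the post reports for Total AV


def _zipcrypto_keystream(password: bytes):
    """ZipCrypto key schedule as described in PKWARE's APPNOTE. Returns
    (next_keystream_byte, update_with_plaintext_byte); the three keys start from
    the fixed constants and are primed with the password bytes."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc32_byte(ch, crc):
        return (crc >> 8) ^ table[(crc ^ ch) & 0xFF]

    def update(p):
        keys[0] = crc32_byte(p, keys[0])
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc32_byte(keys[1] >> 24, keys[2])

    def stream_byte():
        k = keys[2] | 2
        return ((k * (k ^ 1)) >> 8) & 0xFF

    for b in password:
        update(b)
    return stream_byte, update


def zipcrypto_encrypt(plaintext: bytes, password: bytes, crc: int) -> bytes:
    """12-byte encryption header followed by the encrypted entry data. The header's
    last byte is the top byte of the CRC, which is how readers verify the password."""
    stream_byte, update = _zipcrypto_keystream(password)
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])  # real tools use 11 random bytes
    out = bytearray()
    for p in header + plaintext:
        out.append(p ^ stream_byte())
        update(p)
    return bytes(out)


def build_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """Assemble a one-entry, stored, ZipCrypto-protected archive by hand (a constructed
    stand-in for a quarantine file; zipfile cannot write encrypted entries)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(data, password, crc)
    fname = name.encode("ascii")
    flags, method, dos_time, dos_date = 0x0001, zipfile.ZIP_STORED, 0, 0x21  # bit 0: encrypted
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def extract_quarantine(blob: bytes, password: bytes = QUARANTINE_PASSWORD) -> dict:
    """Return {entry name: recovered bytes}; raises RuntimeError on a wrong password."""
    if not blob.startswith(b"PK\x03\x04"):
        raise ValueError("not a ZIP container")
    recovered = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            pwd = password if info.flag_bits & 0x1 else None
            recovered[info.filename] = zf.read(info, pwd=pwd)
    return recovered


def password_works(blob: bytes, password: bytes) -> bool:
    """True when every entry decrypts and passes its CRC check under this password."""
    try:
        extract_quarantine(blob, password)
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


# Constructed sample: an MZ-headed stub standing in for a quarantined executable.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 30 + b"constructed stand-in for a quarantined file\n"
SAMPLE_QUARANTINE = build_encrypted_zip("quarantined.bin", SAMPLE_PAYLOAD, QUARANTINE_PASSWORD)

if __name__ == "__main__":
    for entry, content in extract_quarantine(SAMPLE_QUARANTINE).items():
        print(f"{entry}: {len(content)} bytes, starts with {content[:2]!r}")
```

In practice only extract_quarantine and password_works are needed against a real file; the encryption side exists so the example can run offline. Write recovered content to an isolated analysis location, since it is the live sample the product removed.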

The latest version of DeXRAY can be downloaded here.

DeXRAY supports:

  • AhnLab (V3B)
  • Amiti (IFC)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • Cisco AMP
  • CMC Antivirus (CMC)
  • Comodo (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • G-Data (Q) (Magic@0=0xCAFEBABE)
  • K7 Antivirus (<md5>.QNT)
  • Kaspersky (KLQ, System Watcher’s .bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Antimalware / Microsoft Security Essentials
  • Microsoft Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 metadata + 0B AD malicious content
  • Panda Zip files
  • Sentinel One (MAL)
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN), including from SEP on Linux
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • Total AV ({GUID}.dat) ‘infected’
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal files
  • Vipre (_ENC2)
  • Zemana files+quarantine.db
  • Any binary file (using X-RAY scanning)