{"id":2683,"date":"2014-12-18T18:29:40","date_gmt":"2014-12-18T18:29:40","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2683"},"modified":"2014-12-19T12:57:10","modified_gmt":"2014-12-19T12:57:10","slug":"the-not-so-boring-land-of-borland-executables-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2014\/12\/18\/the-not-so-boring-land-of-borland-executables-part-2\/","title":{"rendered":"The not so boring land of Borland executables, part 2"},"content":{"rendered":"<p>In <a title=\"The not so boring land of Borland executables, part 1\" href=\"https:\/\/www.hexacorn.com\/blog\/2014\/12\/05\/the-not-so-boring-land-of-borland-executables-part-1\/\">part 1<\/a> we explored the case of the resource timestamps that may come in handy while building a timeline, or at least when you are trying to figure out when a specific Borland executable was compiled (I use &#8216;Borland&#8217; here, but we know it means all the possible variations of Borland-esque compilers\/products we can think of: Delphi, Borland C++, CodeGear, Embarcadero).<\/p>\n<p>The other interesting fact you may come across is the family of Borland files that are compiled with an old version of Borland C++. They have two very interesting and peculiar properties:<\/p>\n<ul>\n<li>They have two exports: __GetExceptDLLinfo and ___CPPdebugHook<\/li>\n<li>They also include the original name of the executable<\/li>\n<\/ul>\n<p>The first one makes it easy to recognize them.<\/p>\n<p>The second one, while it may not be the most forensically interesting information, may still give you some clues for further research. It may come in handy if the exported name is unique enough, as it may allow you to search for samples from the very same family (e.g. 
on Google, VirusTotal, Malwr).<\/p>\n<p>For example, running the good old pedump.exe over the file with the hash <a href=\"https:\/\/www.virustotal.com\/en\/file\/9bcc1ab30a900906e4dbccc341f3722383f7666a03ab5d898a153aa58f4c9428\/analysis\/\">3E19EF9C9A217D242787A896CC4A5B03<\/a> gives us the following:<\/p>\n<pre>exports table:\r\n\r\n  Name:            winmgmtc.exe\r\n  Characteristics: 00000000\r\n  TimeDateStamp:   00000000 -&gt; Thu Jan 01 08:00:00 1970\r\n  Version:         0.00\r\n  Ordinal base:    00000001\r\n  # of functions:  00000002\r\n  # of Names:      00000002\r\n\r\n  Entry Pt  Ordn  Name\r\n  00001059     1  __GetExceptDLLinfo\r\n  0000C128     2  ___CPPdebugHook<\/pre>\n<p>The Export Directory is populated with the name of the original .exe, followed by the two exports.<\/p>\n<p>And yes, many online AV checkers\/sandboxes do not show this information.<\/p>\n<p>So, two things to remember now:<\/p>\n<ul>\n<li>If it is an older Delphi file, check its resource section&#8217;s compilation timestamp<\/li>\n<li>If it is Borland C++, check the export directory<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In part 1 we explored the case of the resource timestamps that may come in handy while building a timeline, or at least when you are trying to figure out when a specific Borland executable was compiled (I use &#8216;Borland&#8217; &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/12\/18\/the-not-so-boring-land-of-borland-executables-part-2\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2683"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2683"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2683\/revisions"}],"predecessor-version":[{"id":2689,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2683\/revisions\/2689"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}