{"id":6723,"date":"2019-08-31T23:09:04","date_gmt":"2019-08-31T23:09:04","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6723"},"modified":"2019-08-31T23:26:33","modified_gmt":"2019-08-31T23:26:33","slug":"pdb-goodness","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/08\/31\/pdb-goodness\/","title":{"rendered":"PDB Goodness"},"content":{"rendered":"\n<p>In the recently published <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2019\/08\/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html\">Definitive Dossier of Devilish Debug Details<\/a>, <a href=\"https:\/\/twitter.com\/stvemillertime\">Steve Miller<\/a> goes on a very entertaining adventure through the PDB paths of known malware campaigns and authors. I love this article, because I have always felt that the PDB path is a great, and often overlooked, forensic artifact, and even though I did some research on it <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/03\/10\/mz-file-format-flavours-malware\/\">in<\/a> <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/05\/08\/and-the-most-popular-windows-account-for-compiling-malware-is\/\">the<\/a> <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/06\/02\/playing-with-program-database-paths\/\">past<\/a> myself, I have never seen a comprehensive study at the level that Steve delivered.<\/p>\n\n\n\n<p>Inspired by it, I took a quick look at the PDB paths of&#8230; primarily clean files. 
I say <em>primarily<\/em> because, while I am almost certain that most of them are clean, one can never be 100% sure&#8230; To support the claim, I can list a couple of paths I found in this (allegedly) clean corpus suggesting that <em>clean<\/em> probably means different things to different people:<\/p>\n\n\n\n<ul><li>D:\\TEMP\\fuckingasus\\Debug\\fuckingasus.pdb<\/li><li>D:\\Work\\pgtool\\svn\\pgtoolfuck\\Release\\RTNicPgW32.pdb<\/li><li>D:\\Work\\pgtool\\svn\\pgtoolfuck\\x64\\Release\\RTNicPgW64.pdb<\/li><li>d:\\tmp\\1driver\\fuck4\\rtl818xb\\platform\\ndis6\\usb\\objfre_wlh_x86\\i386\\rtl8187.pdb<\/li><li>C:\\TMP\\shit\\msikbd.2k\\objfre\\i386\\msikbd2k.pdb<\/li><li>c:\\WORK\\XPSDriver\\oishitts_view\\oishitts_xpsdrv093_051208_build\\XPSRenderer092\\xpsdriver\\AquaFilter\\Release\\Win32\\AquaFilter.pdb<\/li><li>C:\\Users\\lol g\\Desktop\\PowerBiosServer_20561\\PowerBiosServer_20080428\\PowerBiosServer\\obj\\Release\\PowerBiosServer.pdb<\/li><\/ul>\n\n\n\n<p>I still believe that most of these are clean, and&#8230; perhaps an honest mistake got these paths embedded in the final executables ;), and who knows&#8230; maybe some of them even got signed \ud83d\ude09<\/p>\n\n\n\n<p>Looking at all these paths we can draw some quick conclusions:<\/p>\n\n\n\n<ul><li>We could use them to generate a set of <em>good<\/em> yara signatures that match known-good files; this helps with clustering<\/li><li>Of course, since the list is now public, bad guys could reuse these paths to make such yara signatures fire on malicious files pretending to be benign. The PDB path is just a string in the PE debug directory, so it costs nothing to forge and a match on it is a clustering hint rather than proof of anything<\/li><li>We see that Perforce, SVN, CVS and Git are popular version control systems, and their presence in a path perhaps indicates proper software development practice at the company that generated the executables (could this alone be a good indicator for determining whether a file is benign?)<\/li><li>Lots of different programming languages in use<\/li><li>Lots of personal build environments (1K unique user names under the c:\\users folder alone!)<\/li><li>Some coders compiled programs under an Administrator account (in fairness, my corpus spans files from 2000 to 2019, so plenty of them come from the old-school days when <em>Admin<\/em> was the default for everything)<\/li><li>There are traces of some beautiful build environments out there; seriously, clusters of these PDB paths directly show the symptoms of very mature development practices<\/li><li>Surprisingly, many paths are on drives other than C:; could this be a generic indicator of &#8216;good&#8217; too?<\/li><li>Also, some of the usernames are clearly test-related; I am curious whether these were overlooked in a final build, or whether some files were &#8216;leaked&#8217; (<em>test<\/em>, <em>Test<\/em>, <em>SKtester<\/em>, <em>nbtester<\/em>, <em>cvcctest<\/em>, <em>Pretest<\/em>, <em>tester<\/em>, <em>test5<\/em>, <em>TestUser<\/em>, <em>Test2<\/em>, <em>Test05<\/em>, <em>TestPC<\/em>, <em>Pinocchio_test<\/em>)<\/li><li>We have users from all over the place: English\/American, Chinese, Indian, Irish, French, Korean, Russian, Arabic, etc.<\/li><\/ul>\n\n\n\n<p>You can download a zipped archive with the PDB paths <a href=\"https:\/\/hexacorn.com\/d\/good_PDB.zip\">here<\/a>.<\/p>\n\n\n\n<p>Note: This file is watermarked; you cannot use it for commercial purposes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the recently published Definitive Dossier of Devilish Debug Details, Steve Miller goes on a very entertaining adventure through the PDB paths of known malware campaigns and authors. 
I love this article, because I have always felt that &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/08\/31\/pdb-goodness\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[39,88],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6723"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6723"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6723\/revisions"}],"predecessor-version":[{"id":6730,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6723\/revisions\/6730"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
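The feature extraction and yara generation sketched in the post's conclusions, as an added worked example that is not part of the original post or the downloadable archive. It carves CodeView "RSDS" records (the structure that carries the PDB path in a PE debug directory) out of raw bytes, splits each path into the features the post reasons about (drive letter, user name under the profile folder, test- or Admin-looking accounts, version-control directory names) and emits a yara rule keyed on the path. Assumptions: the raw magic scan is a simplification of walking the PE debug directory, the VCS token list and the "test"/"Admin" user checks are heuristics, and the sample RSDS blob plus the paths marked constructed are made up for the demo; the two other paths are quoted from the post.

```python
"""Triage helpers for PDB paths carried in PE files (added example, not the post's code)."""
import re
import struct
import uuid

# CodeView RSDS record as stored in the PE debug directory (IMAGE_DEBUG_TYPE_CODEVIEW):
#   b"RSDS" | 16-byte GUID (little-endian field layout) | uint32 age | NUL-terminated path
RSDS_MAGIC = b"RSDS"

# Heuristic (assumption): directory names that hint at a version-control checkout.
VCS_TOKENS = {"svn": "svn", "git": "git", "cvs": "cvs", "perforce": "perforce", "p4": "perforce"}
# Profile folders for Vista+ and for the 2000/XP era the post's 2000-2019 corpus also covers.
USER_RE = re.compile(r"[\\/](?:Users|Documents and Settings)[\\/]([^\\/]+)", re.I)


def carve_rsds(blob: bytes) -> list:
    """Return (guid, age, pdb_path) for every RSDS record found by raw scanning.

    Simplification: a production tool would walk the debug directory instead of
    scanning for the magic, which can also hit stray "RSDS" bytes in data.
    """
    records = []
    pos = blob.find(RSDS_MAGIC)
    while pos != -1:
        body = blob[pos + 4:]
        end = body.find(b"\x00", 20)          # path starts after GUID (16) + age (4)
        if end != -1:
            guid = uuid.UUID(bytes_le=body[:16])
            (age,) = struct.unpack_from("<I", body, 16)
            records.append((str(guid), age, body[20:end].decode("utf-8", "replace")))
        pos = blob.find(RSDS_MAGIC, pos + 4)
    return records


def pdb_features(path: str) -> dict:
    """Split one PDB path into the forensic features the post draws conclusions from."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    drive = parts[0][0].upper() if parts and re.fullmatch(r"[A-Za-z]:", parts[0]) else None
    m = USER_RE.search(path)
    user = m.group(1) if m else None
    vcs = sorted({VCS_TOKENS[p.lower()] for p in parts if p.lower() in VCS_TOKENS})
    return {
        "drive": drive,
        "off_c_drive": drive is not None and drive != "C",
        "user": user,
        "user_is_test": bool(user and re.search(r"test", user, re.I)),
        "user_is_admin": bool(user and user.lower().startswith("admin")),
        "vcs": vcs,
        "pdb_name": parts[-1] if parts else None,
    }


def yara_rule(path: str, name: str) -> str:
    """Emit a yara rule matching this exact PDB path in an MZ file (case-insensitive).

    Caveat from the post: the path is attacker-controlled text, so a hit is a
    clustering hint, not evidence that the file is benign.
    """
    literal = path.replace("\\", "\\\\").replace('"', '\\"')   # yara string escaping
    return "\n".join([
        f"rule {name}",
        "{",
        "    strings:",
        f'        $pdb = "{literal}" ascii nocase',
        "    condition:",
        "        uint16(0) == 0x5A4D and $pdb",
        "}",
    ])


def rule_name(path: str) -> str:
    """Derive a yara-safe identifier from the PDB file name."""
    stem = (pdb_features(path)["pdb_name"] or "unknown").rsplit(".", 1)[0]
    return "good_pdb_" + re.sub(r"\W", "_", stem)


# Constructed sample: a fragment of a PE image with one RSDS record embedded in it.
SAMPLE_PATH = r"C:\Users\TestUser\Desktop\demo\Release\demo.pdb"
SAMPLE_GUID = uuid.UUID("01234567-89ab-cdef-0123-456789abcdef")
SAMPLE_BLOB = (b"MZ" + b"\x00" * 30 + RSDS_MAGIC + SAMPLE_GUID.bytes_le
               + struct.pack("<I", 3) + SAMPLE_PATH.encode() + b"\x00" + b"\x00" * 8)

# First two paths quoted from the post; the rest are constructed to exercise every feature.
SAMPLE_PATHS = [
    r"C:\Users\lol g\Desktop\PowerBiosServer_20561\PowerBiosServer_20080428\PowerBiosServer\obj\Release\PowerBiosServer.pdb",
    r"c:\WORK\XPSDriver\oishitts_view\oishitts_xpsdrv093_051208_build\XPSRenderer092\xpsdriver\AquaFilter\Release\Win32\AquaFilter.pdb",
    r"C:\Documents and Settings\nbtester\My Documents\p4\agent\Release\agent.pdb",   # constructed
    r"C:\Users\Administrator\src\git\tool\x64\Release\tool.pdb",                     # constructed
    r"E:\perforce\depot\tool\Release\tool.pdb",                                      # constructed
]

if __name__ == "__main__":
    for guid, age, path in carve_rsds(SAMPLE_BLOB):
        print(f"RSDS guid={guid} age={age} path={path}")
    for path in SAMPLE_PATHS:
        print(pdb_features(path))
    print(yara_rule(SAMPLE_PATHS[0], rule_name(SAMPLE_PATHS[0])))
```

Run over the archive from the post, the feature dictionaries are what you would pivot on (group by user, by VCS token, by drive) before deciding which paths are distinctive enough to turn into rules; the generated rule deliberately anchors on the MZ header so it does not fire on the text file the path came from.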