Analyzing files starting with the ‘MZ’ magic value can be called a \u201cdaily bread\u201d for reverse engineers. The reason for this is pretty simple \u2013 if you look at the top of your average executable file you will notice that majority of them start with these 2 magic letters. Since it\u2019s the most common file format that malware analysts work with, in this post I will have a deeper (but still high-level) look at files of this type.<\/p>\n
There are so many types of executables starting with ‘MZ’ that looking at the first 2 bytes is often not enough. In fact, there are so many various flavors of MZ files, that it\u2019s pretty hard to list them all, but let\u2019s try anyway:<\/p>\n
From malware analysis point of view, we have to also include another categorization as well, which is very much related to \u201cextra\u201d file properties often added by malware authors, including:<\/p>\n
Finally, we can use as a classifier the presence and the content of the following metadata:<\/p>\n
It is super high-level, but as you may guess, analyzing any single executable listed on this list requires completely different approach.<\/p>\n
<\/p>\n
Update #1:<\/strong><\/p>\n fixed a mistake related to NE\/PE – NE files have been replaced by PE files on 32-bit Windows; thx to Imaginative (one of the best reversers I know) for picking it up \ud83d\ude42<\/p>\n Update #2:<\/strong><\/p>\n Just to clarify: NE files still run on Win XP + this file format is being used to store .fon files (Thx Ange @ corkami.com<\/a> – he is one of the best binary magicians out there!)<\/p>\n","protected":false},"excerpt":{"rendered":" Analyzing files starting with the ‘MZ’ magic value can be called a \u201cdaily bread\u201d for reverse engineers. The reason for this is pretty simple \u2013 if you look at the top of your average executable file you will notice that … Continue reading