{"id":891,"date":"2012-04-30T19:01:58","date_gmt":"2012-04-30T19:01:58","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=891"},"modified":"2012-05-01T09:43:57","modified_gmt":"2012-05-01T09:43:57","slug":"file-formats-zoo-installers","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/04\/30\/file-formats-zoo-installers\/","title":{"rendered":"File Formats ZOO – Installers"},"content":{"rendered":"

Continuing on my previous post<\/a> I am adding some more information about file signatures.<\/p>\n

First, the illustration \ud83d\ude42<\/p>\n

\"\"<\/a><\/p>\n

One of the types of Portable Executable file format that is not so often discussed are installers. For these who don’t know, in most cases a typical installer for Windows is a standalone Portable Executable file with some extra data appended to it (with a notable exception of .msi files that are containers handles by the Windows Installer<\/a>).<\/p>\n

The installer file usually contains two parts. The first part is a standalone setup file that is unique and identical across all installers created with the same version of the (installation) packager\/wizard\/script. The second part is the actual software that is about to be installed – often preserved in a compressed\/encrypted way. The most popular installers include Nullsoft Scriptable Install System (NSIS)<\/a> and Inno Setup<\/a>, but there are literally hundreds of them available.<\/p>\n

Let me say here that ‘installer’ is a very wide term and can include pretty much any .exe file with any file appended to its end and in some cases – files embedded inside the main .exe (either directly as a data\/encrypted data, or as a resource embedded within a resource section). Many well-known formats are used as an appended data. So, one can find .exes with appended JPG files, Flash Movies, other .exe files and many other variants. One very popular type of installers (even if they don’t necessarily classify as a software installer) are self extracting archives e.g. RarSFX, CABSFX, 7ZSFX, etc. All of these are treated here equally ==> .exe + something appended to it.<\/p>\n

From a forensic perspective, determining that some .exe is an installer could help in data reduction as long as we can confirm the installer has been executed on the investigated system. All you have to do is to extract the installer and run it in a test environment. The collected artifacts can be then removed from the local copy of the evidence e.g. by a file name. If you remember my preaching post a few days ago on speeding up case processing<\/a> – deleting files created by a confirmed installer could be a good thing to do \/as long as the installer itself is out of scope\/. Let’s not overlook this possibility as removing thousands of small files created by software packages often present on the investigated systems could be a very good data reduction technique. Whether it is Java Runtime Environment, Microsoft Visual Studio, Adobe software, or any other large package, we could save a lot of time simply removing these from our view. While I am saying this, I must emphasize that this is a very unexplored area and needs both more research and new tools. Still, any data reduction technique available to an examiner is more than needed and whoever gets it right and gets there first will be cracking cases in no time.<\/p>\n

MZ...PE... I.n.s.t.a.l.l.S.h.i.e.l.d.<\/strong><\/span><\/pre>\n
InstallShield Installer. Contains no appended data.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20\u00a0 t be run in DOS<\/pre>\n
62 29 00 00 00 00 00 00 00 00 50 45<\/strong> 00 00 4C 01\u00a0 b)........PE<\/strong>..L.<\/pre>\n
\u2026<\/pre>\n
00 23 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E\u00a0 .#...C.o.m.p.a.n<\/pre>\n
00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 49<\/strong>\u00a0 .y.N.a.m.e.....I<\/strong><\/pre>\n
00 6E 00 73 00 74 00 61 00 6C 00 6C 00 53 00 68\u00a0 .n.s.t.a.l.l.S.h<\/pre>\n
00 69 00 65 00 6C 00 64 00 20 00 53 00 6F 00 66\u00a0 .i.e.l.d. .S.o.f<\/pre>\n
\u2026<\/pre>\n
MZ...PE... _winzip_ \u2026<\/span><\/strong><\/pre>\n
A self extracting WinZip32 executable. Contains stub (archive extractor) and a typical Zip file. There is no appended data.<\/p>\n
4D 5A <\/strong>90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 05 00 F0 A4 F5 47 00 00 00 00\u00a0 PE<\/strong>..L......G....<\/pre>\n
00 00 00 00 E0 00 03 01 0B 01 08 00 00 E0 00 00\u00a0 ................<\/pre>\n
...<\/pre>\n
[section table]<\/pre>\n
2E 74 65 78 74 00 00 00 B4 D5 00 00 00 10 00 00\u00a0 .text...........<\/pre>\n
00 E0 00 00 00 10 00 00 00 00 00 00 00 00 00 00\u00a0 ................<\/pre>\n
00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00 00\u00a0 .... ..`.rdata..<\/pre>\n
42 29 00 00 00 F0 00 00 00 30 00 00 00 F0 00 00\u00a0 B).......0......<\/pre>\n
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40\u00a0 ............@..@<\/pre>\n
2E 64 61 74 61 00 00 00 DC 54 00 00 00 20 01 00\u00a0 .data....T... ..<\/pre>\n
00 20 00 00 00 20 01 00 00 00 00 00 00 00 00 00\u00a0 . ... ..........<\/pre>\n
00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00\u00a0 ....@....rsrc...<\/pre>\n
88 91 00 00 00 80 01 00 00 A0 00 00 00 40 01 00\u00a0 .............@..<\/pre>\n
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40\u00a0 ............@..@<\/pre>\n
5F 77 69 6E 7A 69 70 5F<\/strong> 00 30 0A 00 00 20 02 00\u00a0 _winzip_<\/strong>.0... ..<\/pre>\n
00 30 0A 00 00 E0 01 00 00 00 00 00 00 00 00 00\u00a0 .0..............<\/pre>\n
00 00 00 00 40 00 00 42\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ....@..B<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | \u2026 dbload<\/span><\/strong><\/pre>\n
A perl script converted into an executable with a perl2exe utility.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 04 00 1C B2 B8 3B 00 00 00 00\u00a0 PE<\/strong>..L......;....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 10 00 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
\u2026<\/pre>\n
64 62 6C 6F 61 64 20 31 2E 30 20 73 69 67 6E 61\u00a0 dbload 1.0 signa<\/pre>\n
74 75 72 65<\/strong> 0D 0A 0D 0A 80 80 80 80 80 80 80 80\u00a0 ture<\/strong>............<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | !sfx!.<\/strong><\/span><\/pre>\n
Self extracting WinAce installer\/archive.<\/p>\n
4D 5A<\/strong> 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00\u00a0 MZ<\/strong>P.............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00\u00a0 PE<\/strong>..L....^B*....<\/pre>\n
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 DE 01 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
21 73 66 78 21<\/strong> 00 53 03 00 00 00 01 B8 AF 00 00\u00a0 !sfx!<\/strong>.S.........<\/pre>\n
01 00 00 00 11 00 00 00 06 00 00 00 14 00 00 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | 7z<\/strong><\/span><\/pre>\n
Self extracting 7z installer\/archive. Contains stub (archive extractor) and a typical 7z archive.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 04 00 49 B5 57 47 00 00 00 00\u00a0 PE<\/strong>..L...I.WG....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 92 01 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
37 7A<\/strong> BC AF 27 1C 00 02 E1 AB 8F 68 7E DB C6 00\u00a0 7z<\/strong>..'......h~...<\/pre>\n
00 00 00 00 26 00 00 00 00 00 00 00 37 1C 2D 11\u00a0 ....&.......7.-.<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | BZh<\/strong><\/span><\/pre>\n
Self extracting Bzip2 installer\/archive. Contains stub (archive extractor) and a typical Bzip2 archive.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 04 00 B4 CE 3D 3C 00 00 00 00\u00a0 PE<\/strong>..L.....=<....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 A0 01 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
42 5A 68<\/strong> 39 31 41 59 26 53 59 75 91 99 30 00 02\u00a0 BZh<\/strong>91AY&SYu..0..<\/pre>\n
D9 7F FF FF DF FB FF E3 F5 FF FF FF FF FF FF FF\u00a0 ...............<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | CWS<\/strong><\/span><\/pre>\n
Macromedia Flash Player. Contains stub (flash player) and a typical compressed Flash file (CWS).<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
...<\/pre>\n
50 45<\/strong> 00 00 4C 01 06 00 38 AD 57 3F 00 00 00 00\u00a0 PE<\/strong>..L...8.W?....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 00 0C 00\u00a0 ................<\/pre>\n
...<\/pre>\n
[Appended data]<\/pre>\n
43 57 53<\/strong> 07 5E 9A 01 00 78 9C BC 3B 5B 90 1C D5\u00a0 CWS<\/strong>.^...x..;[...<\/pre>\n
75 67 7A 7A 66 7A DF 0F AD 34 7A EC 4A 42 12 82\u00a0 ugzzfz...4z.JB..<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | FWS<\/strong><\/span><\/pre>\n
Macromedia Flash Player. Contains stub (flash player) and a typical Flash file (FWS).<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45 <\/strong>00 00 4C 01 05 00 FD 8A 49 37 00 00 00 00\u00a0 PE<\/strong>..L.....I7....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 30 03 00\u00a0 .............0..<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
46 57 53<\/strong> 04 ED A0 03 00 70 00 09 C4 00 00 FA 00\u00a0 FWS<\/strong>.....p.......<\/pre>\n
00 0C 54 00 43 02 FF FF FF 00 06 44 0B 06 00 00\u00a0 ..T.C......D....<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | \u2026 IFCM<\/strong><\/span><\/pre>\n
Microsoft Help 2.x.<\/p>\n
4D 5A<\/strong> 00 00 00 00 00 00 00 00 00 00 00 00 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 02 00 00 00 00 00 00 00 00 00\u00a0 PE<\/strong>..L...........<\/pre>\n
00 00 00 00 E0 00 01 20 0B 01 00 00 00 00 00 00\u00a0 ....... ........<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
\u2026<\/pre>\n
49 46 43 4D<\/strong> 01 00 00 00 00 20 00 00 00 00 10 00\u00a0 IFCM<\/strong>..... ......<\/pre>\n
FF FF FF FF FF FF FF FF 09 00 00 00 00 00 00 00\u00a0 ................\u2026<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | Inno Setup<\/strong><\/span><\/pre>\n
Inno Setup installer.<\/p>\n
4D 5A<\/strong> 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00\u00a0 MZ<\/strong>P.............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45 <\/strong>00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00\u00a0 PE<\/strong>..L....^B*....<\/pre>\n
00 00 00 00 E0 00 8F 81 0B 01 02 19 00 90 00 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
49 6E 6E 6F 20 53 65 74 75 70 20 53 65 74 75 70\u00a0 Inno Setup Setup<\/strong><\/pre>\n
20 44 61 74 61 20 28 35 2E 31 2E 31 33 29 00 00\u00a0\u00a0 Data (5.1.13)..<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | MZ<\/strong><\/span><\/pre>\n
An executable with the appended data that probably contains another executable. It may be either a custom installer or a wrapper.<\/p>\n
4D 5A<\/strong> 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00\u00a0 MZ<\/strong>P.............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45 <\/strong>00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00\u00a0 PE<\/strong>..L....^B*....<\/pre>\n
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 0E 04 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | Rar!<\/strong><\/span><\/pre>\n
A self extracting WinRar executable. Contains stub (archive extractor) and a typical Rar file.<\/p>\n
4D 5A<\/strong> 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00\u00a0 MZ<\/strong>P.............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 04 00 E6 68 F2 46 00 00 00 00\u00a0 PE<\/strong>..L....h.F....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 05 00 00 40 01 00\u00a0 .............@..<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
52 61 72 21<\/strong> 1A 07 00 CF 90 73 00 00 0D 00 00 00\u00a0 Rar!<\/strong>.....s......<\/pre>\n
00 00 00 00 83 59 7A 00 80 23 00 6E 00 00 00 6E\u00a0 .....Yz..#.n...n<\/pre>\n
\u2026<\/pre>\n
MZ... PE... | SQ5SFX<\/strong><\/span><\/pre>\n
Squeez self-extracting executable.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45 <\/strong>00 00 4C 01 03 00 BA 1F 9F 48 00 00 00 00\u00a0 PE<\/strong>..L......H....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 C0 00 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
53 51 35 53 46 58<\/strong> CE B0 01 00 05 00 00 00 C7 0C\u00a0 SQ5SFX<\/strong>..........<\/pre>\n
00 00 5B 64 65 73 63 72 69 70 74 69 6F 6E 5D 0D\u00a0 ..[description].<\/pre>\n
\u2026<\/pre>\n
MZ... PE... | sRBV... ResJ<\/strong><\/span><\/pre>\n
AWinstall Installer.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 \u00a0MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 04 00 94 AD EF 47 00 00 00 00\u00a0 PE<\/strong>..L......G....<\/pre>\n
00 00 00 00 E0 00 03 01 0B 01 09 00 00 C6 01 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
73 52 42 56<\/strong> 06 68 1F 00 16 68 1F 00 06 03 00 00\u00a0 sRBV<\/strong>.h...h......<\/pre>\n
52 65 73 4A<\/strong> 7F FF FB 81 C1 79 91 46 DE D1 BB 72\u00a0 ResJ<\/strong>.....y.F...r<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | Smart Install Maker<\/strong><\/span><\/pre>\n
Installer created with Smart InstallMaker.<\/p>\n
4D 5A<\/strong> 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00\u00a0 MZ<\/strong>P.............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00\u00a0 PE<\/strong>..L....^B*....<\/pre>\n
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 62 01 00\u00a0 .............b..<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
53 6D 61 72 74 20 49 6E 73 74 61 6C 6C 20 4D 61\u00a0 Smart Install Ma<\/strong><\/pre>\n
6B 65 72<\/strong> 20 76 2E 20 35 2E 30 30 00 30 00 30 00\u00a0 ker<\/strong> v. 5.00.0.0.<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | SZDD<\/strong><\/span><\/pre>\n
Executable with appended file being SZDD archive.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
...<\/pre>\n
50 45<\/strong> 00 00 4C 01 05 00 CE F8 9B 3E 00 00 00 00\u00a0 PE<\/strong>..L......>....<\/pre>\n
00 00 00 00 E0 00 0E 01 0B 01 04 14 00 0C 01 00\u00a0 ................<\/pre>\n
...<\/pre>\n
[Appended data]<\/pre>\n
53 5A 44 44<\/strong> 88 F0 27 33 41 6D F0 A3 01 00 FF 49\u00a0 SZDD<\/strong>..'3Am.....I<\/pre>\n
54 53 46 03 00 00 00 F5 60 F5 F0 01 F5 F0 33 15\u00a0 TSF.....`.....3.<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | wwgT<\/strong><\/span><\/pre>\n
Installer created with Install Creator.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45 <\/strong>00 00 4C 01 03 00 C0 9F C2 41 00 00 00 00\u00a0 PE<\/strong>..L......A....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 30 01 00\u00a0 .............0..<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
77 77 67 54<\/strong> 29 48 35 14 01 00 6E 02 00 00 F2 06\u00a0 wwgT<\/strong>)H5...n.....<\/pre>\n
00 00 01 78 DA AD 94 4F 68 13 41 14 C6 DF EE 6C\u00a0 ...x...Oh.A....l<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | 0xA3 HK<\/strong><\/span><\/pre>\n
AutoIt or AutoHotkey script.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45 <\/strong>00 00 4C 01 03 00 A2 3E 49 47 00 00 00 00\u00a0 PE<\/strong>..L....>IG....<\/pre>\n
00 00 00 00 E0 00 23 01 0B 01 08 00 00 70 03 00\u00a0 ......#......p..<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
A3 48 4B<\/strong> BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D\u00a0 .HK<\/strong>..lJ..LS...H}<\/pre>\n
41 55 33 21 45 41 30 36 F0 6B 89 18 C1 BC 11 F7\u00a0 AU3!EA06.k......<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | 0xEF 0xBE 0xAD 0xDE nsisinstall<\/strong><\/span><\/pre>\n
Old version of Nullsoft Installer. Note characteristic hex string \u201cDEADBEEF\u201d (0xEFBEADDE) at the beginning of the appended data.<\/p>\n
4D 5A <\/strong>90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 04 00 85 A8 25 3A 00 00 00 00\u00a0 PE<\/strong>..L.....%:....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 60 00 00\u00a0 .............`..<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
EF BE AD DE<\/strong><\/span> 6E 73 69 73 69 6E 73 74 61 6C 6C<\/strong> 00\u00a0 ....nsisinstall<\/strong>.<\/pre>\n
0D F0 AD 0B 2C 13 00 00 D1 46 09 00 44 46 58 20\u00a0 ....,....F..DFX<\/pre>\n
\u2026<\/pre>\n
MZ... PE... |\u00a0 \u20260xEF 0xBE 0xAD 0xDE... NullsoftInst<\/strong><\/span><\/pre>\n
Nullsoft Installer. Note characteristic hex string \u201cDEADBEEF\u201d (0xEFBEADDE) at the beginning of the appended data. In some cases, versions of Nullsoft Installer can be found inside the manifest (in the resources of PE executable).<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45 <\/strong>00 00 4C 01 05 00 1A 5A A0 49 00 00 00 00\u00a0 PE<\/strong>..L....Z.I....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 5C 00 00\u00a0 .............\\..<\/pre>\n
\u2026<\/pre>\n
00 00 00 00 EF BE AD DE<\/strong><\/span> 4E 75 6C 6C 73 6F 66 74<\/strong>\u00a0 ........Nullsoft<\/strong><\/pre>\n
49 6E 73 74<\/strong> 1D 27 02 00 33 90 17 00 5D 00 00 80\u00a0 Inst.'..3...]...<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | \u2026 PK<\/span><\/strong><\/pre>\n
A self extracting Zip executable. Contains stub (archive extractor) and a Zip file.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45<\/strong> 00 00 4C 01 03 00 5A F5 36 48 00 00 00 00\u00a0 PE<\/strong>..L...Z.6H....<\/pre>\n
00 00 00 00 E0 00 03 01 0B 01 08 00 00 00 01 00\u00a0 ................<\/pre>\n
\u2026<\/pre>\n
[End of file]<\/pre>\n
50 4B<\/strong> 05 06 00 00 00 00 04 00 04 00 EF 00 00 00\u00a0 PK<\/strong>..............<\/pre>\n
FF 99 48 01 00 00 00 00 00 00 00 00 50 15 00 00\u00a0 ..H.........P...<\/pre>\n
\u2026<\/pre>\n
MZ... PE...\u00a0 | \u2026 Wise<\/span><\/strong><\/pre>\n
WISE Installer.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
\u2026<\/pre>\n
50 45 <\/strong>00 00 4C 01 04 00 3F 6C D8 3B 00 00 00 00\u00a0 PE<\/strong>..L...?l.;....<\/pre>\n
00 00 00 00 E0 00 0F 05 0B 01 06 00 00 22 00 00\u00a0 .............\"..<\/pre>\n
\u2026<\/pre>\n
[Appended data]<\/pre>\n
\u2026<\/pre>\n
57 69 73 65 <\/strong>20 49 6E 73 74 61 6C 6C 61 74 69 6F\u00a0 Wise<\/strong> Installatio<\/pre>\n
6E 20 57 69 7A 61 72 64 2E 2E 2E 00 ED 5B CD 8F\u00a0 n Wizard.....[..<\/pre>\n
\u2026<\/pre>\n
MZ...PE... | \u2026 ESIV<\/strong><\/span><\/pre>\n
VISE Installer.<\/p>\n
4D 5A<\/strong> 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ<\/strong>..............<\/pre>\n
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0 ........@.......<\/pre>\n
...<\/pre>\n
50 45<\/strong> 00 00 4C 01 05 00 49 E3 5E 37 00 00 00 00\u00a0 PE<\/strong>..L...I.^7....<\/pre>\n
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 C0 00 00\u00a0 ................<\/pre>\n
...<\/pre>\n
[End of file]<\/pre>\n
DA E1 E1 47 47 DA DA E1 E1 47 47 DA DA E1 E1 47\u00a0 ...GG....GG....G<\/pre>\n
8F D9 A8 DE F4 9C 03 FF 45 53 49 56<\/strong> 00 10 01 00\u00a0 ........ESIV<\/strong>....<\/pre>\n
\u2026<\/pre>\n","protected":false},"excerpt":{"rendered":"
Continuing on my previous post I am adding some more information about file signatures. First, the illustration \ud83d\ude42 One of the types of Portable Executable file format that is not so often discussed are installers. For these who don’t know, … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[21],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/891"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=891"}],"version-history":[{"count":15,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/891\/revisions"}],"predecessor-version":[{"id":917,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/891\/revisions\/917"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}