dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
2085
pchelp7
join:2001-03-05
Manson, WA

pchelp7

Member

Exe Extras

The ability to inspect executables relates rather well to security...

On a client's computer today, I installed a couple of "tweaks" I've been using for quite a long time. He was impressed! I realized I really should share them.

For editing and viewing executables, I commonly use WinVi32. It's an excellent binary file/hex editor.

I also often use Robin Keir's BinText to view text inside executables. It's definitely the nicest tool I've seen for this purpose.

To make it easy to use these tools, I created right-click options for .EXE files. The result can be seen in this image:

pc-help.org/misc/images/ExeExtras.gif

Here's a zipfile that contains two .reg files that implement those right-click options on Win95 and Win98:

pc-help.org/pub/ExeExtras.zip

Extract the .reg files and double-click to install.

The Registry entries produced by these .reg files assume that BinText is installed in C:\Program Files\Keir and that WinVi is in C:\Program Files\WinVi32. Both apps are distributed in a simple zip package and require the user to create or choose their folders of residence. You can place them wherever you like, just be sure the .reg files are adjusted accordingly prior to merging.

Naturally, a similar approach can be used on other file types and applications.

pchelp

Flagg1
@knology.net

Flagg1

Anon

Yeah! More tools! Thanks.

Rocktagon
Slightly Bent
Premium Member
join:2000-11-04
Chattaroy, WA

Rocktagon to pchelp7

Premium Member

to pchelp7
These work better than what I used, W32Dasm, which I don't understand anyway
I was told once, if you continue to read or view things you don't understand eventually some of it will stick.
I was wondering if you have any examples of malicious code embedded in an .exe file you could post. I know it would only be an example, but it may give those of us with limited programming knowledge an idea of the kinds of things to be looking for.
Your links, .reg files, and instructions were concise and installation was a breeze. I have viewed a couple attachments I keep around just to look at code and to tell you the truth a lot of it is Greek!
Thanks for the informative post pchelp
PS: The bintext program is located at Foundstone now.

Occasu$
join:2001-07-20
North Vancouver, BC

Occasu$ to pchelp7

Member

to pchelp7
said by rocktagon:
I was wondering if you have any examples of malicious code embedded in an .exe file you could post. I know it would only be an example, but it may give those of us with limited programming knowledge an idea of the kinds of things to be looking for.
That is a great idea rocktagon. This really has peaked my curiosity, thanks for those tools PChelp
pchelp7
join:2001-03-05
Manson, WA

pchelp7 to Rocktagon

Member

to Rocktagon
said by Rocktagon:
I was wondering if you have any examples of malicious code embedded in an .exe file you could post. I know it would only be an example, but it may give those of us with limited programming knowledge an idea of the kinds of things to be looking for.
Sure, good idea!

There are a few types of text that I watch for when trying to understand an executable. First is the API names. You know the .exe has at least the _potential_ to do unwanted things if you see APIs like:

RegSetValueExA Writes to the Registry
RegCreateKeyExA Makes a Registry key
Reg[whatever] Registry worries: Set, Delete, Create
CreateFileA Makes a file; could be innocent
NetShareAdd Creates a share
NetShareEnum Checks out shares
WNetAddConnectionA Maps a drive or resource
WNet[whatever] Windows Networking stuff

Also you'll find .DLL names. One to really watch out for:

wsock32.dll - Windows Sockets, aka TCP/IP networking.

Usually you'll find error messages and user feedback in plain text. A couple to raise your hair from BO2K:

Could not start listen socket
Could not move/rename directory

Look for email headers and NNTP protocol commands, common in worms:

Type: multipart/mixed
Encoding: base64
HELO
RCPT TO:

Known nasties often have their own name inside, which you may recognize:

begin 644 Happy99.Exe -- Happy99
(This's CV, No Nimda.) -- Nimda

If you see this or something similar down in the middle of a file (it's normally at the very top):

This program must be run under Win32

... then there's another executable contained _inside_ this one. Very common with keyloggers, which are often dropped by trojans and run independently.

If the thing plays with the Registry, you'll usually find Registry key and path names. Some to watch out for:

currentversion -- that's where the startup keys live.
exefile -- some modify this key for startup.

There are tons of other things, you just have to use your head. Here's some text from a porn-dialer trojan:

Port Opened
Openning port...
Initializing modem...
rasdialProb
rasdialProbPB
Undefined RAS Dial Error (%ld).

It's not uncommon to find obvious indicators of malware, such as llittle gloats or greetz to the writer's buddies. Not surprisingly, they're frequently in ungrammatical, misspelled or h@x0r1zed text.

Even compressed .exe's often reveal telltale bits of text.

Compression/encryption isn't unusual. Look for UPX and other PE compressor names early in the file, they usually announce themselves. It's not a sure sign of malware, but certainly not a good sign either.Often you can decompress them; just seek out a copy of the PE compressor utility, which is often available free or as a demo. It can be very revealing! The bad guys sometimes go really nuts in a proggy they're compressing, tossing in even more of the obvious telltales and taunts than usual.

Don't limit your curiosity to .exe's. Not all executables carry the .exe extension by a long shot; especially malware. Commonly used extensions on worms and other malware are .com, .scr, .pif, .shs, and other executable types; also .dll, .jpg, .txt. Anything is possible. An executable extension is not always necessary in order to make a program run. For instance, entries in the Registry startup keys (Run, RunServices, RunOnce, etc.) are executed regardless of extension.

pchelp
(edits in italics)
 
 
[text was edited by author 2002-02-03 15:19:52]

Rocktagon
Slightly Bent
Premium Member
join:2000-11-04
Chattaroy, WA

Rocktagon

Premium Member

Thanks guy, that is exactly the type of information I was looking for. I think this information should be voted into archive status. I knew about file extensions and some of the registry settings but you have opened our eyes to much that will help people take one additional step beyond anti-virus or anti-Trojan scanning, not to mention increase their awareness and knowledge.

Good work
pchelp7
join:2001-03-05
Manson, WA

pchelp7

Member

said by Rocktagon:
Thanks guy, that is exactly the type of information I was looking for. I think this information should be voted into archive status. I knew about file extensions and some of the registry settings but you have opened our eyes to much that will help people take one additional step beyond anti-virus or anti-Trojan scanning, not to mention increase their awareness and knowledge.

Good work
Thanks, Rocktagon!

I remembered another trick that can be very useful. It's one reason I like to use WinVi in conjunction with BinText.

Textual data in an .exe is not always in strings BinText can handle. This is particularly true of menu-type data that's displayed in application windows, but it applies to other things too, such as error message strings. Most often, each text character is followed by a null byte (00), so the text goes: letter, null, letter, null. Since BinText looks for a certain minimum number of text chars in sequence, these get missed.

I unpacked the BioNet v3.13 trojan server with UPX, then used WinVi to look inside. Here's how that type of text looks. It's readable in the hex editor, but with difficulty.

Now, the trick is, you can do a search-and-replace with WinVi, and simply remove all the null bytes in the whole file. Then save it and text-scan the result (which is certainly no longer executable, so be sure and keep a backup if you value the file) with BinText, and the text will emerge.

pchelp

OzarkMan$
join:2000-12-22
Ozark Mtns.

OzarkMan$ to pchelp7

Member

to pchelp7
pchelp....thanks for the wonderful info !

BTW....Robin Keir's BinText is now part of the Foundstone group and finding it difficult to find. By chance do you have another link for BinText ?

TIA
pchelp7
join:2001-03-05
Manson, WA

pchelp7

Member

said by OzarkMan:
pchelp....thanks for the wonderful info !
My pleasure!
quote:
BTW....Robin Keir's BinText is now part of the Foundstone group and finding it difficult to find. By chance do you have another link for BinText ?
Oh, I see. My link was a bit dated, eh? And the link from there is not direct. Here's a link that works for me:

www.foundstone.com/knowledge/termsofuse.html?filename=bintext.zip

They want to make that license agreement impossible to miss! I'm inclined to go along with that; it's their software, and a generous service. There's a simple button on that page to allow anonymous download. You don't have to sign up for the mailing list!

pchelp

Rocktagon
Slightly Bent
Premium Member
join:2000-11-04
Chattaroy, WA

Rocktagon to OzarkMan$

Premium Member

to OzarkMan$
You can try here, it is a direct link. You have to enable some HactiveX and JavaScript to get to the download link at Foundstone.

OzarkMan$
join:2000-12-22
Ozark Mtns.

OzarkMan$

Member

Thanks Keith and Rock for the link....
quote:
You have to enable some HactiveX and JavaScript to get to the download link at Foundstone
Only if you do not have Foundstone already in a Kind of Trust Zone
pchelp7
join:2001-03-05
Manson, WA

pchelp7

Member

I've adapted my right-click option-enabling .reg files to include not only .exe's but also these extensions:

.com
.bat
.pif
.scr
.shs
.shb
.dll

Incidentally, I changed the hotkey for BinText to X instead of T, which I finally realized was already taken by the Cut option. (Those making heavy use of the keyboard instead of the mouse may notice this, but I suspect no one else will care. I wonder how many people even know how to bring up right-click options without using the mouse? [Shift-F10])

I also had an opportunity to verify that the .reg files work just fine to enable the right-clicks on WinXP Home. This means they almost certainly work on NT, Win2K and XPPro as well.

I also established that both BinText and WinVi32 do run properly on XP.

The ExeExtras.zip file has ben updated with the expanded .reg files and is still in the same place:

pc-help.org/pub/ExeExtras.zip

Now, it can be super-easy for anyone to examine all those file types with BinText and WinVi32.

pchelp

CrazyM
Premium Member
join:2001-05-16
BC Canada

CrazyM

Premium Member

said by pchelp:
I also had an opportunity to verify that the .reg files work just fine to enable the right-clicks on WinXP Home. This means they almost certainly work on NT, Win2K and XPPro as well.

The registry files worked without a hitch on W2K sp2. Thanks for the great info and reg files.

CrazyM

davidovv
join:2001-06-19
Netherlands

davidovv to pchelp7

Member

to pchelp7
Thumbs up, Keith

regards.

paul wilders

»www.wilders.org security