Malware Analysis – Identifying File Types


Identifying File Types

  • Identifying the file type is extremely important because it tells us the target OS and the corresponding architecture.
  • An example of a Windows executable file format is the PE (Portable Executable).
  • A PE can take the form of an .exe, a .dll, etc.
  • To accurately identify a file type we need to analyze the file signature rather than trust the extension. This avoids false positives caused by double extensions (for example a file named as a document that is really an executable).
  • The file signature is located in the file header.
  • The file signature for PE files is the hexadecimal value 4D 5A (the ASCII characters MZ) in the first 2 bytes (offsets 0-1).
  • PE programs also contain the DOS stub notice “This program cannot be run in DOS mode”.
  • The PE header begins with the hexadecimal signature 50 45 (the ASCII characters PE).

Note: Attackers may use archiving/packing to evade signature-based identification. We will cover this in the packing section.
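The checks above carried out in code, as an added example that is not part of the original notes: it reads the MZ bytes, follows the e_lfanew field at offset 0x3C of the DOS header to the PE signature, and reads the Machine and Characteristics fields of the COFF file header (field offsets taken from the PE/COFF specification). The sample buffers it builds are constructed for the demo and are not real executables.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_TYPES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (AMD64)", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag that marks a DLL


def identify_pe(data: bytes) -> dict:
    """Classify a byte buffer by its signature, ignoring the file extension."""
    # Check 1: DOS header magic 4D 5A ('MZ') in bytes 0-1
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"type": "not a PE/MZ file"}
    # Offset 0x3C (e_lfanew) holds the file offset of the PE header
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    # Check 2: signature 50 45 00 00 ('PE\0\0') at that offset;
    # 24 = 4-byte signature + 20-byte COFF file header
    if pe_offset + 24 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        return {"type": "MZ file without a valid PE header (DOS program or corrupt)"}
    # COFF file header: Machine at +4, Characteristics at +22 from the signature
    machine = struct.unpack_from("<H", data, pe_offset + 4)[0]
    characteristics = struct.unpack_from("<H", data, pe_offset + 22)[0]
    return {
        "type": "PE",
        "arch": MACHINE_TYPES.get(machine, f"unknown (0x{machine:04X})"),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "has_dos_notice": b"This program cannot be run in DOS mode" in data[:pe_offset],
    }


def build_sample(machine: int, characteristics: int) -> bytes:
    """Constructed minimal PE-like buffer (DOS header + stub text + PE signature +
    COFF file header). It is a demo input, not a runnable executable."""
    pe_offset = 0x80
    dos = bytearray(pe_offset)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_offset)  # e_lfanew -> PE header
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Name suggests a document, bytes say x64 DLL: the signature wins
    print("report.pdf.dll ->", identify_pe(build_sample(0x8664, 0x2022)))
    print("archive.zip    ->", identify_pe(b"PK\x03\x04" + b"\0" * 100))
```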

Tools We Will Be Using

  • HxD – Hex editor.
  • Exeinfo PE – Retrieves the Windows PE header information. It also detects whether the executable has been packed, identifies the packer version, and suggests how to unpack it.
  • PEstudio
  • CFF Explorer