Identifying File Types
- Identifying the file type is extremely important as it helps us identify the target OS and the corresponding architecture.
- An example of a Windows executable file is the PE (Portable Executable).
- A PE could be in the form of; .exe, .dll etc.
- To accurately identify a file type we need to analyze the file signature. This is to avoid false positives caused by the use of double extensions.
- The file signature exists on the file header.
- The file signature for PE files are represented by hexadecimal values of 4D 5A or MZ in the first 2 bytes (0-1).
- PE programs also have the notice “This program cannot be run in DOS mode”
- The PE header begins at hex 50 45.
Note: Attackers may use archiving/packing to evade signature based identification. We will cover this in the packing section.
Tools We Will Be Using
- HxD – Hex Editor
- Exeinfo PE – Retrieves the windows PE header information. It also detects if the executable has been packed and detects the paker version and how to unpack it.
- Pestudio
- CFF explorer