Category Archives: PE

CVE-2012-0158: RTF/OLE/CFBF/PE

Since support for the RTF file format has been added very recently with version 0.9.4 of the Profiler, it’s a good idea to test it against real malware. I downloaded a pack of RTFs from contagiodump.blogspot.com and as I …

Posted in CFBF, PE, Profiler, RTF

Detect broken PE manifests

In the previous post we’ve seen a brief introduction to how hooks work. If you haven’t read that post, you’re encouraged to do so in order to understand this one. What we’re going to do in this post is something …

Posted in Hooks, PE, Profiler, Python, SDK

Previews

The upcoming version 0.9.2 of the Profiler adds previews for various things: images (all supported formats), several Portable Executable resources and Office Word documents (text-only). Since media elements are rendered through third-party code, the Profiler displays a warning box before …

Posted in CFBF, PE, Profiler

.NET support

Although there haven’t been customer requests for this, the upcoming 0.9.0 version of the Profiler adds support for .NET, which includes the format, layout ranges and an MSIL disassembler. As usual, let’s begin with the format itself. Since some users probably …

Posted in PE, Profiler

Microsoft Authenticode

Based on RSA’s PKCS#7 standard, Authenticode is the technology developed by Microsoft to digitally sign programs and drivers on Windows. Trusted signatures guarantee that the certificate owner is indeed the author of the signed executable, and also that the data …

Posted in PE, Profiler

Validation of Portable Executable resources

One of the new features of the upcoming 0.8.6 version of the Profiler is the validation of resources. This means the Profiler verifies the integrity of resources and lets the user inspect problems, making it easy to discover things like …

Posted in PE, Profiler

PE analysis (part 1)

This is the first of a series of posts that will be dedicated to PE analysis features. In previous posts we have seen how the Profiler has started supporting PE as a format, and while it still lacks support for …

Posted in PE, Profiler

Resource & Load Config Directory

The upcoming 0.8.3 version of the Profiler features two new directories. Most of the work went into implementing an efficient model-view-controller for the Resource Directory tree. Last year I was notified by Ange Albertini that his resourceloop.exe sample …

Posted in PE, Profiler

Portable Executable: coming soon

In the upcoming 0.8.1 release of the Profiler, initial support for PE files has been introduced. :) Most of the work went into optimizing the UI and allowing complex custom views to be built easily while maintaining great speed. …

Posted in PE, Profiler