How to identify malware extensions from hash? - security

The malware I'm trying to analyze is saved without a file extension and just the hash. I would like to know basic info about this file, such as whether it is .dll vs .exe and whether it is 64bit or 32bit. What is the best way to do this?

I would suggest using pestudio (www.winitor.com) as a malware initial assessment tool. This tool shows many details of any Portable Executable file (aka PE). Additionally, it queries VirusTotal (submitting the hash of the file and NOT the file itself) to check whether the file is already known.
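The two facts asked for (DLL vs EXE, 32-bit vs 64-bit) both live in the PE headers, so they can be read without any extension or external tool. The following is an added example, not code from the question, the answer or pestudio: it parses the DOS header, PE signature, COFF header and optional-header magic from raw bytes, reports the SHA-256 alongside, and includes a constructed minimal header (`build_sample_pe`, an assumption for offline testing, not a real sample) so it runs without a malware file.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000                      # COFF Characteristics flag: image is a DLL
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)",
            0x01C4: "ARM (32-bit)", 0xAA64: "ARM64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}  # optional-header Magic: 32-bit vs 64-bit image

def identify_pe(data: bytes) -> dict:
    """Read the DOS header, PE signature and COFF/optional header from raw bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of 'PE\0\0'
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew: not a PE image")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = 0
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "machine": MACHINES.get(machine, f"unknown (0x{machine:04X})"),
        "format": OPT_MAGIC.get(magic, "unknown"),
        "bits": {0x10B: 32, 0x20B: 64}.get(magic),
        "sections": nsec,
    }

def build_sample_pe(machine: int, characteristics: int, magic: int) -> bytes:
    """Constructed minimal headers (not a loadable binary) so the parser runs offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)        # e_lfanew = 0x80
    dos += b"\0" * (0x80 - len(dos))                           # pad DOS stub to 0x80
    opt_size = 240 if magic == 0x20B else 224
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, opt_size, characteristics)
    return dos + coff + struct.pack("<H", magic) + b"\0" * (opt_size - 2)

if __name__ == "__main__":
    import sys
    # Usage: python pe_ident.py <file-named-by-hash>; with no argument, parse a constructed x64 DLL header
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x8664, 0x2022, 0x20B)
    for key, value in identify_pe(blob).items():
        print(f"{key:8}: {value}")
```

A file that fails both header checks is simply not a PE image (a packed sample inside a zip, a script, a document), which is worth knowing before reaching for a PE viewer.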

Related

How to temporarily mask a file in a read-only filesystem with another file?

I'm trying to use a software library to run some computations. These computations can be customized using a few configuration files in its share directory. Unfortunately this library only provides hard-coded paths to specific files in its (read-only) share directory which store these default configurations. Thus right now only a super-user or administrator could modify them. The library doesn't search for any user-local versions of these configuration files. I'd like to develop a wrapper tool which additionally takes a path to an alternate version of one of these configuration files in the user's home directory and have that file somehow appear to "mask" the original file on the file system for the duration of process execution, without actually modifying the original file in any way (since it can't). Is there a Linux tool I could use to do this sort of thing?

How to build MSI package on a linux server?

I have a windows desktop application which is currently available on a Linux server for download on user's machine. I want to automate the process of MSI packaging on the same Linux server using any EXE/DLL.
I have an App.exe and App.txt file. Some information should be read from text file and injected into exe before creating an MSI package. This entire process has to happen dynamically in the Linux server only after the user clicks on download.
Can anybody point me in the right direction as to how I can achieve my goal? I want to achieve the same by having minimum dependencies on any additional/3rd party tool. TIA for any time and effort.
P.S.: I have done some R&D about various installers but none of them were matching the criteria as they have too many dependencies.
False Positive Risk: Creating a new binary for every user would seem to be very unwise because of malware scanners and their ability to recognize "known" versions of binaries (by hash).
If you create a new binary for each user, the malware suite might suddenly start to quarantine your setup without any warning or sense. This problem is not trivial anymore as malware control is hardened everywhere and setups that run with elevated rights are "prime suspects for risk management".
Digital signatures can help, but they are merely a guarantee that you made the setup, and not a guarantee that the setup doesn't contain anything harmful. Nothing worse than signed malware vectors. In fact it is proof positive that the malware came from you :-). Note: some people even manage to tamper with signed executables. The combination of the latter two facts is very troubling.
Application Setup: I like to eliminate such features and details from the setup and make the application itself responsible for its own configuration on first launch after installation. I find this more reliable and easier to debug.
Custom Configuration: You can apply custom configuration information at runtime via various mechanisms. You should add in a transform, or you can create a batch file next to the setup with this information embedded and pass to the MSI or the setup.exe.
Batch File?: The msiexec.exe command line supports passing parameters to the MSI. You can generate a batch file that will run the setup with such parameters if you design your setup to support these "incoming" parameters.
msiexec.exe /i myinstaller.msi ADDLOCAL="Program,Dictionaries" SERIALKEY="1234-1234" /qn
Transform: You can also create a transform to contain the parameters (a transform is a tiny MSI fragment with settings and changes to the original MSI):
msiexec.exe /i myinstaller.msi TRANSFORMS="mytransform.mst" /qn
A transform would be difficult to create on a Linux box, seeing as they are COM-structured storage files native to Windows only. I am not sure if it is even possible, but maybe.
Some Links:
Can the resulting command line be determined after running an .msi installer?
Change Program Name and Shortcut Title during installation
How to make better use of MSI files
We have had some success with wixl from msitools.
Also WiX will run under WINE.
However, in both cases we have not had EmbedCab="yes" work, which may or may not affect you.

Explanation how DLL hijack of Notepad++ worked please

Notepad++ acknowledged this DLL hijack vulnerability:
https://wikileaks.org/ciav7p1/cms/page_26968090.html
I don't get from the description how it works. As a Notepad++ user I am concerned and as a developer myself I am curious too.
There is a general DLL hijack explanation here - What is dll hijacking?. A bit too general.
Does it mean that to effectively exploit this vulnerability the attacker has to first have control over my PC, using a different vector of attack, to plant a malicious version of SciLexer.dll (?) into the DLL search path?
If the attacker already has such power over my PC, why would he bother with Notepad++? Why not go after more core libraries or even system ones?
I also don't get the implications of this remark in the WikiLeaks text: For the life of me, I couldn't get this function [Scintilla_DirectFunction(..)] to be called. If this is the only exported function in that DLL, the only one called by the Notepad++ core, how come it is not called? That would mean also that malicious code would not be called either.
Was a hacked SciLexer.dll ever actually detected, hacked by the CIA or anyone else, or is it only a discovered possibility?
Also, the Notepad++ team, in the release notes for the latest release 7.3.3, claims that they "Fix CIA Hacking Notepad++ issue". Any ideas how they could do it?
A DLL hijacking attack is simple: Consider your download directory that contains many files.
If someone manages to make you download the manipulated SciLexer.dll, it will most likely be downloaded into your download directory. You don't do anything with the file after download; the file just remains where it has been downloaded.
Later you download a txt file from somewhere on the net and this file is also placed in the download directory.
If you now open the explorer and double click the downloaded txt file the current directory is the download directory. The dll hijack vulnerable Notepad++ version would then search for the SciLexer.dll file to be loaded in the current directory (which is now the download directory). Therefore Notepad++ would load the manipulated SciLexer.dll that you downloaded previously.
Regarding the fix, you can look at the source code changes that fix the bug.
It seems like the Notepad++ team changed the way this DLL is loaded and additionally they added a certificate check of the SciLexer.dll.

How to check if files exist in .ism without using InstallShield

I want to verify if certain exe files already exist in a merge module .ism (binary format). Is there a method of doing this without using InstallShield?
An *.ism file is really an MSI file with a changed extension. MSI files in turn are SQL databases stored as COM-structured storage files - a file system inside a single file with file streams for various content. This is the same format used in Office documents.
You can view MSI files with Orca from the Windows SDK: http://www.hass.de/content/how-install-microsoft-orca
Windows Installer XML (WiX) Deployment Tools Foundation (DTF) has an InstallPackage class available that exposes a FindFiles() method. This should make it really easy to query for the EXE. Just realize that, being a merge module, you won't know the full installation path as that's decided by the MSI generally.
Both of Chris's suggestions should work fine, as would using Orca. But it got me thinking there might be an even easier way using a tool called Merge Module Finder. It all depends on what you really want to do. Find files already in merge modules? Investigate what merge modules are in an InstallShield file? It is not quite clear exactly what you want to do.
Though a bit clunky at times (I think the author hasn't updated it for the latest versions of Windows) it will help you look for a file in a bunch of merge modules interactively. You can also search for a registry value. Here is a screenshot:

How do you check the integrity of downloaded open source files?

I would like to start checking that the open source projects that I am using in my apps are what the developers released. I noticed that many projects have SHA1 and MD5 digests; presumably these can be easily tampered with, for example if a hacker replaces the original zip file on a mirror they can also replace the .md5 and .sha1.
How can I check the integrity of third party open source libraries that I depend on?
I think there is no trusted way for this, since the hacker may change the source files and their (md5 or sha1) files. He may simply replace the whole project with another one.
So, download the source from trusted sites such as SourceForge and code.google.com and CodeProject and mirrors recommended by these sites.
Typically, in an open source project, although it is open to all to download and modify themselves, the ability to actually change the uploaded files is restricted to certain individuals governed by the project owner.
A good example is https://github.com/thecodemine/formwizard, where you can see a read-only link, but cannot modify directly unless authorised.
However you can fork the project to your own account and modify as you wish, for example https://github.com/AlexKey/formwizard
I'm also guessing that on large open source projects like Linux distributions, for example, even code / files uploaded by authorised individuals will also go through stringent reviews before official release.
A hacker, of course, on compromising a system could change files at will, but this isn't a weakness of an open source model but instead could be a problem for any project.
Also things like code signing help detect unauthorised modification.
http://en.wikipedia.org/wiki/Code_signing
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.
You have not Googled your question. If you do so you'll get a lot of content about it. The link below will teach you how to check the integrity of a downloaded file.
https://help.ubuntu.com/community/HowToMD5SUM
You may also check the following link, which shows that it is very difficult to modify or replace the .md5 and .sha1 files.
Here's the link.
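The worry raised in the question (an attacker who swaps the archive on a mirror can swap the .md5/.sha1 sidecar with it) is exactly what a plain md5sum/sha1sum check cannot catch. The following is an added example, not code from any answer above: it parses the coreutils sidecar format, verifies each listed file in constant time, and optionally anchors the sidecar itself to a digest obtained out of band (a signed release note, the project's own page over TLS), which is the step that turns "not corrupted in transit" into "what the developers published". The archive bytes, sidecar and trusted digest are constructed for the demo.

```python
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdef")

def parse_sums(text: str) -> list:
    """Parse coreutils-style sidecar lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if not name or not set(digest.lower()) <= HEX_DIGITS:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries.append((name, digest.lower()))
    return entries

def verify_sums(sums_text: str, algo: str, files: dict, trusted_sums_sha256=None) -> dict:
    """Check each listed name against files[name] (bytes); returns {name: matched}.
    trusted_sums_sha256 is the SHA-256 of the sidecar itself, obtained out of band.
    Without it, a sidecar swapped on the mirror together with the archive verifies fine."""
    if trusted_sums_sha256 is not None and not hmac.compare_digest(
            hashlib.sha256(sums_text.encode()).hexdigest(), trusted_sums_sha256.lower()):
        raise ValueError("checksum file does not match the trusted digest")
    results = {}
    for name, digest in parse_sums(sums_text):
        data = files.get(name)
        results[name] = data is not None and hmac.compare_digest(
            hashlib.new(algo, data).hexdigest(), digest)
    return results

# Constructed sample: a release archive, the .sha1 sidecar a mirror would serve,
# and the digest of that sidecar as the project itself would publish it.
GOOD_ZIP = b"example-1.0.zip (constructed archive bytes)"
GOOD_SUMS = hashlib.sha1(GOOD_ZIP).hexdigest() + "  example-1.0.zip\n"
TRUSTED = hashlib.sha256(GOOD_SUMS.encode()).hexdigest()

def demo() -> tuple:
    genuine = verify_sums(GOOD_SUMS, "sha1", {"example-1.0.zip": GOOD_ZIP}, TRUSTED)
    # Mirror compromise: the archive is swapped AND the sidecar rewritten to match it
    evil_zip = b"backdoored archive (constructed)"
    evil_sums = hashlib.sha1(evil_zip).hexdigest() + " *example-1.0.zip\n"
    unanchored = verify_sums(evil_sums, "sha1", {"example-1.0.zip": evil_zip})    # still "passes"
    try:
        verify_sums(evil_sums, "sha1", {"example-1.0.zip": evil_zip}, TRUSTED)  # now caught
        anchored = "accepted"
    except ValueError:
        anchored = "rejected"
    return genuine, unanchored, anchored
```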
