Secure analysis alternative of .exe binaries
Last Updated on Wednesday, 26 May 2010 03:53 Written by macuriel Wednesday, 26 May 2010 03:34
Today I’ll briefly describe three alternatives for analysing binary files.
When we suspected a binary file, we used to have two options:
- The first, not recommendable: run it and assume that it is only “the others” who get infected
- The second: have a virtualized Windows system, run it there, and monitor it with tools such as Filemon, Regmon, Wireshark…
Recently I’ve found a quicker way that could help us in some cases:
- VirusTotal - http://www.virustotal.com/es/
- Joebox - http://www.joebox.org/
- Anubis - http://anubis.iseclab.org/
With VirusTotal we can analyse a file with several antivirus engines at once; it gives us an orientation about the kind of file we are dealing with. This site is a Hispasec Systems creation, and a very good reference in my opinion.
With Joebox we have a sandbox where we can run the executable in a secure virtual environment. It gives us traces with information about the binary’s behaviour. This virtual environment is easy to deploy and offers the same security guarantees as a virtual machine with an independent operating system.
The Anubis online service analyses the binary and sends us a report about its behaviour. It is a good complement to any sandbox, as it allows us to cross-check the information.
grep for Windows environments ^^
Last Updated on Monday, 14 December 2009 09:13 Written by macuriel Monday, 14 December 2009 09:11
To my surprise today, while reading an article about deploying the Bacula Client on Windows, I came across the following command:
findstr
Reading more about it, I can conclude that it looks like grep (never mind sed), but with less power:
findstr [/b] [/e] [/l] [/r] [/s] [/i] [/x] [/v] [/n] [/m] [/o] [/p] [/offline] [/g:file] [/f:file] [/c:string] [/d:dirlist] [/a:ColorAttribute] [strings] [[Drive:][Path] FileName [...]]
Hey, it even lets us use some regular expressions:
.         Wildcard: any character
*         Repeat: zero or more occurrences of previous character or class
^         Line position: beginning of line
$         Line position: end of line
[class]   Character class: any one character in set
[^class]  Inverse class: any one character not in set
[x-y]     Range: any characters within the specified range
\x        Escape: literal use of metacharacter x
\<xyz     Word position: beginning of word
xyz\>     Word position: end of word
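As an added example (my own code, not from the original post or from Microsoft), here is a small Python emulation of the findstr regular-expression subset in the table above: each operator is translated to Python's re module and run over a few constructed Bacula-style log lines. It also reproduces the /c: rule (spaces separate multiple search strings unless /c: is given), so you can see why a pattern containing a space matches more than expected.

```python
import re

PASS_THROUGH = set(".*^$")   # findstr metacharacters that mean the same in Python re

def findstr_to_python(pattern):
    """Translate one findstr /r pattern into Python re syntax. Only the operators
    in the table above exist in findstr, so + ? | ( ) { } are literals there."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "<":                    # \<xyz : beginning of word
                out.append(r"\b(?=\w)")
            elif nxt == ">":                  # xyz\> : end of word
                out.append(r"(?<=\w)\b")
            else:                             # \x : literal metacharacter x
                out.append(re.escape(nxt))
            i += 2
        elif c == "[":                        # [class] [^class] [x-y]: same syntax in re
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unterminated character class in %r" % pattern)
            out.append(pattern[i:end + 1])
            i = end + 1
        else:
            out.append(c if c in PASS_THROUGH else re.escape(c))
            i += 1
    return "".join(out)

def findstr(search, lines, ignore_case=False, line_numbers=False,
            invert=False, literal_c=False):
    """Emulate `findstr /r [/i] [/n] [/v] [/c:]` over a list of lines. Without /c:
    findstr splits the argument on spaces and reports a line matching any piece."""
    patterns = [search] if literal_c else search.split()
    flags = re.IGNORECASE if ignore_case else 0
    regexes = [re.compile(findstr_to_python(p), flags) for p in patterns]
    hits = []
    for n, line in enumerate(lines, start=1):
        if any(rx.search(line) for rx in regexes) != invert:
            hits.append(f"{n}:{line}" if line_numbers else line)
    return hits

# Constructed sample lines standing in for a Bacula file daemon log.
LOG = [
    "14-Dec 09:11 bacula-fd: Starting Bacula Client",
    "14-Dec 09:12 bacula-fd: Error: cannot open C:\\Bacula\\bacula-fd.conf",
    "14-Dec 09:13 bacula-fd: Backup job finished OK",
    "14-Dec 09:14 bacula-fd: connection refused (error 10061)",
]
```

For instance, `findstr("^14-Dec 09:1[24]", LOG)` matches every line because the argument is split into two patterns, while the same call with `literal_c=True` matches only the two lines with those minutes.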
References – http://www.microsoft.com/