As a malware analyst I sometimes receive Microsoft files which have been manipulated.
E.g. infected by a virus and cleaned afterwards.
Here are some indicators to recognize PE file manipulation. 🧵
You missed a really cool one: for the last 5 or so years all Microsoft binaries are built using /Brepro. This includes a SHA256 hash inside the file in a debug directory. I intended to write a blog post on this & publish a verifying tool, but kind of forgot about it.
Thank you! I did not know this. Please let me know when you write your blog post.
For native files hash calculation is rather straightforward: twitter.com/sixtyvividtail. But for MSIL there are some caveats, depending on strong name signing mode (possibly a bug in the original implementation, which now has to persist).
Quoted tweet: Ever wondered how /Brepro "timestamps" for MSVC reproducible builds are generated? It's just the last 4 bytes of sha256 over the binary file, with the following defaults:
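As an added example (not code from the thread, nor Microsoft's tooling), a Python consistency check on a /Brepro binary: it walks the PE debug directory, reads the IMAGE_DEBUG_TYPE_REPRO entry, and compares the COFF header TimeDateStamp with the last four bytes of the stored hash. It assumes the entry layout is a DWORD length followed by the hash, and that the timestamp bytes equal the hash tail in file byte order; the input is a constructed minimal PE, since the thread does not give the hashing defaults needed to recompute the hash from a real file.

```python
import hashlib
import struct

IMAGE_DEBUG_TYPE_REPRO = 16  # debug entry type emitted by the MSVC linker for /Brepro

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (vsize, va, rawsize, rawptr)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x not inside any section" % rva)

def repro_hash_check(data):
    """Return (stored_hash, timestamp, consistent) for an in-memory PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec, timestamp, opt_size = struct.unpack_from("<HI8xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x20B = PE32+, 0x10B = PE32
    dbg_dir = opt + (112 if magic == 0x20B else 96) + 6 * 8  # data directory index 6 = DEBUG
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dbg_dir)
    sec_tab = opt + opt_size
    sections = [struct.unpack_from("<IIII", data, sec_tab + i * 40 + 8) for i in range(nsec)]
    off = rva_to_offset(sections, dbg_rva)
    for i in range(dbg_size // 28):                          # IMAGE_DEBUG_DIRECTORY is 28 bytes
        _, _, _, _, typ, _, _, raw_ptr = struct.unpack_from("<IIHHIIII", data, off + i * 28)
        if typ == IMAGE_DEBUG_TYPE_REPRO:
            hlen = struct.unpack_from("<I", data, raw_ptr)[0]   # assumed: DWORD length + hash
            h = data[raw_ptr + 4:raw_ptr + 4 + hlen]
            return h, timestamp, h[-4:] == struct.pack("<I", timestamp)
    return None, timestamp, False                            # no REPRO entry: nothing to verify

def build_repro_pe(hash32, timestamp):
    """Constructed minimal PE32+ carrying one REPRO debug entry (test input, not a real binary)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112 + 6 * 8, 0x1000, 28)    # DEBUG data directory -> .rdata
    sec = b".rdata\0\0" + struct.pack("<IIII", 64, 0x1000, 512, 0x200) + bytes(16)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    body = struct.pack("<IIHHIIII", 0, timestamp, 0, 0, IMAGE_DEBUG_TYPE_REPRO, 36, 0x1000 + 28, 0x200 + 28)
    body += struct.pack("<I", 32) + hash32
    return hdr.ljust(0x200, b"\0") + body.ljust(512, b"\0")

SAMPLE_HASH = hashlib.sha256(b"constructed sample").digest()   # constructed stand-in for the linker hash
SAMPLE_TS = struct.unpack("<I", SAMPLE_HASH[-4:])[0]           # timestamp a /Brepro build would carry

if __name__ == "__main__":
    print("intact:", repro_hash_check(build_repro_pe(SAMPLE_HASH, SAMPLE_TS))[2])
    print("timestamp patched:", repro_hash_check(build_repro_pe(SAMPLE_HASH, 0x12345678))[2])
```

A mismatch flags a timestamp or debug entry that was rewritten after linking; it does not prove the rest of the file is intact, since that needs the full hash recomputation the thread only alludes to.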