Conversation

As a malware analyst I sometimes receive Microsoft files which have been manipulated, e.g. infected by a virus and cleaned afterwards. Here are some indicators to recognize PE file manipulation. 🧵
You missed a really cool one: for the last 5 or so years all Microsoft binaries are built using /Brepro. This includes a SHA256 hash inside the file in a debug directory. I intended to write a blog post on this and publish a verifying tool, but kind of forgot about it.
For native files hash calculation is rather straightforward: twitter.com/sixtyvividtail. But for MSIL there are some caveats, depending on strong name signing mode (possibly a bug in the original implementation, which now has to persist).
Quote Tweet
Ever wondered how /bRepro "timestamps" for MSVC reproducible builds are generated? It's just the last 4 bytes of SHA256 over the binary file, with the following defaults:
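A checker for the property described above, written as an added example (not code from the thread or from either poster): it walks the PE debug directory, finds the /Brepro entry (IMAGE_DEBUG_TYPE_REPRO, type 16) and tests whether the COFF TimeDateStamp bytes equal the last 4 bytes of the stored hash. The blob layout (a DWORD length followed by the hash bytes) is assumed, and the input is a constructed minimal PE32+ image rather than a real Microsoft binary; recomputing the hash itself is out of scope since the defaults are not given here.

```python
import struct

IMAGE_DEBUG_TYPE_REPRO = 16  # debug directory type emitted for /Brepro builds

def check_repro(data):
    """Return (repro_hash, timestamp, consistent) or None if no repro entry."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, timestamp, opt_size = struct.unpack_from("<HI8xH", data, pe + 6)
    opt = pe + 24
    dd = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd + 6 * 8)  # entry 6 = DEBUG
    # section table entries as (VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<12xIII", data, opt + opt_size + 40 * i)
                for i in range(nsec)]
    for va, raw_size, raw_ptr in sections:
        if va <= dbg_rva < va + raw_size:
            base = dbg_rva - va + raw_ptr
            break
    else:
        return None
    for i in range(dbg_size // 28):  # IMAGE_DEBUG_DIRECTORY is 28 bytes
        typ, size, ptr = struct.unpack_from("<12xII4xI", data, base + 28 * i)
        if typ != IMAGE_DEBUG_TYPE_REPRO:
            continue
        # assumed blob layout: DWORD hash length followed by the SHA-256 bytes
        hash_len = struct.unpack_from("<I", data, ptr)[0]
        repro_hash = data[ptr + 4:ptr + 4 + hash_len]
        consistent = data[pe + 8:pe + 12] == repro_hash[-4:]  # COFF TimeDateStamp
        return repro_hash, timestamp, consistent
    return None

def build_sample_pe(repro_hash, timestamp):
    """Constructed minimal PE32+ (one section) carrying a repro debug entry."""
    blob = struct.pack("<I", len(repro_hash)) + repro_hash
    entry = struct.pack("<IIHHIIII", 0, timestamp, 0, 0, IMAGE_DEBUG_TYPE_REPRO,
                        len(blob), 0x1000 + 28, 0x200 + 28)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 6 * 8, 0x1000, 28)  # DEBUG directory
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x22)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", 64, 0x1000, 64, 0x200,
                          0, 0, 0, 0, 0x40000040)
    image = bytearray(0x200)
    image[:2], image[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    image[0x40:0x40 + 304] = b"PE\0\0" + coff + opt + section
    return bytes(image) + entry + blob
```

Running `check_repro` over a real binary reads the file with `open(path, "rb").read()`; a mismatch between the timestamp and the hash tail is one more sign that the header was rewritten after linking.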
Oh, neat, you should really put this on some searchable site. When I was looking for prior work on search engines there wasn't anything available besides useless articles that state the obvious ("there is a debug directory").