After writing the last post on bringing malware down to a manageable size for analysis, I got some good feedback on different ways to achieve the same results outside of using pecheck. In this post I’ll go over an alternative method that moves much faster than pecheck which was recommended (and loved) by @AndreGironda.
Foremost for the win
For this post I’m using the same 300 MB+ sample from VT: 218efc289854e3ef9086e9c3db36cf627d2171ceaece2c26085250c6203b31cd. In the last post we took extra steps to triage, so we’ll skip straight to extraction in this instance.
If you’ve never used foremost before, it’s an awesome forensic utility that allows you to carve different files from blobs of data. Two of the file types it supports are Windows Executables and DLLs. The best thing about this tool is that it moves extremely fast, which you can see in the output below.
1
2
3
4
5
6
7
8
9
10
11
12
13
remnux@remnux:~/cases/heavyweight$ time pecheck -g s -D GoogleDrive.exe > lighter_GoogleDrive.exe
real 0m40.663s
user 0m39.736s
sys 0m0.878s
remnux@remnux:~/cases/heavyweight$ time foremost -t exe -o o1 -i GoogleDrive.exe
Processing: GoogleDrive.exe
|****|
real 0m0.804s
user 0m0.616s
sys 0m0.171s
With the appropriate parameters, foremost cut a 300MB+ binary in less than a second where pecheck took about 40 seconds. After verifying file hashes, we even see that foremost achieved the same result as pecheck.
1
2
3
4
5
remnux@remnux:~/cases/heavyweight$ md5sum lighter_GoogleDrive.exe
5af35bc75c8c4697b34b5645bdbbd559 lighter_GoogleDrive.exe
remnux@remnux:~/cases/heavyweight$ md5sum o1/exe/00000000.exe
5af35bc75c8c4697b34b5645bdbbd559 o1/exe/00000000.exe
Files with multiple EXEs
To top things off, foremost even works quickly on files containing multiple executables such as this Ducktail sample I previously wrote about.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
remnux@remnux:~/cases/ducktail$ ls -lh ducktail.exe
-rw-rw-r-- 1 remnux remnux 54M Aug 7 21:14 ducktail.exe
remnux@remnux:~/cases/ducktail$ time foremost -t exe -o o1 -i ducktail.exe
Processing: ducktail.exe
|*|
real 0m0.146s
user 0m0.082s
sys 0m0.061s
remnux@remnux:~/cases/ducktail$ tree o1/
o1/
├── audit.txt
├── dll
│ ├── 00001107.dll
│ ├── 00002547.dll
...
│ ├── 00107210.dll
│ ├── 00108104.dll
│ └── 00108293.dll
└── exe
└── 00000000.exe
2 directories, 90 files
All in all, foremost is faster and probably my favorite method to carve EXEs/DLLs from data so far. Thanks for reading!