pe-carv.py - ASCII Hex and Overlays

Last month there was an interesting forum discussion on OpenRCE about carving and converting ASCII hex encoded executables to binary.
ASCII HEX Encoded Executable
We can see the start of the MZ header at offset 0x16: 'M' = 0x4d, 'Z' = 0x5a. This encoding technique is commonly used by malicious Microsoft documents (Excel, PowerPoint, etc.) to encode an executable payload. It can be a little annoying because the data has to be carved out manually and then converted from ASCII hex to binary. Along with a couple of other options, pe-carv.py has been updated to help carve out executables encoded as ASCII hex.

pe-carv.py
Usage: pe-carv.py [options] <carving.file>

Options:
  -h, --help            show this help message and exit
  -o OUTPUT, --output=OUTPUT
                        output file name
  -a, --ascii_blob      read as hex ascii blob
  -v, --verbose         print MZ location
  -l, --overlay         get overlay, default 1024 bytes
  -s SIZE, --size=SIZE  size of overlay

Quick overview. -o, --output names the output file. -a, --ascii_blob converts the whole file from ASCII hex to binary before carving (a pair that is not ASCII hex decodes to a ' ' byte). -v, --verbose prints the offset where each executable was found. -l, --overlay reads 1024 bytes beyond what pefile reports as the file size. -s, --size is used together with --overlay to set a custom overlay size. For example, say we have a binary file that contains an ASCII hex executable, an embedded (plain binary) executable and then another ASCII hex executable. The different encodings have to be handled separately.

pe-carv.py -o hello -v -a -l -s 10 test.bin
        * exe found at offset 0xb
        * exe found at offset 0x8ed83
dir

03/09/2013  10:52 PM    <DIR>          .
03/09/2013  10:52 PM    <DIR>          ..
03/09/2013  10:52 PM           525,834 hello-1.exe
03/09/2013  10:52 PM           525,834 hello-2.exe
03/09/2013  10:17 PM             5,483 pe-carv.py
03/09/2013  10:17 PM         2,270,982 test.bin

-o hello is the output file name; a counter is appended in case multiple files are carved. -v (verbose) shows where the files are located. -a treats the input as an ASCII hex blob. -l grabs the overlay, here with a size of 10 bytes as set by -s 10 (an integer), followed by the input file name. -a is a little slower than the other options, because the file is read and converted two bytes at a time, which is not the most efficient way. Now for a simple example of grabbing an embedded executable with no options.

pe-carv.py test.bin
dir

03/09/2013  10:57 PM    <DIR>          .
03/09/2013  10:57 PM    <DIR>          ..
03/09/2013  10:57 PM            69,120 1.exe
03/09/2013  10:17 PM             5,483 pe-carv.py
03/09/2013  10:17 PM         2,270,982 test.bin
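As an added example (not pe-carv.py's own code), the steps the tool automates: decode the ASCII hex two characters at a time, locate each MZ header, size the image from its section table (the basis of what pefile reports as the end of the file) and read the bytes beyond it as the overlay. The input blob is constructed inline, so pefile is not needed to run it.

```python
import re, struct

def ascii_hex_to_bin(data: bytes) -> bytes:
    """Decode an ASCII-hex blob two characters at a time from offset 0; a pair
    that is not valid hex becomes a space byte, as pe-carv.py's -a does."""
    out = bytearray()
    for i in range(0, len(data) - 1, 2):
        pair = data[i:i + 2]
        out.append(int(pair, 16) if re.fullmatch(rb"[0-9a-fA-F]{2}", pair) else 0x20)
    return bytes(out)

def pe_image_size(buf: bytes, mz: int):
    """On-disk size of the PE whose 'MZ' is at buf[mz]: the far end of the
    section table (max PointerToRawData + SizeOfRawData), or the end of the
    headers if larger. Returns None when the headers are not a PE."""
    try:
        pe = mz + struct.unpack_from("<I", buf, mz + 0x3C)[0]        # e_lfanew
        if buf[pe:pe + 4] != b"PE\0\0":
            return None
        nsec, opt_size = struct.unpack_from("<H12xH", buf, pe + 6)  # NumberOfSections, SizeOfOptionalHeader
        sect = pe + 24 + opt_size                                    # first IMAGE_SECTION_HEADER
        end = sect + 40 * nsec - mz
        for i in range(nsec):
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        return end
    except struct.error:                                             # header runs past the buffer
        return None

def carve(buf: bytes, overlay_size: int = 1024):
    """[(offset, image, overlay)] for every 'MZ' leading to a valid PE header; a truncated image is clipped."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        size = pe_image_size(buf, pos)
        if size:
            end = min(pos + size, len(buf))
            found.append((pos, buf[pos:end], buf[end:end + overlay_size]))
        pos = buf.find(b"MZ", pos + 2)
    return found

def build_sample_blob() -> bytes:
    """Constructed input: junk, then a minimal one-section PE plus 16 overlay
    bytes, all ASCII-hex encoded the way a malicious document might carry it."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                       # PE32 magic, rest zeroed
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x10, 0x200, 0, 0, 0, 0, 0x60000020)
    image = (dos + coff + opt + sect).ljust(0x200, b"\0") + b"\xC3" * 16  # raw data at 0x200
    return b"junk\r\n" + (image + b"OVERLAY-16-BYTES").hex().encode()
```

With the constructed blob, `carve(ascii_hex_to_bin(build_sample_blob()), overlay_size=10)` reports one executable at decoded offset 3 with a 528-byte image and the first 10 overlay bytes.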

 If there are any suggestions or feedback please shoot me an email. My email address is in the code. Please download the code from the repo.

BitBucket Repo - LINK

Thank you gN3mes1s, legola, anonymouse and others on OpenRCE.
