Tuesday, August 4, 2020

Recent Reverse Engineering open source tools for Windows exe and dlls for malware/virus analysis

Let's back up a bit, what is a exe? 

.Exe is a common filename extension denoting an executable file (the main execution point of a computer program) for Microsoft Windows. The Portable Executable (PE) format is a file format for executables (exe), object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems.

How is exe created? 

Compilers take C/C++/C#/Python code and compile it into the PE format, which is not very human friendly to read. 

Why infect it? 

A computer virus is software usually hidden within another seemingly innocuous program that can produce copies of itself and insert them into other programs or files, and that usually performs a harmful action (such as destroying data). An example of this is a PE infection, a technique, usually used to spread malware, that inserts extra data or executable code into PE files. 

The PE Format Specification

Portable Executable (PE) format is a specification describes the structure of executable (exe) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) and Common Object File Format (COFF) files, respectively. 

Source : http://dandylife.net/blog/archives/date/2015/02/page/2

An Exe opened in a Hex Editor

How to reverse engineer exe? 

Some recent PE Reverse Engineering Tools of note; 

  • PE-bear is a freeware reversing tool for PE files.  Its objective was to deliver fast and flexible “first view” tool for malware analysts, stable and capable to handle malformed PE files. The PE-bear’s  parser is open  source: https://github.com/hasherezade/bearparser (works for windows and linux). It comes with a command-line tool (bearcommander).  For windows requires Microsoft Visual C++ 2010 Redistributable Package. 

  • BlackBerry, PE Tree's https://github.com/blackberry/pe_tree , but requires Python to run.

Thursday, July 30, 2020

Phishing Email - Shopper's Drug Mart Customers Day

For the record, this is a Shopper's Drug Mart phishing email attempt that is recently going around.  What to do?  Report them, goto bottom of page.

From : Shoppers Drug Mart <###christophep@cpixxi.com>

Subject :  Shoppers Day Mart Customers!


1. http://u9779008.ct.sendgrid.net/............

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have recievied this email take further 

  1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Wednesday, July 29, 2020

How to Delete Microsoft Edge Crash Reports (.dmp) Files

How to Delete Microsoft Edge Crash Reports (.dmp) Files

.dmp file hole
MS Edge .dmp hole

This post will deal with Microsoft Edge Crash Reports (.dmp) Files which get generated when Edge crashed and this report is generated and sent to Microsoft. 

BTW You can turn off that feature in Settings, search for "crash reports", and you get the following setting. A restart is required of the browser to take effect.

d data about how you use the browser

Microsoft Edge Crash Reports (.dmp) Files are generate in the following directory 

%HOMEPATH%\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports

These file are about 504Kb in size, but are not being cleanup. The good news is that these files can be analyze and viewed using WinDbg, check the following links; 

  • https://support.microsoft.com/en-us/help/315263/how-to-read-the-small-memory-dump-file-that-is-created-by-windows-if-a
  • https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

A deep discussion of these files is located at the Chromium Dev Group discussion, see

Here's how to do some spring cleaning of your Microsoft Edge Crash Reports (.dmp) Files.

DMP files are generated in following directory

%HOMEPATH%\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports

Copy and paste following batch file code and save it with .bat extension, and run it from a command line. 

REM Removing Microsoft Edge Crash Reports (.dmp) Files in a Batch Program
REM Wed 29-Jul-20 1:52pm MetadataConsulting.ca
REM /P  Prompts for confirmation before deleting each file.
REM /F  Force deleting of read-only files.
REM /S  Delete specified files from all subdirectories.
REM /Q  Quiet mode, do not ask if ok to delete on global wildcard
REM /A  Selects files to delete based on attributes
REM attributes  R Read-only files S System files H Hidden files A Files ready for archiving - Prefix meaning not
echo. Begin Edge Crash Reports (.dmp) Delete
cd "%HOMEPATH%\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports"
DEL /F /S /Q *.dmp
echo. End *.DMP Delete