OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Created: Monday, June 16 2008 01:56.40 CDT
Reverse Engineer a malicious GIF attachment
Author: danielf184
Views: 2617
I received an image attachment and want to analyze whether it is a malicious attachment or not. A long time ago I read about YAB (Yet Another Binder) and made some simple tests using that software, which attaches an image or any legitimate program to malicious code, so I am afraid that I received that kind of attachment. That is why I want anybody who can help me to analyze the attachment before I open it, or at least for someone to tell me about open software that can help analyze an image before I open it.
cheersssss
Horizon
Blog Comments
Sellmi
Posted: Monday, June 16 2008 03:29.11 CDT
>>Yet Another Binder ...that attaches an image
yup, but then it is STILL an exe with a gif icon, and when you double-click it, it will execute your backdoor AND the gif.
GynvaelColdwind
Posted: Monday, June 16 2008 03:48.58 CDT
As Sellami said - first check if it's an EXE file (first 2 bytes == MZ) or a GIF file (first 3 bytes == GIF). (If you know that, please ignore this line ;p I mean no disrespect ;>)
If the former - it's a simple case - if it pretends to be a GIF, then it's malware ;p
If the latter:
1) faster version - check if there is some shellcode-looking thing in a hex editor
2) download the GIF standard and check each field's value - how much does it differ from what the standard says it has to be
The best places to check would be:
a) chunk sizes (larger than what the standard says they have to be)
b) some bug in the compressed data (for example, the max information chunk size is 12 bits in GIF, however it is technically possible to set the size larger - there were some buffer overflows regarding this - for example in SDL_image)
c) picture coordinates on the canvas (the GIF contains one canvas and a series of pictures - the pictures technically can be larger than the canvas or placed beyond it - on a wrong implementation it's a boundary condition error vuln.)
etc...
If it's something from the above - it's interesting then, because the attachment has to target one specific application. It would be interesting to see which application.
My guess is that it's a spam message in a GIF :DDD
As for software that would help you - get some GIF loader implementation and play with it to output data (I've used the SDL_image GIF loader for it, it can be modified with ease).
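A triage checker for the steps above (MZ vs GIF magic first, then the GIF fields against the standard: image placement versus the canvas, zero sizes, the LZW code-size limit, sub-block chains that run off the end of the file), as an added Python example that is not part of this thread; the make_gif helper and the sample bytes it builds are constructed here for illustration:

```python
import struct

def triage_image(data):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    if data[:2] == b"MZ":
        return ["PE executable (MZ header), not an image"]
    if data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        return ["no GIF87a/GIF89a signature"]
    width, height, flags = struct.unpack_from("<HHB", data, 6)
    pos = 13                                 # header + logical screen descriptor
    if flags & 0x80:                         # global colour table present
        pos += 3 * (2 << (flags & 7))

    def skip_sub_blocks(p):                  # size-prefixed blocks, 0x00 terminator
        while p < len(data) and data[p]:
            p += data[p] + 1
        if p >= len(data):
            raise ValueError("sub-block chain runs past end of file")
        return p + 1

    try:
        while data[pos] != 0x3B:             # until trailer ';'
            if data[pos] == 0x21:            # extension introducer '!'
                label, pos = data[pos + 1], pos + 2
                if label in (0x01, 0xFF):    # plain text / application: fixed header first
                    pos += data[pos] + 1
                pos = skip_sub_blocks(pos)
            elif data[pos] == 0x2C:          # image descriptor ','
                l, t, w, h, f = struct.unpack_from("<HHHHB", data, pos + 1)
                if w == 0 or h == 0:
                    findings.append("zero-sized image %dx%d" % (w, h))
                if l + w > width or t + h > height:
                    findings.append("image %dx%d at (%d,%d) exceeds %dx%d canvas"
                                    % (w, h, l, t, width, height))
                pos += 10
                if f & 0x80:                 # local colour table
                    pos += 3 * (2 << (f & 7))
                if data[pos] > 11:           # codes would exceed the 12-bit LZW limit
                    findings.append("LZW minimum code size %d needs >12-bit codes" % data[pos])
                pos = skip_sub_blocks(pos + 1)
            else:
                findings.append("unknown block id 0x%02x at offset %d" % (data[pos], pos))
                break
    except (IndexError, ValueError, struct.error) as exc:
        findings.append("truncated or malformed: %s" % exc)
    return findings

def make_gif(left, top, w, h, min_code):
    """Constructed sample: 4x4 canvas, 2-colour global table, one image."""
    return (b"GIF89a" + struct.pack("<HHBBB", 4, 4, 0x80, 0, 0) + b"\0\0\0\xff\xff\xff"
            + b"\x2c" + struct.pack("<HHHHB", left, top, w, h, 0)
            + bytes([min_code]) + b"\x02\x44\x01\x00" + b"\x3b")
```

Run it on a file with `triage_image(open(path, "rb").read())`; a non-empty list means the file needs a closer look in a hex editor, not that it is certainly hostile.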
sovietskicpu
Posted: Monday, June 16 2008 15:45.39 CDT
Here is some Pascal code I made some year(s) ago, maybe it can help you :p
PS : GynvaelColdwind hello ;)
Function ScanMSGifExploit(Const Buffer : PChar; Const BufferSize : DWORD) : Boolean;
Type
  TGIFHeader = Packed Record
    Signature : Array[0..2] of BYTE;   // magic ID 'GIF'
    Version   : Array[0..2] of BYTE;   // '87a' or '89a'
  end;
  PGIFHeader = ^TGIFHeader;
  TLogicalScreenDescriptor = Packed Record
    ScreenWidth          : WORD;
    ScreenHeight         : WORD;
    PackedFields         : BYTE;
    BackgroundColorIndex : BYTE;
    AspectRatio          : BYTE;
  end;
  PLogicalScreenDescriptor = ^TLogicalScreenDescriptor;
  TImageDescriptor = Packed Record
    Separator    : BYTE;
    Left         : WORD;
    Top          : WORD;
    Width        : WORD;
    Height       : WORD;
    PackedFields : BYTE;
  end;
  PImageDescriptor = ^TImageDescriptor;
Const
  GIF_GLOBALCOLORTABLE        = $80;
  GIF_COLORTABLESIZE          = $07;
  GIF_PLAINTEXT               = $01;
  GIF_GRAPHICCONTROLEXTENSION = $F9;
  GIF_COMMENTEXTENSION        = $FE;
  GIF_APPLICATIONEXTENSION    = $FF;
  GIF_IMAGEDESCRIPTOR         = Ord(',');
  GIF_EXTENSIONINTRODUCER     = Ord('!');
  GIF_TRAILER                 = Ord(';');
  GIF_HEADER_SIZE = SizeOf(TGIFHeader) + SizeOf(TLogicalScreenDescriptor);

  // Skip a chain of data sub-blocks (size byte + data ... $00 terminator).
  // Returns Nil if the chain runs past Limit.
  Function SkipSubBlocks(P : PChar; Const Limit : NativeUInt) : PChar;
  begin
    Result := Nil;
    While NativeUInt(P) < Limit do
    begin
      if BYTE(P^) = 0 then
      begin
        Result := P + 1;
        Exit;
      end;
      Inc(P, BYTE(P^) + 1);
    end;
  end;

  // Walk extension blocks until the image descriptor (',') or trailer (';').
  // Returns Nil if a block is unknown or runs past Limit.
  Function IterateBlock(GifBlockID : PChar; Const Limit : NativeUInt) : PChar;
  begin
    Result := Nil;
    While (NativeUInt(GifBlockID) < Limit) AND
          (BYTE(GifBlockID^) <> GIF_IMAGEDESCRIPTOR) AND
          (BYTE(GifBlockID^) <> GIF_TRAILER) do
    begin
      if BYTE(GifBlockID^) <> GIF_EXTENSIONINTRODUCER then Exit;
      Inc(GifBlockID);                                   // now at the extension label
      if NativeUInt(GifBlockID) >= Limit then Exit;
      Case BYTE(GifBlockID^) of
        GIF_PLAINTEXT, GIF_APPLICATIONEXTENSION :
          begin                                          // fixed-size header block, then sub-blocks
            Inc(GifBlockID);
            if NativeUInt(GifBlockID) >= Limit then Exit;
            Inc(GifBlockID, BYTE(GifBlockID^) + 1);
            GifBlockID := SkipSubBlocks(GifBlockID, Limit);
          end;
        GIF_GRAPHICCONTROLEXTENSION, GIF_COMMENTEXTENSION :
          GifBlockID := SkipSubBlocks(GifBlockID + 1, Limit);
      else
        Exit;                                            // unknown extension label
      end;
      if GifBlockID = Nil then Exit;
    end;
    if NativeUInt(GifBlockID) < Limit then Result := GifBlockID;
  end;

Var
  P     : PChar;
  Limit : NativeUInt;   // pointer-sized so the casts also hold on 64-bit
begin
  Result := False;
  if (Buffer = Nil) OR (BufferSize <= GIF_HEADER_SIZE * 4) then Exit;
  // The original post elided this check; the natural candidate is the 'GIF' magic.
  if (Buffer[0] <> 'G') OR (Buffer[1] <> 'I') OR (Buffer[2] <> 'F') then Exit;
  Limit := NativeUInt(Buffer) + BufferSize;
  P := Buffer + SizeOf(TGIFHeader);                      // logical screen descriptor
  // From here on any failed check means "suspicious": Result stays True
  // unless the walk reaches a sane image descriptor.
  Result := True;
  if PLogicalScreenDescriptor(P)^.ScreenWidth = 0 then Exit;
  if (PLogicalScreenDescriptor(P)^.PackedFields AND GIF_GLOBALCOLORTABLE) <> 0 then
    Inc(P, 3 * (1 SHL ((PLogicalScreenDescriptor(P)^.PackedFields AND GIF_COLORTABLESIZE) + 1)));
  Inc(P, SizeOf(TLogicalScreenDescriptor));
  if NativeUInt(P) >= Limit then Exit;
  P := IterateBlock(P, Limit);
  if (P = Nil) OR (BYTE(P^) <> GIF_IMAGEDESCRIPTOR) then Exit;
  if NativeUInt(P) + SizeOf(TImageDescriptor) > Limit then Exit;
  if (PImageDescriptor(P)^.Width = 0) OR (PImageDescriptor(P)^.Height = 0) then Exit;
  Result := False;
end;
GynvaelColdwind
Posted: Monday, June 16 2008 17:00.12 CDT
Woah pascal.. hardcore ;D
PS. sovietskicpu hiii ;>