Analysis of (unknown) file formats
•
1 like•647 views
This document provides an analysis of various file formats. It discusses how file formats can be structured, compressed, encrypted or a combination. File formats are also categorized as being open, proprietary, or generalized container formats. The document outlines why analyzing file formats is important for anti-virus protection, computer forensics, software development and more. It describes how to analyze file formats through specifications, reverse engineering, and observation. Tips are provided for coding unpackers and validators including security risks, practical problems, and using core libraries.
Analysis of (unknown) file formats
- 1. ANALYSIS OF (UNKNOWN) FILE FORMATS 22nd September 2011 Mario Suvajac
- 3. FILE FORMATS http://www.tripleman.com/index.php?showimage=6
- 4. FILE FORMATS • Structured information storage/carriers – Compressed – Encrypted – All of the above
- 6. CATEGORIZATION • Availability – Open – Proprietary • Different for each information type or contained in generalized container format • Executables, archives...
- 7. Resources Overlay* UPX Overlay 1.25 Data1.cab Setup.ibt LZsetup.ibt*.* Data1.hdr Engine32.cab Layout.bin Engine32.cab Setup.exe Engine32*.* Setup.ibt Unpacked Setup.ini Setup.inx File N PE32
- 8. WHY IS ANALYSIS IMPORTANT? http://www.flickr.com/photos/marodesu/5932256377
- 9. WHY IS ANALYSIS IMPORTANT? • Writing unpackers & validators – Anti-virus protection – Computer forensics – General software development – ...
- 10. HOW TO DO IT? http://www.flickr.com/photos/karenilagan/2163284814
- 11. HOW TO DO IT? • Specifications • Reverse Engineering • Asking Please
- 13. FILE FORMAT PATTERNS • File header – Magic – Sizes – Offsets – Algorithm ids – Block descriptors – ... • Data
- 14. ZIP FILE FORMAT
- 15. Reverse engineering http://www.tripleman.com/index.php?showimage=520
- 16. BY Just Observing • Experience based • Hex editor • Diffing’
- 17. BY Debugging • Watching reads & further data manipulation • Compression & encryption algorithms reversing
- 19. CODING TIPS • Security risks • Problems in practice • corelib