Wednesday, July 4, 2007

Exporting Program Icons EnScript

One of the other techniques I often use when looking for malware, hacking tools and other signs of malfeasance is to examine the program icons in various programs. Icons are embedded inside the executable file itself. Not all executables have icons, but when one does, the icon it carries can indicate that something is wrong. For example:

You locate a file named svchost.exe and it does not match any hash set that you have. You scan it with anti-virus and nothing is detected. You export the file and see the following:

Obviously something is not right. Recognizing an icon like this is an easy way to identify problems. Now, there are other ways to probe a file and determine its purpose, but I wrote this script to kick out all the icons in selected (blue checked) executables so I could quickly visually scan them (low-hanging fruit). If the executable does not have an embedded icon, then nothing is exported.

Additionally, this could have some very interesting applications if you create a hash set of just icons. Then, regardless of the file's own hash, by extracting and hashing the icon you could possibly identify a file by its icon alone. This possibly negates the problem of differing hashes caused by different versions of the file, or by the file having been altered, packed or compressed with a runtime packer, any of which changes the file's hash.

To install, just copy the EnScript to your EnCase EnScript directory and then double click. It will ONLY process files that are selected (blue checked); it skips files that are selected but are not EXEs. All icons of selected executables are exported to your default export folder in .ico format so you can set your Windows Explorer folder view to thumbnails and view them quickly.
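The icon export and icon-hashing idea described above, as an added Python example (not the EnScript from this post): it walks a PE file's resource directory, rebuilds each RT_GROUP_ICON together with its RT_ICON images into a standalone .ico, and hashes the result so the icon can be matched against an icon hash set regardless of the executable's own hash. The function names are this example's own, and it assumes well-formed headers with numeric (not string) resource IDs.

```python
import hashlib
import struct
RT_ICON, RT_GROUP_ICON = 3, 14  # PE resource type IDs for icon images and icon groups
def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def _resource_table(pe):
    # Locate the resource data directory and build an RVA -> file-offset mapper.
    pe_hdr = _u32(pe, 0x3C)                                   # e_lfanew
    opt, nsec, opt_size = pe_hdr + 24, _u16(pe, pe_hdr + 6), _u16(pe, pe_hdr + 20)
    dirs = opt + (96 if _u16(pe, opt) == 0x10B else 112)     # PE32 vs PE32+ layout
    secs = [(_u32(pe, s + 12), _u32(pe, s + 16), _u32(pe, s + 20))  # VA, raw size, raw ptr
            for s in range(opt + opt_size, opt + opt_size + 40 * nsec, 40)]
    def rva2off(rva):
        for va, raw_size, raw_ptr in secs:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError("RVA %#x is outside every section" % rva)
    return rva2off(_u32(pe, dirs + 2 * 8)), rva2off          # directory 2 = resources

def _leaves(pe, base, off=0, path=()):
    # Walk the type/name/language tree; yield ((type, name, lang), data RVA, size).
    count = _u16(pe, base + off + 12) + _u16(pe, base + off + 14)
    for e in range(base + off + 16, base + off + 16 + 8 * count, 8):
        name, target = _u32(pe, e), _u32(pe, e + 4)
        if target & 0x80000000:                               # high bit: subdirectory
            yield from _leaves(pe, base, target & 0x7FFFFFFF, path + (name,))
        else:                                                 # IMAGE_RESOURCE_DATA_ENTRY
            yield path + (name,), _u32(pe, base + target), _u32(pe, base + target + 4)

def extract_icons(pe):
    # Rebuild every RT_GROUP_ICON as a stand-alone .ico; returns {group id: bytes}.
    base, rva2off = _resource_table(pe)
    leaves = [(p, pe[rva2off(rva):rva2off(rva) + sz]) for p, rva, sz in _leaves(pe, base)]
    images = {n: data for (t, n, _l), data in leaves if t == RT_ICON}
    icons = {}
    for (t, group, _l), grp in leaves:
        if t != RT_GROUP_ICON:
            continue
        n = _u16(grp, 4)                                      # GRPICONDIR.idCount
        ico, body = bytearray(grp[:6]), b""                   # ICONDIR shares the 6-byte header
        for i in range(n):
            ent = grp[6 + 14 * i:6 + 14 * i + 14]             # 14-byte GRPICONDIRENTRY
            img = images[_u16(ent, 12)]                       # nID -> RT_ICON image data
            ico += ent[:12] + struct.pack("<I", 6 + 16 * n + len(body))  # ICONDIRENTRY
            body += img
        icons[group] = bytes(ico) + body
    return icons

def icon_hashes(pe):  # hash each rebuilt icon for matching against an icon hash set
    return {g: hashlib.sha256(ico).hexdigest() for g, ico in extract_icons(pe).items()}
```

Feed it the bytes of an exported executable; each value returned by extract_icons can be written straight to a .ico file, and icon_hashes gives the per-icon digests for a hash set.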

Download Here


Computer Forensics, Malware Analysis & Digital Investigations