[1] Right-click any suspicious tool. If you have WinRAR installed and the context menu shows "Open with WinRAR", the tool was bound with WinRAR, so it is backdoored.
[2] Open it with a resource editor such as Resource Hacker, Restorator or PE Explorer and check the RCDATA section; if there are entries named 1 and 2 in it, then it is bound.
[3] Open it with a hex editor. At the start of a PE file there is always the line "This program cannot be run in DOS mode"; search for it, and if it occurs more than once the file might be bound. This depends on the specific app: for example, it is not unusual for binders/crypters to keep their stub file in the resources. Also search for ".exe" and inspect the results. A bound file drops its payload files to a temp folder before executing them, so if you find something like `%.t.e.m.p.%.\.x.x...e.x.e` (a UTF-16 string, which a hex editor shows with a null byte after every character) or file1.exe/file2.exe, then it is bound.
[4] Run it in Sandboxie. When a file is executed in Sandboxie it is isolated (it cannot access your files or registry). First click the Sandboxie tray icon to open its window, then right-click the file and click "Run with Sandboxie".
If you see another process name in the Sandboxie window, then it is probably backdoored (this does not include Sandboxie's RpcSs/DcomLaunch processes; those are legitimate and needed for some programs).
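The hex-editor checks in [3] (and the WinRAR check in [1]) can be scripted for triage. The following Python scanner is an added example, not code from the original post: it counts the DOS-stub string, looks for `%temp%` and `.exe` references in both ANSI and UTF-16LE (the dotted `%.t.e.m.p.%` form from [3] is UTF-16LE), and, going one step beyond the post, also looks for the RAR marker bytes `Rar!\x1a\x07` that a WinRAR self-extracting stub carries, which is why such a file shows "Open with WinRAR". The sample byte strings are constructed here to stand in for a clean and a bound executable; all function names are my own.

```python
"""Scan a Windows executable for binder indicators: repeated DOS-stub strings
(an embedded second PE), ANSI/UTF-16LE references to %TEMP% or .exe names,
and an embedded RAR archive. Added example; names and samples are assumptions."""
import sys
from typing import Dict, Iterator, List, Tuple

DOS_STUB = b"This program cannot be run in DOS mode"
RAR_MAGIC = b"Rar!\x1a\x07"        # RAR4 marker ends ..\x00, RAR5 ..\x01\x00
NEEDLES = [b"%temp%", b".exe"]    # searched case-insensitively, ANSI and UTF-16LE


def utf16le(s: bytes) -> bytes:
    """Encode ASCII bytes as UTF-16LE: a NUL after every character."""
    return s.decode("ascii").encode("utf-16-le")


def _printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def _positions(haystack: bytes, needle: bytes) -> Iterator[int]:
    """All (possibly overlapping) offsets of needle in haystack."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def _extract_ansi(data: bytes, pos: int, end: int) -> str:
    """Grow a match outward to the surrounding run of printable ASCII."""
    while pos > 0 and _printable(data[pos - 1]):
        pos -= 1
    while end < len(data) and _printable(data[end]):
        end += 1
    return data[pos:end].decode("ascii")


def _extract_utf16(data: bytes, pos: int, end: int) -> str:
    """Same idea, but in 2-byte steps over (printable, 0x00) pairs."""
    while pos >= 2 and _printable(data[pos - 2]) and data[pos - 1] == 0:
        pos -= 2
    while end + 1 < len(data) and _printable(data[end]) and data[end + 1] == 0:
        end += 2
    return data[pos:end].decode("utf-16-le")


def find_strings(data: bytes, needle: bytes) -> List[Tuple[str, str]]:
    """Every distinct string containing needle, tagged 'ansi' or 'utf16'."""
    lowered = data.lower()          # bytes.lower() only folds ASCII letters
    found = set()
    for pos in _positions(lowered, needle):
        found.add(("ansi", _extract_ansi(data, pos, pos + len(needle))))
    wide = utf16le(needle)
    for pos in _positions(lowered, wide):
        found.add(("utf16", _extract_utf16(data, pos, pos + len(wide))))
    return sorted(found)


def scan(data: bytes) -> Dict[str, object]:
    return {
        "dos_stub_count": data.count(DOS_STUB),
        "rar_archive": RAR_MAGIC in data,
        "strings": {n.decode(): find_strings(data, n) for n in NEEDLES},
    }


def reasons(report: Dict[str, object]) -> List[str]:
    """Why the file looks bound; an empty list means no indicator fired."""
    out = []
    if report["dos_stub_count"] > 1:
        out.append(f"DOS stub string appears {report['dos_stub_count']} times")
    if report["rar_archive"]:
        out.append("RAR archive signature embedded in the executable")
    if report["strings"]["%temp%"]:
        out.append("reference to a %TEMP% path")
    exe_names = {s for _, s in report["strings"][".exe"]}
    if len(exe_names) > 1:
        out.append(f"{len(exe_names)} distinct .exe references: {sorted(exe_names)}")
    return out


def _fake_pe(extra: bytes = b"") -> bytes:
    """Constructed stand-in for a PE: MZ header, DOS stub, one name, then extra."""
    return (b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\r\n$" + b"\x00" * 32
            + b"tool.exe\x00" + b"\x00" * 16 + extra)


CLEAN_SAMPLE = _fake_pe()
# Constructed bound sample: a UTF-16LE %TEMP% drop path, then a second PE appended.
BOUND_SAMPLE = _fake_pe(utf16le(b"%TEMP%\\xx.exe") + b"\x00\x00" + _fake_pe())

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BOUND_SAMPLE
    for line in reasons(scan(data)) or ["no binder indicators found"]:
        print(line)
```

Run it as `python scan_binder.py suspicious.exe`; with no argument it scans the constructed bound sample. As the post says, a `.exe` hit on its own is normal (most programs mention their own name), so the indicator list only fires on more than one distinct name, on a `%TEMP%` path, on a repeated DOS stub, or on an embedded RAR archive; treat any hit as a reason to do the resource-editor and Sandboxie checks in [2] and [4], not as a verdict.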