Thursday, August 8, 2013

Tool release: MagicNumber Scanner v1.0

Hello everybody,

As you may know, for certain activities in Reversing -like malware analysis- require a lot of tasks that can be automated using scripting languages and a big question comes here: "How I can do it? How it works?". In order to try to find an answer to those questions I decided to start exploring in how to use Ruby from the "binary" perspective.

There are a lot of different ways to deal with binary data, in this case I found that the simple "File" method can do the job. One important thing here is that you should "open" such file in read-only AND binary mode, otherwise you will get a lot of bad stuff, in terms of processing the right data.

As a result of this little research I wrote a tool called: "MagicNumber Scanner v1.0" which is basically a tool that receive as input a file and try to identify the file-type based on file signatures or in other words, the "Magic numbers".

I didn't try to reinvent the wheel, since you can use the "file" *nix/linux command actually, but in this case I am adding a little bit more of information like the generated URL based on the file-extension that you can visit if you have any doubt about what the file is, what program you can use to open it, and so on.

Below some screen captures:

Screenshot #1: Results when scanning an EXE file


Here we have a second case in where I arbitrarily renamed a file from .gif to .zip, and the tool shows how the magic-number detection identify that the real file-type is in fact a GIF file.

Screenshot #2: Results when scanning a fake ZIP file (originally is a GIF file)


Features:
  • Magic-number scanning based on a simple signature list.
  • Automatically generates a URL with the identified extension pointing to the http://filext.com/ website. (e.g. http://filext.com/file-extension/EXE)
TODO:

  • Generation of HTML report that shows more information about the file extension.
I had great time researching how to do such *things* in Ruby, I did it the same in the past and I really liked as well, but is always good how to do it using different languages.

I would recommend you to download the code and see what I did, try to replicate the same but with other purpose. Remember, the sky is the limit.

How to install:

From git, or you can download the .rb file from here, or the .exe version from here.

If you find any bugs, let me know. 

...and like Jason Hawes from TAPS/GhostHunters says: Onto the next. 

Thanks! ]¬)

2 comments:

  1. Interesante esto de los Magic Numbers, vamos a probar tu tool :) saludos Chr1x

    ReplyDelete