Detect executable format using Python

In this article, I am sharing with you a small Python script that lets you detect if a file is an executable file and what platform the executable is targeting.

The following formats for 32 bits and 64bits processors are supported:

  • Mach-O files: both regular and universal formats
  • Windows PE files
  • Linux ELF files

The script

#---------------------------------------------------------------------
EXEFLAG_NONE        = 0x0000
EXEFLAG_LINUX       = 0x0001
EXEFLAG_WINDOWS     = 0x0002
EXEFLAG_MACOS       = 0x0004
EXEFLAG_MACOS_FAT   = 0x0008
EXEFLAG_32BITS      = 0x0010
EXEFLAG_64BITS      = 0x0020

# Keep signatures sorted by size
_EXE_SIGNATURES = (
    ("\x4D\x5A", EXEFLAG_WINDOWS),
    ("\xCE\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_32BITS),
    ("\xCF\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_64BITS),
    ("\xBE\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_32BITS | EXEFLAG_MACOS_FAT),
    ("\xBF\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_64BITS | EXEFLAG_MACOS_FAT),
    ("\x7F\x45\x4C\x46\x01", EXEFLAG_LINUX | EXEFLAG_32BITS),
    ("\x7F\x45\x4C\x46\x02", EXEFLAG_LINUX | EXEFLAG_64BITS)
)

def get_exeflags(filepath):
    try:
        with open(filepath, "rb") as f:
            buf = ""
            buf_len = 0
            for sig, flags in _EXE_SIGNATURES:
                sig_len = len(sig)
                if buf_len < sig_len:
                    buf += f.read(sig_len - buf_len)
                    buf_len = sig_len

                if buf == sig:
                    return flags
    except:
        pass

    return EXEFLAG_NONE

Continue reading

7 DLL injection techniques in Microsoft Windows

In this article, I am going to list half a dozen DLL injection techniques that can be used by a user mode process running on MS Windows. There could be more techniques but I am sharing with you the techniques that I had first hand experience with.

1. AppInit_DLLs

People used to rely on the AppInit_DLLs registry key. The OS loader queries this value and loads the DLLs specified there when a process is created. I have not used this technique in a long while (last time I used it was on Windows XP) and I heard it is now restricted or discontinued because it was widely used by malware.

2. SetWindowsHookEx API

The SetWindowsHookEx API installs an application-defined hook procedure into a given hook chain. There are various supported hook chains (CBT, Journal, Window messages, keyboard, mouse, etc).

When using the SetWindowsHookEx API, you are instructing the operating system to inject your custom hook DLL into other process where it is relevant. The Windows hooks work when the other processes import / use functionality from USER32.dll.

Continue reading

Microsoft Surface Studio – A cool All-in-one computer but what’s with 6:18?

During the October 2016 Microsoft event, Microsoft announced the Surface Studio all-in-one computer and I really like it! Good job Microsoft!

flower separator

flower separator

But…I could not help but notice the time and the date on the screen poster to be 6:18 (which is also Saturday, June 18th, 2016)…

 

six-eighteensix-eighteen-2

Any thoughts?

flower separator

 

You might also like:

 

 

Batchography: Changing the MAC address on Windows – A free Batch script

batchography-good-resIn a previous post entitled “How to get unlimited free Internet at Airports“, I showed you how to circumvent the time limit imposed by the “free” Wi-Fi connections in certain airports.

For that trick to work, you were required to update the MAC address of your computer each time the free time is over.

In this blog post, I am going to share with you the ChangeMACAddressBatch script that I wrote with the help and instructions from the excellent Batchography book.

The script makes use of various recipes illustrated in the Batchography book (in Chapter 4) and uses the various Batch scripting language syntax (Chapters 1 and 2) and methodologies (Chapter 3). Therefore, I will not be explaining the script’s contents or how it works because it will become evident if you read the Batchography book.

flower separator

Get the book from Amazon:

  • Paperback editionbtn-buy-on-amazon
  • E-book editionbtn-buy-on-amazon

flower separator

How to use the script interactively

To begin with, you need to run the script with administrative privileges.

Running the script as an administrator


On Windows 8 and above, just press Win+X and choose “Command Prompt (Admin)” like this:

chg-mac-run-elevated-command-prompt

Otherwise, if you are using the Windows Explorer window, then right-click on your script and choose “Run as Administrator”:

chg-mac-run-as-admin

Starting the script

When you first run the script, you will be presented with the main menu that will show you a list of all the adapters you have on your system.

On my laptop for instance, I have 4 adapters:

  • An Ethernet adapter
  • 2 x VMWare virtual adapters
  • A Wi-Fi adapter

Using the keyboard, type the adapter number that you want to inspect and/or change its MAC address:

chg-mac-main-menu

Let’s press “4” in this case and go inside that adapter’s information screen. Continue reading