Windows File Encryption

Evolution of Windows File Encryption

In computing, file security is taken seriously, and file encryption is one of the ways an operating system protects files. On Windows it is provided by the Encrypting File System (EFS), which works transparently: the owner reads and writes the file as usual, while anyone who lacks the owner's private key, for example an attacker who copies the disk or boots another operating system, sees only ciphertext.

Windows had no built-in file encryption until Windows 2000, where EFS was introduced together with NTFS version 3.0.

Encryption can be applied to individual files, to folders (files created inside an encrypted folder are encrypted automatically) or to the contents of a drive, and Group Policy can enforce EFS settings across a domain. Every Windows version since 2000 has included EFS in its business editions (Professional, Enterprise, Ultimate and the Server line); the Home editions do not include it.

Drawbacks of Windows File Encryption

Because decryption depends on the user's private key, that key is a single point of failure. If Windows is reinstalled, the user profile is deleted, or an administrator resets a local account's password, the key becomes inaccessible and the encrypted files are lost for good, unless a Data Recovery Agent (DRA) was configured beforehand or the certificate and private key were exported (for example with cipher /x) and stored safely.

The cipher suite also changed over the years, which creates compatibility problems: Windows 2000 used DESX, Windows XP added 3DES and then AES-256, and Windows 7 added elliptic-curve algorithms. A file encrypted with an algorithm the reading system does not implement cannot be opened there, so files encrypted on a newer version can be unreadable on an older one. Windows 7 exposes this through Group Policy, which controls whether elliptic-curve cryptography is allowed or required for EFS.

Added Values of Windows File Encryption

EFS protects the contents of a file at rest: without the user's private key the ciphertext is useless, which is what defeats an attacker who copies the disk or boots another operating system. It is not absolute protection. It does nothing against malware running under the user's own account, because Windows decrypts the file transparently for that account, and it does not hide file names, sizes or timestamps. By default only the user who encrypted a file can decrypt it.

Access to an encrypted file is governed by who holds a key that can unwrap it. EFS encrypts each file with a per-file symmetric key, the File Encryption Key, and that key is in turn encrypted to the certificate of every user allowed to open the file, plus any Data Recovery Agent. Further users are granted access by adding their certificates to the file, for example with cipher /adduser. This key-based control sits alongside NTFS permissions, which still decide who may list, delete or move the file, and together they are a convenient way to maintain a hierarchy of access to files, folders and drives in an organization.

In practice the administrator has two layers to work with: NTFS access control lists define who may reach which folders and drives, and EFS decides who can actually read the contents. The administrator, acting as Data Recovery Agent, can recover any encrypted file and decides which users are added to which files.

What this translates to is that a supervisor's access to a company's data can be narrower than a manager's, and a manager's narrower than a director's.

Adjusting access is a configuration change rather than a re-encryption of the data: adding a user's certificate to a file grants that user access without issuing anyone a new key, because only a small wrapped copy of the File Encryption Key is added and the file contents are untouched.

Going by the earlier example, a manager can be granted a director's level of access when the need arises. Note that EFS has no notion of a "higher" or "lower" key: a key either has a wrapped copy of a file's encryption key or it does not, so wider access means being added to more files and folders, not holding a more powerful key.


Open Port Check Tool

An open port check tool checks whether a TCP port is open or closed on a remote host.

It can be an online service run from a website, which probes your public address from outside your network, or a program installed on or run directly from a device such as a computer or mobile phone, which probes from wherever that device sits. The distinction matters: a check from inside your LAN cannot tell you what the internet sees through your router's NAT and firewall.

Open Port Check Tool Site Examples:

  • Can You See Me is an online open port check tool that reports whether a port is open or closed; it is also useful for verifying port forwarding and for finding ports blocked by a firewall or by the ISP.
  • Port Checker is a free online tool for checking open ports on your computer or device, also useful for testing port forwarding; the site offers further tools such as an Email Checker, a Chrome extension and a Port Scanner.
  • Open Port is another online open port check tool that reports whether a port is open or closed; it also offers online tools such as My IP Address and Online Ping Test, and free Windows tools including a Ping Tool, a Whois Tool and a DNS Lookup Tool.

An Open Port Scanner:

A port scanner is a tool, online or installed, that instead of checking the state of a single port on a remote device checks a list of ports, or all of them, on the target.

A more advanced scanner also reports which service answers on each port, for example a web server on port 80 or, for TLS, on port 443, usually by reading the banner the service sends on connect or by sending a protocol-specific probe. Keep in mind that "closed" (the host answers the connection attempt with a reset) and "filtered" (nothing answers at all, typically because a firewall drops the packet) are different results and point to different causes.
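The following is an added example, not one of the tools named above: a minimal TCP port check and scanner in Python's standard library that distinguishes open, closed and filtered ports and grabs a service banner. It runs offline against a constructed listener it starts itself on 127.0.0.1; the host and port arguments are placeholders for the target you would actually test.

```python
"""TCP port check and small scanner built on the standard library.
Added example, not one of the tools named above. Runs offline against a
constructed listener it starts itself; 'host'/'port' are placeholders."""
import socket
import threading


def check_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    'closed'   means the host answered with a reset (connection refused);
    'filtered' means nothing answered within the timeout, which is what a
    firewall that silently drops the SYN looks like from the outside."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except (TimeoutError, socket.timeout):
            return "filtered"
        except OSError:
            return "filtered"  # no route / unreachable host: cannot tell more
    return "open"


def grab_banner(host, port, timeout=2.0, nbytes=128):
    """Read the greeting a service sends first (SSH, SMTP and FTP do this).
    Services that wait for the client to speak, such as HTTP, yield b''."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(nbytes)
    except OSError:
        return b""


def scan_ports(host, ports, timeout=1.0):
    """State of each port in `ports` on `host`, as {port: state}."""
    return {p: check_port(host, p, timeout) for p in ports}


def start_fake_service(banner, clients=1):
    """Constructed test fixture: listen on 127.0.0.1, send `banner` to the
    first `clients` connections, then close. Returns the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(clients):
            conn, _addr = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # client already hung up (a bare port check)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def pick_closed_port():
    """A port nothing listens on: bind an ephemeral port, then release it.
    Not race-free, but good enough for a demonstration."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    svc = start_fake_service(b"SSH-2.0-Example\r\n", clients=2)
    closed = pick_closed_port()
    print(scan_ports("127.0.0.1", [svc, closed]))
    print(grab_banner("127.0.0.1", svc))
```

Run from a machine outside the network to test a port forward; run from inside only to confirm the service itself is listening. A result of "filtered" from outside and "open" from inside is the classic signature of a missing forward or an ISP block.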

What is port forward?

Port forwarding, in the context of an open port check tool, is the configuration of a router, firewall or other gateway device so that connections arriving on one of its public ports are passed to a host inside the private network behind it.

Port forwarding, also known as port mapping, is the process of forwarding packets that reach the gateway's public address into the inner, private LAN. Typical cases are peer-to-peer (P2P) software that sends data from your computer and must accept incoming connections in return, or letting someone reach a machine on your private LAN with a remote-control tool to fix it. An online port check tool is the natural way to confirm from the outside that the forward works; remember that every forwarded port exposes that internal service directly to the internet, so forward only what is needed and keep the service patched.


The MZ Header

MZ, occasionally written ZM in very old binaries, is the magic number of the DOS .EXE file format, and it is also the first thing in the newer formats that extended it: NE (New Executable), LE/LX (Linear Executable) and PE (Portable Executable) all begin with an MZ header. The initials are those of Mark Zbikowski, one of the designers of the original MS-DOS executable format. The signature was needed to distinguish these files from the simpler executable DOS already had, the .COM format, which is a raw memory image with no header at all.

A file is identified by the ASCII string MZ at offset 0. Compared with the COM format, the MZ executable is newer and carries relocation information, which lets a program span several segments, be loaded at any memory address and exceed the 64 KiB that a COM file is limited to. Its main limitation is that it is bound to the real-mode memory model of DOS, a limit that DOS extenders were written to bypass.

MZ executables run natively on DOS and on Windows 9x. 32-bit versions of Windows NT run them inside the built-in virtual DOS machine (NTVDM), though some graphics modes are not supported. 64-bit versions of Windows do not ship NTVDM and cannot run them at all; DOSBox, Wine and DOSEMU are the usual alternatives for running an MZ executable there.

Moreover, every PE file starts with a small 16-bit DOS program, the DOS stub, so the file opens with an MZ .EXE header. When Windows 1.x, 2.x and 3.x were current they not only shared disks with MS-DOS but ran on top of it, so users regularly tried to start a Windows program from the DOS prompt.

Microsoft's developers therefore put a 16-bit DOS program at the front of every Windows executable whose only job was to print a message (the familiar "This program cannot be run in DOS mode.") when the program was started under DOS. The stub is far less useful today than it was during the transition away from DOS, and it was always rare to find a program that actually bundled a real DOS version together with a Win32 version in the same binary.

The MZ header therefore survives in PE files mainly for backward compatibility. In a modern Win32 or Win64 binary the loader reads only two things from it: the MZ signature and the e_lfanew field at offset 0x3C, which gives the file offset of the PE signature. On its own, the MZ signature still marks the MS-DOS relocatable 16-bit EXE format.

Don’t forget to check our pe file info tool and our file entropy article.


Windows File Analyzer

An Introduction To Windows File Analyzer

Windows File Analyzer (WFA) was designed specifically for Windows XP. It runs on Windows Vista and Windows 7, but with reduced functionality, because Microsoft changed the formats of thumbnail caches, the Recycle Bin and shortcuts. Consequently only the index.dat functionality works fully on Windows 7 and Vista. The Recycle Bin can still be inspected manually under C:\$Recycle.Bin once Explorer is set to show hidden and system files.

WFA needs no installation; it runs directly after the download is unzipped.

Don’t forget to check our pefile tool and our file entropy article.

Functions

A file analyzer is a tool for examining files. It supports a first-pass analysis by displaying a file's contents and properties as a hexadecimal dump, and it can interpret common structures such as graphics, media, text and PE resources.

Utilities

WFA has five utilities: Analyze Thumbnail Database, Analyze Prefetch, Analyze Shortcuts, Analyze Index.dat and Analyze Recycle Bin.

Analyzing thumbnails

This is the first WFA utility. It analyzes the files named Thumbs.db. Windows Explorer (also reached through My Computer) can display a folder's contents in several views; the one useful for folders of pictures is the thumbnail view, which shows miniature versions of the images. When thumbnail view is first activated, Explorer creates a hidden database called Thumbs.db inside the folder and updates it on later thumbnail requests. Windows Vista and Windows 7 store thumbnails differently, in a central per-user cache rather than per folder. A commercial thumbnail viewer, ThumbnailExpert, is available for trial.

A Thumbs.db file often still holds entries for images that are no longer in the folder, which is what makes it interesting to an examiner. Occasionally the program produces faulty results in which a picture does not match its file name. In such a case consider the cause, for instance whether the Thumbs.db file is corrupted or whether the program's parsing is imperfect, and run tests to establish what a thumbnail tool actually reports before relying on it: that a program produces output does not mean the output is always correct.

Analyze Prefetch

Prefetch files are among the most valuable artifacts for an examiner trying to establish which applications have run on a system. Windows creates a prefetch file (a .pf file in %SystemRoot%\Prefetch) the first time an application is run from a given location and updates it on later runs; the file records the executable name, a hash of its path, the files it loaded, the number of times it has run and the time of the last run. Windows uses this to load applications faster, and the examiner gets a record of program execution.

Evidence of program execution is a critical resource for an investigator, and prefetch entries are routinely used to show that a suspect ran a program such as CCleaner to hide evidence of an offence.
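To make the artifact concrete, here is an added example (not part of WFA) that parses the header fields an examiner cares about from a Windows XP/2003 (version 17) or Vista/7 (version 23) prefetch file: executable name, path hash, last-run time and run count. The field offsets are those of the publicly documented .pf layout; the sample file is constructed in the code, not taken from a real system, and Windows 10's compressed .pf files are detected but not decompressed.

```python
"""Parse the header of a Windows Prefetch (.pf) file: executable name,
path hash, last-run time and run count. Added example, not part of WFA.
Offsets follow the publicly documented XP (v17) and Vista/7 (v23)
layouts; the sample file is constructed here, not taken from a system."""
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (offset of last-run FILETIME, offset of run count)
_LAYOUT = {
    17: (0x78, 0x90),  # Windows XP / Server 2003
    23: (0x80, 0x98),  # Windows Vista / 7
}


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_prefetch(data):
    if data[:3] == b"MAM":
        # Windows 10+ stores .pf files LZXPRESS-Huffman compressed;
        # decompress before parsing (out of scope for this example).
        raise ValueError("compressed Windows 10+ prefetch file")
    version, signature, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # executable name: UTF-16LE, at most 29 characters plus terminator
    executable = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    lastrun_off, runcount_off = _LAYOUT[version]
    (last_run,) = struct.unpack_from("<Q", data, lastrun_off)
    (run_count,) = struct.unpack_from("<I", data, runcount_off)
    return {
        "version": version,
        "executable": executable,
        "path_hash": path_hash,
        # Windows names the file <EXE>-<HASH>.pf; a mismatch with the
        # on-disk name suggests tampering or a renamed executable.
        "expected_filename": f"{executable}-{path_hash:08X}.pf",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "declared_size": size,
    }


def build_sample_prefetch(executable, path_hash, last_run, run_count, version=17):
    """Constructed sample with only the header fields filled in."""
    lastrun_off, runcount_off = _LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x0F, len(buf))
    name = executable.encode("utf-16-le")[:58]
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, lastrun_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, runcount_off, run_count)
    return bytes(buf)


# Constructed sample: CCleaner run three times, last on 2009-07-14 01:14:41 UTC
SAMPLE_PF = build_sample_prefetch(
    "CCLEANER.EXE", 0x1A2B3C4D,
    datetime(2009, 7, 14, 1, 14, 41, tzinfo=timezone.utc), 3)

if __name__ == "__main__":
    for key, value in parse_prefetch(SAMPLE_PF).items():
        print(f"{key:18} {value}")
```

On a live system, read the file with `open(path, "rb")` and feed the bytes to parse_prefetch; compare expected_filename with the actual name, and remember that prefetching is disabled by default on server editions and may be off on SSD-equipped machines, so an absent .pf file is not proof a program never ran.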

Analyzing Shortcuts

Microsoft Windows relies heavily on shortcuts, or .lnk files. Most icons on the desktop and most items in the Start menu are .lnk files. Windows also keeps .lnk files in "My Recent Documents" or "Recent Items", which catalogue recently opened document-type files, and most applications keep their own list of recently opened files.

WFA's Shortcut Analyzer lets you view a .lnk file's recorded properties by right-clicking the .lnk file on your desktop.

Analyzing Index.dat

The Analyze Index.dat option makes the program search the usual locations on the main hard disk for index.dat files and cookie folders. It then lists every URL it can locate, and a column can be chosen to sort the information by. The URLs are not a list of the sites visited but of every file retrieved from a remote location, so the picture and text components of a page appear as separate entries. Many of the URLs are therefore long and show individual requests to a remote site. More sophisticated tools exist for analysing the internet cache.

Analyzing the Recycle Bin

This utility runs only on Windows XP. The format and location of the Recycle Bin changed with Windows Vista to C:\$Recycle.Bin, and the program cannot analyze the new version. The Recycle Bin is the Windows facility for quickly retrieving an accidentally deleted file. It works through a hidden file called INFO2 that records the original path and deletion time of each item; the Recycle Bin option lets you view the INFO2 contents for every Windows partition without starting an undelete operation.

The SvcHost File Example

The SvcHost File

Under the Windows operating system, svchost (svchost.exe, Service Host) is a shared host process for services: several services implemented as DLLs run inside one process, which reduces the resources the machine spends on them.

The service groups that share an svchost.exe process are listed under this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost

On a 64-bit system that path is the 32-bit view of the hive; the key the 64-bit service controller reads is the same path without Wow6432Node. Because svchost is so common, malware likes to borrow its name: the genuine binary lives in %SystemRoot%\System32 (and SysWOW64) and is started by services.exe, so an svchost.exe in any other directory, or one whose parent is not services.exe, deserves a closer look.

Here is a dump of the file produced with the PEFile tool from this site:

File Name: svchost.exe
MD5 Hash: 54a47f6b5e09a77e61649109c6a08866
SHA1 Hash: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
File Entropy: 5.88
Overlay Count: 0
NT Offset: 000000d8
File-Overlay: 00000000 (0 bytes)

File Attributes:

  • [ ]System.
  • [X]Archive.
  • [ ]Read only.
  • [ ]Hidden.
  • [ ]Compressed.
  • [ ]Encrypted.
  • [ ]Normal.
  • [ ]Offline.

Time Stamp:

  • Creation Time: 2009.7.13 23:19:28
  • Last Access Time: 2009.7.13 23:19:28
  • Last Write Time: 2009.7.14 1:14:41
  • File Size: 20992 bytes

File Version Info:

  • Signature: 0xfeef04bdL
  • StrucVersion: 1.0
  • File Version: 6.1.7600.16385
  • Product Version: 6.1.7600.16385
  • FileType: 0x00000001L The file contains an application.
  • FileOS: 0x00040004L The file was designed for Windows NT.

Image ConfigInformation:

  • TimeDateStamp: 00000000
  • MajorVersion: 00000000
  • MinorVersion: 00000000
  • GlobalFlagsClear: 00000000
  • GlobalFlagsSet: 00000000
  • CriticalSectionDefaultTimeout: 00000000
  • DeCommitFreeBlockThreshold: 00000000
  • DeCommitTotalFreeThreshold: 00000000
  • LockPrefixTable: 00000000
  • MaximumAllocationSize: 00000000
  • VirtualMemoryThreshold: 00000000
  • ProcessAffinityMask: 00000000
  • ProcessHeapFlags: 00000000
  • CSDVersion: 00000000
  • Reserved1: 00000000
  • EditList: 00000000

Header Information:

  • Signature: 00004550
  • Is System Image: 0
  • Is DOS Image: 0
  • Size Of Image: 20992 bytes
  • Machine: x86 (0x014c)
  • NumberOfSections: 00000004
  • TimeDateStamp: 4A5BC100 [Tue Jul 14 02:19:28 2009 ]
  • PointerToSymbolTable: 00000000
  • NumberOfSymbols: 00000000
  • SizeOfOptionalHeader: 000000E0

Characteristics information:

  • The file is executable (there are no unresolved external references).
  • Computer supports 32-bit words.

Magic:

  • HDR, The file is an executable image.
  • MajorLinkerVersion: 00000009
  • MinorLinkerVersion: 00000000
  • SizeOfCode: 00003A00
  • SizeOfInitializedData: 00001400
  • SizeOfUninitializedData: 00000000
  • BaseOfData: 00005000
  • AddressOfEntryPoint: 00002104
  • BaseOfCode: 00001000
  • ImageBase: 01000000
  • SectionAlignment: 00001000
  • FileAlignment: 00000200
  • MajorOperatingSystemVersion: 00000006
  • MinorOperatingSystemVersion: 00000001
  • MajorImageVersion: 00000006
  • MinorImageVersion: 00000001
  • MajorSubsystemVersion: 00000006
  • MinorSubsystemVersion: 00000001
  • Win32VersionValue: 00000000
  • SizeOfImage: 00008000
  • SizeOfHeaders: 00000400
  • CheckSum: 000087D0

Subsystem:

  • Windows graphical user interface (GUI) subsystem…

Dll Characteristics:

  • SizeOfStackReserve: 00040000
  • SizeOfStackCommit: 00004000
  • SizeOfHeapReserve: 00100000
  • SizeOfHeapCommit: 00001000
  • LoaderFlags: 00000000
  • NumberOfRvaAndSizes: 00000010
  • VirtualAddress: 00003E90
  • Size: 000000B4
  • VirtualAddress: 00006000
  • Size: 00000810
  • VirtualAddress: 00007000
  • Size: 000003CC
  • VirtualAddress: 0000497C
  • Size: 00000038
  • VirtualAddress: 00003740
  • Size: 00000040
  • VirtualAddress: 00000270
  • Size: 0000011C
  • VirtualAddress: 00001000
  • Size: 000001A8
  • VirtualAddress: 00003DD4
  • Size: 00000040

Data directory sections:

Section Name: .text

    • Characteristics information:
    • Section contains executable code.
    • Section can be executed as code.
    • Section can be read.
    • VirtualSize: 000039DC (14812)
    • NumberOfRelocations: 00000000
    • NumberOfLinenumbers: 00000000
    • PointerToLinenumbers: 00000000
    • PointerToRawData: 00000400 (1024)
    • PointerToRelocations: 00000000
    • SizeOfRawData: 00003A00 (14848)
    • VirtualAddress: 00001000 (4096)
    • Entropy: 6.29
    • MD5: 2eb5bad67734deb71cf023259153ef53

Section Name: .data

    • Characteristics information:
    • Section contains initialized data.
    • Section can be read.
    • Section can be written to.
    • VirtualSize: 000005A8 (1448)
    • NumberOfRelocations: 00000000
    • NumberOfLinenumbers: 00000000
    • PointerToLinenumbers: 00000000
    • PointerToRawData: 00003E00 (15872)
    • PointerToRelocations: 00000000
    • SizeOfRawData: 00000600 (1536)
    • VirtualAddress: 00005000 (20480)
    • Entropy: 0.81
    • MD5: bdd64867dcbd8117aac049606aa40456

Section Name: .rsrc

    • Characteristics information:
    • Section contains initialized data.
    • Section can be read.
    • VirtualSize: 00000810 (2064)
    • NumberOfRelocations: 00000000
    • NumberOfLinenumbers: 00000000
    • PointerToLinenumbers: 00000000
    • PointerToRawData: 00004400 (17408)
    • PointerToRelocations: 00000000
    • SizeOfRawData: 00000A00 (2560)
    • VirtualAddress: 00006000 (24576)
    • Entropy: 3.76
    • MD5: 66f21324fc812e3bf717c9aae7a151ee

Section Name: .reloc

  • Characteristics information:
  • Section contains initialized data.
  • Section can be discarded as needed.
  • Section can be read.
  • VirtualSize: 000003CC (972)
  • NumberOfRelocations: 00000000
  • NumberOfLinenumbers: 00000000
  • PointerToLinenumbers: 00000000
  • PointerToRawData: 00004E00 (19968)
  • PointerToRelocations: 00000000
  • SizeOfRawData: 00000400 (1024)
  • VirtualAddress: 00007000 (28672)
  • Entropy: 6.40
  • MD5: 7d35466317c0fe1186bb026254385afe

DOS Signature: 5A4D

  • PE Signature:4550
  • Optional Header Magic Number: 10B

Imported DLL List:

Imported DLL [0]: msvcrt.dll

    • func: __wgetmainargs (Address: 6FF64E7C)
    • func: _exit (Address: 6FFBB2C0)
    • func: _XcptFilter (Address: 6FF7DC75)
    • func: exit (Address: 6FF636AA)
    • func: _initterm (Address: 6FF5C151)
    • func: _amsg_exit (Address: 6FFBB2EF)
    • func: __setusermatherr (Address: 6FFE77AD)
    • func: memcpy (Address: 6FF59910)
    • func: _controlfp (Address: 6FF5E1E1)
    • func: _except_handler4_common (Address: 6FF73E27)
    • func: ?terminate@@YAXXZ (Address: 6FFA61CF)
    • func: __set_app_type (Address: 6FF62804)
    • func: __p__fmode (Address: 6FF627CE)
    • func: __p__commode (Address: 6FF627C3)
    • func: _cexit (Address: 6FF637D4)
    • 15 functions imported (0 ordinal)

Imported DLL [1]: API-MS-Win-Core-ProcessThreads-L1-1-0.dll

    • func: TerminateProcess (Address: 77E2509B)
    • func: GetCurrentProcess (Address: 77E3060C)
    • func: OpenProcessToken (Address: 074010BF)
    • func: GetCurrentProcessId (Address: 77E30D23)
    • func: GetCurrentThreadId (Address: 77E2F212)
    • 5 functions imported (0 ordinal)

Imported DLL [2]: KERNEL32.dll

    • func: LocalAlloc (Address: 77E30594)
    • func: CloseHandle (Address: 77E305B7)
    • func: DelayLoadFailureHook (Address: 77E001A4)
    • func: GetProcAddress (Address: 77E31837)
    • func: GetLastError (Address: 77E2F176)
    • func: FreeLibrary (Address: 77E319E9)
    • func: InterlockedCompareExchange (Address: 77E2F23C)
    • func: LoadLibraryExA (Address: 77E2BC8B)
    • func: InterlockedExchange (Address: 77E2F25E)
    • func: Sleep (Address: 77E2EF66)
    • func: SetUnhandledExceptionFilter (Address: 77E33142)
    • func: GetModuleHandleA (Address: 77E328D7)
    • func: QueryPerformanceCounter (Address: 77E2F2A7)
    • func: GetTickCount (Address: 77E2EF76)
    • func: GetSystemTimeAsFileTime (Address: 77E2FE44)
    • func: UnhandledExceptionFilter (Address: 77E42B35)
    • func: DeactivateActCtx (Address: 77E2911E)
    • func: LoadLibraryExW (Address: 77E2B6BF)
    • func: ActivateActCtx (Address: 77E290ED)
    • func: LeaveCriticalSection (Address: 77F06B40)
    • func: lstrcmpW (Address: 77E31814)
    • func: EnterCriticalSection (Address: 77F06B7E)
    • func: RegCloseKey (Address: 77E2F9D0)
    • func: RegOpenKeyExW (Address: 77E2F729)
    • func: HeapSetInformation (Address: 77E3C41A)
    • func: lstrcmpiW (Address: 77E2DB75)
    • func: lstrlenW (Address: 77E2FE37)
    • func: LCMapStringW (Address: 77E30E51)
    • func: RegQueryValueExW (Address: 77E2FCF1)
    • func: ReleaseActCtx (Address: 77E291BD)
    • func: CreateActCtxW (Address: 77E275A3)
    • func: ExpandEnvironmentStringsW (Address: 77E2B606)
    • func: GetCommandLineW (Address: 77E3ECAB)
    • func: ExitProcess (Address: 77E32ACF)
    • func: SetProcessAffinityUpdateMode (Address: 77E6F6A1)
    • func: RegDisablePredefinedCacheEx (Address: 77E15E7D)
    • func: InitializeCriticalSection (Address: 77F1F8BE)
    • func: GetProcessHeap (Address: 77E2F24C)
    • func: SetErrorMode (Address: 77E31297)
    • func: RegisterWaitForSingleObjectEx (Address: 77E15DFD)
    • func: LocalFree (Address: 77E3057C)
    • func: HeapFree (Address: 77E2F198)
    • func: WideCharToMultiByte (Address: 77E30F86)
    • func: HeapAlloc (Address: 77F1209D)
    • 44 functions imported (0 ordinal)

Imported DLL [3]: ntdll.dll

    • func: RtlAllocateHeap (Address: 77F1209D)
    • func: RtlLengthRequiredSid (Address: 77F191B0)
    • func: RtlSubAuthoritySid (Address: 77F1F0F4)
    • func: RtlInitializeSid (Address: 77F224A1)
    • func: RtlCopySid (Address: 77F1883A)
    • func: RtlSubAuthorityCountSid (Address: 77F1C6C5)
    • func: RtlInitializeCriticalSection (Address: 77F1F8BE)
    • func: RtlSetProcessIsCritical (Address: 77EC1FA4)
    • func: RtlImageNtHeader (Address: 77F1BD55)
    • func: RtlUnhandledExceptionFilter (Address: 77F7C2E2)
    • func: EtwEventWrite (Address: 77EDF5AB)
    • func: EtwEventEnabled (Address: 77EEDD62)
    • func: EtwEventRegister (Address: 77F25A12)
    • func: RtlFreeHeap (Address: 77F11F31)
    • 14 functions imported (0 ordinal)

Imported DLL [4]: API-MS-Win-Security-Base-L1-1-0.dll

    • func: SetSecurityDescriptorDacl (Address: 0DCE9218)
    • func: AddAccessAllowedAce (Address: 0DCEC31F)
    • func: SetSecurityDescriptorOwner (Address: 0DCEA861)
    • func: SetSecurityDescriptorGroup (Address: 0DCEFA7C)
    • func: GetTokenInformation (Address: 0DCE73F1)
    • func: InitializeSecurityDescriptor (Address: 0DCE91CB)
    • func: GetLengthSid (Address: 0DCE73CE)
    • func: InitializeAcl (Address: 0DCE91F0)
    • 8 functions imported (0 ordinal)

Imported DLL [5]: API-MS-WIN-Service-Core-L1-1-0.dll

    • func: StartServiceCtrlDispatcherW (Address: 02B285B2)
    • func: SetServiceStatus (Address: 02B24F9C)
    • 2 functions imported (0 ordinal)

Imported DLL [6]: API-MS-WIN-Service-winsvc-L1-1-0.dll

    • func: RegisterServiceCtrlHandlerW (Address: 02B27D47)
    • 1 functions imported (0 ordinal)

Imported DLL [7]: RPCRT4.dll

    • func: RpcMgmtSetServerStackSize (Address: 77BB818D)
    • func: I_RpcMapWin32Status (Address: 77BEABAF)
    • func: RpcServerUnregisterIf (Address: 77BE1132)
    • func: RpcMgmtWaitServerListen (Address: 77BB1CFA)
    • func: RpcMgmtStopServerListening (Address: 77C115FE)
    • func: RpcServerUnregisterIfEx (Address: 77BBAECA)
    • func: RpcServerRegisterIf (Address: 77BB24DE)
    • func: RpcServerUseProtseqEpW (Address: 77BD29DD)
    • func: RpcServerListen (Address: 77BB8205)
    • 9 functions imported (0 ordinal)

8 DLLs imported.

Stream (ADS) Information:

  • No Stream Found.

Resource Information:

Types: MUI

    • Name: 1
    • Language: 1033
    • ResInfo: 35edf18
    • Size: 176

Types: VERSION

    • Name: 1
    • Language: 1033
    • ResInfo: 35edf28
    • Size: 94

Types: MANIFEST

      • Name: 1
      • Language: 1033
      • ResInfo: 1044d8
      • Size: 688

What are dll files?

DLL is short for dynamic link library. A DLL is a Windows PE (Portable Executable) file that application writers use for several reasons. DLLs are used throughout the Windows operating system itself, and most software today ships with one or more DLLs of its own. A DLL contains functions that other software can call; the big advantage is maintenance: instead of rebuilding the whole application, the developer changes only the function that needs changing, and replacing the DLL alone fixes the problem.

Reasons to use dll files:

  1. A DLL can be used by more than one application, like the common File > Save dialog that Windows uses in many places.
  2. A bug can be fixed in the DLL, and only the DLL needs to be updated.
  3. New features can be added to the DLL; older applications that load the new DLL keep working, and new versions get the new features.

What is a DLL?
A dynamic link library, or DLL, is an ordinary PE file. The difference from a normal PE file such as an .exe is a single bit in the file header: the IMAGE_FILE_DLL flag (0x2000) in the Characteristics field of the COFF file header, which follows the DOS header and the PE signature. Because of this bit you cannot run a DLL like an .exe; instead it is loaded into a process that needs it, either at start-up through the importing program's import table or at run time with LoadLibrary and GetProcAddress.
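The following added example serves both the MZ Header post and this one; it is not the page's PEFile tool. It walks the DOS (MZ) header, the PE signature at e_lfanew, the COFF file header, the optional-header magic and the section table, tells an EXE from a DLL by the IMAGE_FILE_DLL bit, and reports two things a triage analyst checks in a dump like the svchost one above: bytes appended after the last section (the "overlay") and sections that are both writable and executable. The sample image is constructed in the code and is not a real svchost.exe; its header values (x86, PE32, timestamp 0x4A5BC100, 0xE0-byte optional header) mirror that dump.

```python
"""Walk a Windows executable's headers: DOS (MZ) header, PE signature,
COFF file header, optional-header magic and section table, and tell an
EXE from a DLL via IMAGE_FILE_DLL. Added example, not the page's PEFile
tool. The sample image is constructed below, not a real svchost.exe."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
COFF_FMT, SECTION_FMT = "<HHIIIHH", "<8sIIIIIIHHI"   # 20 and 40 bytes


def parse_pe(data):
    """Header facts for a PE image; ValueError for anything else."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A plain DOS .EXE has no PE header; its bytes at 0x3C are not an offset.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ executable without a PE signature")
    coff = e_lfanew + 4
    (machine, nsec, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from(COFF_FMT, data, coff)
    (opt_magic,) = struct.unpack_from("<H", data, coff + 20)
    sec_off = coff + 20 + opt_size
    if sec_off + 40 * nsec > len(data):
        raise ValueError("section table truncated")
    sections, end_of_data, wx = [], 0, []
    for i in range(nsec):
        (name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl,
         flags) = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr, "flags": flags})
        end_of_data = max(end_of_data, rawptr + rawsize)
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            wx.append(name)   # self-modifying or unpacked-at-runtime code
    return {
        "machine": MACHINES.get(machine, f"0x{machine:04X}"),
        "format": OPTIONAL_MAGIC.get(opt_magic, f"0x{opt_magic:04X}"),
        "timestamp": timestamp,
        "kind": "DLL" if characteristics & IMAGE_FILE_DLL else "EXE",
        "sections": sections,
        # data past the last section (PEFile's 'File-Overlay'): installer
        # payloads and Authenticode signatures live here, and so does malware
        "overlay_bytes": max(0, len(data) - end_of_data),
        "writable_executable_sections": wx,
    }


def is_pe(data):
    try:
        parse_pe(data)
        return True
    except (ValueError, struct.error):
        return False


def build_sample_image(is_dll=False, wx_text=False):
    """Constructed minimal PE32: DOS stub, .text and .data, no imports."""
    e_lfanew, opt_size, hdr_size = 0x80, 0xE0, 0x200
    text = b"\xC3" * 0x200            # .text: a page of RET instructions
    rdata = b"\x00" * 0x200           # .data: zeroed initialized data
    buf = bytearray(hdr_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    buf[0x40:0x40 + len(stub)] = stub
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    if is_dll:
        chars |= IMAGE_FILE_DLL
    struct.pack_into(COFF_FMT, buf, e_lfanew + 4, 0x014C, 2, 0x4A5BC100, 0, 0, opt_size, chars)
    struct.pack_into("<H", buf, e_lfanew + 24, 0x10B)
    sec_off = e_lfanew + 24 + opt_size
    text_flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    if wx_text:
        text_flags |= IMAGE_SCN_MEM_WRITE
    data_flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    struct.pack_into(SECTION_FMT, buf, sec_off, b".text", len(text), 0x1000,
                     len(text), hdr_size, 0, 0, 0, 0, text_flags)
    struct.pack_into(SECTION_FMT, buf, sec_off + 40, b".data", len(rdata), 0x2000,
                     len(rdata), hdr_size + len(text), 0, 0, 0, 0, data_flags)
    return bytes(buf) + text + rdata


if __name__ == "__main__":
    for label, img in [("exe", build_sample_image()), ("dll", build_sample_image(True))]:
        info = parse_pe(img)
        print(label, info["kind"], info["machine"], info["format"],
              [s["name"] for s in info["sections"]], "overlay", info["overlay_bytes"])
```

To inspect a real file, pass `open(path, "rb").read()` to parse_pe. Note that the parser only reads headers; it does not validate the checksum or signature, so a file that parses cleanly is still untrusted.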

Many of the API (application programming interface) calls used when developing for Windows are implemented in system DLLs.

When a DLL is missing, you get an error message naming the missing file. If the system still runs, restore the file from the original installation media or from the vendor's redistributable package (or simply run the vendor's installer again) and place it in the correct directory; the application will then work. Downloading individual DLLs from third-party "DLL download" sites is a well-known way to pick up malware and should be avoided.

Most service packs and software updates, for the operating system and for installed software, download new DLL files that replace the old ones; some contain bug fixes and some new features for the installed application.


What is file entropy?

In general terms, entropy is a measure of the information content, or unpredictability, of data. File entropy applies that measure to the bytes of a specific file.


That is, file entropy measures how much information, in Shannon's sense, the bytes of a selected file carry: how evenly the 256 possible byte values are used. If you have some files and want the entropy value for each, the calculation described below is simple to apply.

If you are unfamiliar with what entropy means and how to calculate it for a particular file, the details below explain what entropy is and how the value is derived from the data.

How it works

In simple terms, entropy is a measure of unpredictability or information content. The exact definition varies with the field that uses it, but for files the measurement is always over digital data, and the formula used is Shannon's:

H = - sum over all byte values x of p(x) * log2 p(x)

where p(x) is the frequency of byte value x in the file (the number of times it occurs divided by the file length). The result is the average number of bits of information carried per byte.

Because a byte holds eight bits, the result lies between 0 and 8. A value near 0 means the file uses very few distinct byte values in a highly ordered way (a file of all zero bytes has entropy exactly 0); a value near 8 means every byte value occurs about equally often, as in random, compressed or properly encrypted data. Plain ASCII text typically comes out around 4 to 5 bits per byte and compiled native code around 6 to 6.5, which is what the .text section of the svchost dump above (6.29) shows. This is the basic concept of file entropy calculation with the Shannon equation.

Uses of entropy measurement

Entropy calculation has several uses, but its main one is spotting encrypted and compressed data. Random-looking data is unlike normal user data, which has structure and repetition, so entropy tells the two apart without knowing anything about the file format. Packed or encrypted executables store their real code as a high-entropy blob together with a small stub that decompresses or decrypts it in memory at run time, so a high entropy value on a file that claims to be an ordinary program is a useful warning sign.

File Entropy and malware research

File entropy is also used in malware research. Analysis tools run many checks over a file to extract information and decide whether it is malware or legitimate, and entropy is one of the cheapest: it quickly shows whether a sample has been packed with one of the common packers, or encrypted with some algorithm, before any deeper analysis begins. Two caveats apply. Legitimate installers and media-heavy programs also contain high-entropy sections, so entropy alone is not a verdict, and simple obfuscation such as single-byte XOR leaves the entropy unchanged because it only permutes the byte values.
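The calculation above and its use in triage, as an added example that is not code from the page's tool: Shannon entropy over a byte string, a rule-of-thumb classifier, a sliding window for locating a high-entropy region inside a file, and a single-byte XOR to show the obfuscation that entropy cannot see. The sample inputs (zeros, every byte value, a paragraph of text, and that text zlib-compressed) are constructed in the code; the classification thresholds are conventional bands, not a standard.

```python
"""Shannon entropy of a file's bytes, in bits per byte. Added example,
not code from the page's tool; the sample inputs are constructed inline."""
import math
import zlib
from collections import Counter


def shannon_entropy(data):
    """H = -sum(p(x) * log2 p(x)) over the byte values present; 0.0 for empty."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy):
    """Rule-of-thumb bands for triage; the thresholds are conventional."""
    if entropy < 1.0:
        return "constant or padding"
    if entropy < 5.5:
        return "text-like or sparse data"
    if entropy < 7.0:
        return "native code or mixed data"
    return "compressed, packed or encrypted"


def sliding_entropy(data, window=256):
    """Entropy per non-overlapping window, to locate a high-entropy region
    (an embedded packed payload) inside an otherwise ordinary file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def xor_single_byte(data, key):
    """Trivial 'encryption': permutes byte values, so the histogram and the
    entropy are exactly what they were. Entropy cannot detect this."""
    return bytes(b ^ key for b in data)


def file_entropy(path):
    with open(path, "rb") as f:
        return shannon_entropy(f.read())


# Constructed samples
ZEROS = bytes(1024)
ALL_BYTES = bytes(range(256)) * 4
TEXT = (b"File entropy measures how evenly the 256 possible byte values are "
        b"used in a file. Plain text uses few distinct values, compiled code "
        b"uses more, and compressed or encrypted data uses all of them about "
        b"equally, which is why packers and crypters push the value towards 8. ") * 3
COMPRESSED = zlib.compress(TEXT, 9)

if __name__ == "__main__":
    for label, blob in [("zeros", ZEROS), ("all bytes", ALL_BYTES), ("text", TEXT),
                        ("zlib(text)", COMPRESSED), ("xor(text)", xor_single_byte(TEXT, 0x5A))]:
        h = shannon_entropy(blob)
        print(f"{label:11} {h:5.2f}  {classify(h)}")
```

Per-section entropy, as in the svchost dump, is just shannon_entropy applied to each section's raw bytes; a .text section well above 7 in an unsigned binary is the usual first hint of a packer.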

Don’t forget to check our pe header tool and our Windows File Analyzer article.


Why Build a PE File Dumper

So Why Build a PE File Dumper

A question I hear a lot lately is why build a PE file dumper; after all, there are others out there that can do it better.

My answer is very simple: I wanted to learn and practise how to do it from a developer's point of view. I wanted to create a small command-line tool that would be able to get as much information as it can from a PE-based file.

The first version was able to get some basic information out of a PE file and just output it to the console. I could always use '>' on the command line to redirect it into a text file.

With time, I needed a tool that could output to other file types, so I updated the tool to also support HTML and XML output, and in the meanwhile I added some more functionality to it, based on research I did on the net.

By now it has some nice options and, as expected, some bugs, which I am about to fix in the new release of the tool, soon, along with some new features that I will add over time.

I built it as a command-line tool so that anyone who needs an add-on for their own tool can take it, run it with CreateProcess and the relevant parameters, and pipe the output into their own tool.

Other Tools That I Build:

I have some other command-line tools that I built for the same reason, learning and practice; I will release them in the near future (you can find some of them on my old DarkLich site).

Tools include:

  • Adsinfo – alternate data stream (ADS) information.
  • Dinfo – general disk information.
  • Openwnd – list of open windows.
  • Netinfo – general network devices information.
  • PrcScanner – hidden process scanner.
  • Sysinfo – general system information.
  • Srvinf – services information and control.

I will re-release them soon as a toolbox for Windows.

The output of the current PE File version includes:

  • File Name.
  • MD5 Hash.
  • File Attributes.
  • File Properties.
  • Time Stamp.
  • File Size.
  • Header Information.
  • Characteristics information.
  • Subsystem.
  • DLL Characteristics.
  • Imported DLL List (DLL name, function name and address).
  • Data directory sections.
  • Image Config Information.
  • List of file stream (ads).

You can also set the output to be in an XML or HTML file.
