Say you run into a situation where malware is delivered as one file type but is rewritten on the infected host to slip past defenses: for example, the payload is downloaded as an image, and only its leading bytes are restored to those of an executable once it lands.
In the first example, we use xxd to examine the first two bytes of the file. Here the file is presented as a .JPG, and its first two bytes are ff d8 (the JPEG start-of-image marker), but suppose it is actually a Windows executable. In order to analyze it, we overwrite the header, changing ff d8 to 4d 5a, the ASCII "MZ" that begins every DOS and PE executable.
Here, we pipe the bytes 4d 5a into dd, overwriting the first two bytes of the already-existing an.jpg with a block size of 1 and a count of 2. dd must also be given conv=notrunc; without it, dd truncates an.jpg to those two bytes and the rest of the file is lost. We can verify the overwrite worked by re-running the xxd command to look at the first two bytes, and file should now identify the file as an executable rather than a JPEG.
We can also generate the two bytes with Python's print function and pipe them into dd the same way. On Python 3, print writes text and appends a newline, so either pass end='' and a latin-1 friendly string or, more cleanly, write the raw bytes to sys.stdout.buffer.
In PowerShell, the process is almost as simple. First, read the file into a byte array with System.IO.File's ReadAllBytes method, then overwrite the bytes at positions 0 and 1 with 0x4D and 0x5A and write the array back to disk with WriteAllBytes. Verify with Get-Content, reading the file as bytes (-Encoding Byte in Windows PowerShell, -AsByteStream in PowerShell 7), that the first two values returned are 77 and 90, the decimal forms of 0x4D and 0x5A.
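The xxd/dd procedure above, with the Python byte source as an alternative, as an added POSIX shell example that is not part of the original post. The file name an.jpg comes from the post; the sample file (a stub whose first two bytes are the JPEG marker and whose e_lfanew field points at a "PE\0\0" signature) and the helper names hex_head, restore_mz, restore_mz_py, looks_like_pe and make_disguised_sample are constructed for this demo. It goes one step beyond the post by checking that the patched header is consistent with a PE file, which a genuine picture with two bytes rewritten would not be.

```shell
#!/bin/sh
# Added example (not the post's own commands): restore the MZ magic of an
# executable that was shipped with a JPEG SOI marker (ff d8) in its first
# two bytes, then sanity-check the result. Sample input is constructed.

# Print the first N bytes of FILE as lowercase hex without separators.
# Uses xxd as in the post, falling back to POSIX od when xxd is absent.
hex_head() {  # hex_head FILE NBYTES
    if command -v xxd >/dev/null 2>&1; then
        xxd -p -l "$2" "$1"
    else
        od -An -v -tx1 -N "$2" "$1" | tr -d ' \n'
    fi
}

# Overwrite the first two bytes of FILE with 4d 5a ("MZ").
# Octal escapes are used because \x in printf is not portable across shells.
# conv=notrunc is essential: without it dd truncates FILE to two bytes.
restore_mz() {  # restore_mz FILE
    printf '\115\132' | dd of="$1" bs=1 count=2 conv=notrunc 2>/dev/null
}

# Same patch with Python as the byte source. Raw bytes go to stdout.buffer;
# print() on Python 3 would encode text and append a newline.
restore_mz_py() {  # restore_mz_py FILE
    python3 -c 'import sys; sys.stdout.buffer.write(b"MZ")' \
        | dd of="$1" bs=1 count=2 conv=notrunc 2>/dev/null
}

# Check that FILE is consistent with a PE image: magic is MZ and e_lfanew
# (little-endian 32-bit at offset 0x3c) points at the "PE\0\0" signature.
looks_like_pe() {  # looks_like_pe FILE
    [ "$(hex_head "$1" 2)" = "4d5a" ] || return 1
    pe_lfanew_le=$(od -An -v -tx1 -j 60 -N 4 "$1" | tr -d ' \n')
    # reverse the four bytes: b0 b1 b2 b3 -> b3b2b1b0
    pe_lfanew=$(printf '%s' "$pe_lfanew_le" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/')
    pe_sig=$(od -An -v -tx1 -j "$((0x$pe_lfanew))" -N 4 "$1" | tr -d ' \n')
    [ "$pe_sig" = "50450000" ]
}

# Constructed sample: an 89-byte stub whose first two bytes are ff d8,
# with e_lfanew = 0x40 at offset 0x3c and "PE\0\0" at offset 0x40.
make_disguised_sample() {  # make_disguised_sample FILE
    {
        printf '\377\330'                          # ff d8 where "MZ" belongs
        dd if=/dev/zero bs=1 count=58 2>/dev/null  # pad up to offset 0x3c
        printf '\100\000\000\000'                  # e_lfanew = 0x00000040 LE
        printf 'PE\000\000'                        # PE signature at 0x40
        printf 'added example padding'             # remainder of the "image"
    } > "$1"
}

# Walk through the post's steps on the constructed sample.
demo() {  # demo [FILE]
    f=${1:-${TMPDIR:-/tmp}/an.jpg}
    make_disguised_sample "$f"
    printf 'before: %s\n' "$(hex_head "$f" 2)"     # ffd8
    restore_mz "$f"
    printf 'after:  %s\n' "$(hex_head "$f" 2)"     # 4d5a
    looks_like_pe "$f" && echo "e_lfanew points at a PE signature"
}
```

Run demo to see the before/after bytes; on a real disguised sample, run file on the result as a second check. The looks_like_pe step is the part worth keeping in a triage script: ff d8 followed by a PE header is the disguise, while ff d8 ff e0 or ff d8 ff e1 followed by image data is just a JPEG, and patching that one only breaks the picture.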