How to detect backdoored files [TUT]
1) Right-click it. If you have WinRAR installed and you see "Open with WinRAR", it was bound with WinRAR, so it is definitely backdoored.
2) Open it with a resource editor such as Resource Hacker, Restorator or PE Explorer and check the RCDATA section. If there are "1" and "2" entries in it, it is definitely bound.
3) Open it with a hex editor. At the start of a PE header there is always the line "This program cannot be run in DOS mode". Search for it; if it appears more than once, the file might be bound. It depends on the specific app: for example, it is not unusual for binders/crypters to have the stub file attached in the resources. Also search for ".exe" and inspect the results. A bound file drops its files to a temp folder before executing them, so if you find something like "%.t.e.m.p.%..x.x...e.x.e" or "file1.exe"/"file2.exe", it is definitely bound.
4) Run it in Sandboxie. When a file is run in Sandboxie it is isolated (it can't access your files or registry). First click the Sandboxie tray icon to open its window, then right-click the file and click "Run with Sandboxie". If you see another process name in the Sandboxie window, it is probably backdoored (this doesn't include Sandboxie's RpcSs/DcomLaunch processes; those are legit and needed for some programs). That's not all: the file may drop another one when one of the buttons in the program GUI is clicked or after you close it, so click all the buttons and close it just to make sure. If you do see other processes, immediately click File > Terminate All Processes from the Sandboxie menu. If a file refuses to run in Sandboxie, or it is supposed to be a program and runs without a GUI, it would probably be best to delete it.
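The hex-editor checks from step 3, as an added Python script that is not part of the original post: it counts DOS-stub banners and looks for ".exe" and "%temp%" stored both as plain ASCII and as UTF-16LE (the wide form a hex editor shows as "x.x...e.x.e", one dot per NUL byte). The sample bytes are constructed to mimic binder output and are not a real binary.

```python
import sys

DOS_STUB = b"This program cannot be run in DOS mode"


def all_offsets(data: bytes, needle: bytes) -> list:
    """Every offset of needle in data, case-insensitive for ASCII bytes."""
    hay, nd = data.lower(), needle.lower()
    hits, pos = [], hay.find(nd)
    while pos != -1:
        hits.append(pos)
        pos = hay.find(nd, pos + 1)
    return hits


def string_refs(data: bytes, text: str) -> dict:
    """Offsets of text stored as plain ASCII and as UTF-16LE (the wide form
    that a hex editor renders as 'x.x...e.x.e', with a dot per NUL byte)."""
    return {"ascii": all_offsets(data, text.encode("ascii")),
            "utf16": all_offsets(data, text.encode("utf-16-le"))}


def scan(data: bytes) -> dict:
    """Apply the step-3 checks: more than one DOS stub, or a %temp% drop path,
    is what the post treats as a sign of a bound file."""
    stubs = all_offsets(data, DOS_STUB)
    exe_refs = string_refs(data, ".exe")
    temp_refs = string_refs(data, "%temp%")
    suspicious = len(stubs) > 1 or any(temp_refs.values())
    return {"dos_stubs": stubs, "exe_refs": exe_refs,
            "temp_refs": temp_refs, "suspicious": suspicious}


# Constructed sample (not a real binary): a host PE with a second PE body and
# a UTF-16LE "%TEMP%\xx.exe" drop path appended, mimicking binder output.
SAMPLE = (b"MZ" + b"\x00" * 62 + DOS_STUB + b"\x00" * 32 + b"PE\x00\x00"
          + b"\x00" * 64 + "%TEMP%\\xx.exe".encode("utf-16-le")
          + b"\x00" * 16 + b"MZ" + b"\x00" * 62 + DOS_STUB + b"\x00" * 16)

if __name__ == "__main__":
    # Pass a file path to scan a real binary; without one, scan the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = scan(blob)
    print("DOS stub banners at:", report["dos_stubs"])
    print("'.exe' references  :", report["exe_refs"])
    print("'%temp%' references:", report["temp_refs"])
    print("verdict:", "possibly bound" if report["suspicious"] else "no binder signs")
```

A single DOS stub with no temp path is the normal case for a clean PE; treat the hits only as a cue to look at those offsets in the hex editor, as the post says.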