
Extract an Embedded EXE or DLL using FileInsight

December 30, 2012

FileInsight is a handy integrated environment for website and file analysis. It offers hex editing and syntax highlighting, and comes with several built-in decoders, a calculator, a disassembler, JavaScript scripting support, a Python-based plugin system, and more.

I use FileInsight on a regular basis when analyzing malware, and have found that its greatest asset to me is the Python based plugin system. One developer has already posted some very useful plugins for malware analysis on GitHub.

Drawing inspiration from those plugins, I decided to write a FileInsight plugin to help extract embedded binaries. While this technique is popular with malware ‘droppers’, legitimate applications use it as well. I will walk through an example using the free (and legitimate) tool PsExec (from Microsoft Sysinternals), which carries its Windows service component (PSEXESVC) as an embedded executable, and extract that service binary from it.

Let’s begin

NOTE: FileInsight’s plugin system requires a Python interpreter to be installed on the analysis machine. I install Python 2.7.x from https://www.python.org/.

First install my “Extract Embedded EXE” plugin by grabbing it from the GitHub repository: https://github.com/MicksMix/FileInsight

Please follow the instructions included in the README.txt to install it.

Next, download PsExec here: http://live.sysinternals.com/psexec.exe

Ok, we are ready to begin. Start FileInsight and open “psexec.exe”:


Search for the Embedded EXE / DLL

NOTE: Some executables carry more than one embedded binary, so repeat the search from the end of each carved file until no further hits turn up.

Now we need to search for an EXE embedded within psexec.exe. Click the Search tab at the top of the screen and click Find. I suggest searching for This program (the text of the standard DOS stub message, “This program cannot be run in DOS mode”) with the Match Case checkbox checked. The first match is normally the DOS stub of psexec.exe itself near the start of the file, so use Find Next to move to the embedded copy. The match lands inside the DOS stub, a few dozen bytes after the start of the embedded file, so scroll back up to the MZ signature that precedes it. Searching for MZ works as well, but a two-byte sequence occurs by chance in ordinary code and data, so you may have to step over more false positives before reaching the embedded EXE.


Run the Embedded EXE Extract plugin script

Once you have found it, highlight the M of the MZ header; the plugin carves starting at the current selection, so the selection must sit exactly on the first byte of the embedded file. With the M still selected, click the Plugins tab and select the “Embedded EXE Extract” plugin.


After the script runs, a new tab opens containing the newly carved binary, and the Scripting window shows the size of the PE file as calculated by the script. Check that size against the PE headers of the carved file before trusting it: if the container was truncated or the embedded image has data appended after its last section, the carved file will not be byte-identical to what the dropper writes to disk.


To save this new file, click on the Home tab and select Save File:

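The steps above (find an MZ signature, confirm it is really a PE, work out where the embedded file ends, carve it) can be scripted outside FileInsight as well. The following stand-alone Python 3 script is an added example written for this walkthrough; it is not the “Embedded EXE Extract” plugin and does not claim to reproduce how that plugin computes the size. It uses only the struct module (no pefile), walks the DOS header, COFF header, optional header and section table by hand, and takes the on-disk size to be the end of the last section’s raw data. The container it scans (HOST), the payload string and the build_fake_pe helper that produces a minimal, non-runnable PE32 are constructed sample data, not bytes from psexec.exe.

```python
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"


def pe_size(buf, offset):
    """Validate the PE header at buf[offset] and return its on-disk size, or None.

    The size is the larger of SizeOfHeaders and every section's
    PointerToRawData + SizeOfRawData, i.e. where the last section's raw
    data ends. Data appended after that (an overlay) is not counted.
    """
    if buf[offset:offset + 2] != MZ_SIG or offset + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, offset + 0x3C)[0]
    pe = offset + e_lfanew
    # Heuristic bound on e_lfanew so a random "MZ" cannot send us far off.
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != PE_SIG:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if opt_size < 64 or opt + opt_size > len(buf):
        return None
    if struct.unpack_from("<H", buf, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    # SizeOfHeaders sits at +60 in both the PE32 and PE32+ optional header.
    end = struct.unpack_from("<I", buf, opt + 60)[0]
    sections = opt + opt_size
    for i in range(nsections):
        hdr = sections + 40 * i
        if hdr + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, hdr + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def find_embedded_pes(buf):
    """Return (offset, size) for every MZ hit whose PE headers parse.

    Offset 0 is normally the container itself; the caller decides what to skip.
    """
    hits, pos = [], buf.find(MZ_SIG)
    while pos != -1:
        size = pe_size(buf, pos)
        if size:
            hits.append((pos, size))
        pos = buf.find(MZ_SIG, pos + 1)
    return hits


def carve(buf, offset):
    """Carve the PE at offset. If the container ends early the result is
    shorter than pe_size() claims; callers should treat that as suspicious."""
    size = pe_size(buf, offset)
    if size is None:
        raise ValueError("no valid PE header at offset 0x%x" % offset)
    return buf[offset:offset + size]


def build_fake_pe(section_data):
    """Constructed sample: a minimal, structurally valid PE32 that is not
    runnable. One section, FileAlignment 0x200, headers padded to 0x200."""
    file_align = 0x200
    raw_size = -(-len(section_data) // file_align) * file_align
    dos = bytearray(0x40)
    dos[0:2] = MZ_SIG
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)         # SizeOfImage, SizeOfHeaders
    sec = bytearray(40)
    sec[0:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(section_data), 0x1000, raw_size, 0x200)
    headers = (bytes(dos) + PE_SIG + coff + bytes(opt) + bytes(sec)).ljust(0x200, b"\0")
    return headers + section_data.ljust(raw_size, b"\0")


PAYLOAD = b"embedded service image (constructed sample)"
# Constructed container: a host PE, padding, an "MZ" decoy that is not a PE,
# the embedded PE, and trailing junk after it.
HOST = (build_fake_pe(b"host program code (constructed sample)")
        + b"\0" * 0x123
        + b"MZ decoy, not a PE" + b"\0" * 0x55
        + build_fake_pe(PAYLOAD)
        + b"\xcc" * 0x80)

if __name__ == "__main__":
    for off, size in find_embedded_pes(HOST):
        data = carve(HOST, off)
        note = "" if len(data) == size else " (truncated: only %d bytes present)" % len(data)
        print("%-9s at 0x%05x, %d bytes%s" % ("container" if off == 0 else "embedded", off, size, note))
```

The decoy shows why a bare MZ search needs validation: its e_lfanew points back at bytes that are not a PE signature, so pe_size() rejects it, while the real embedded image at 0x58A is reported with its full 0x400-byte size. Carving from a container cut short (for example, a partial download) returns fewer bytes than the headers promise, which is the check the last paragraph above recommends.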

Categories: Disassembly, Tech, Windows
  1. March 19, 2014 at 9:48 AM

    Maybe you should post that users need Python to be installed in order for this to work, and not to mention the psexec file opens and closes, and does nothing.

  2. February 23, 2016 at 6:10 AM

    There is a pefile module requirement now, and not much documentation on how to use it. FileInsight pretty much just hangs for me when I try any plugin.
