psexec -ihs cmd.exe
Tuesday, October 1, 2013
Sunday, September 29, 2013
Auditing Mounted Windows Installations
RunScanner /t 1 /w G:\Windows /u G:\Users\john\NTUSER.DAT WinAuditu
Friday, May 14, 2010
Carving a PE executable out of an RTF file
I've seen quite a bit of malware distributed via emails. Typically they contain a .doc file attachment or a link to one. Most of the time these files are really .rtf files misnamed with a .doc extension and within you'll find an OLE package containing an .exe file.
Sure you can just copy it out, but if you're paranoid like me or you somehow need to do bulk extraction, you can do it with a little script I wrote:
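#!/usr/bin/perl
use strict;
use warnings;
my $exe = '';
binmode(STDOUT);    # emit raw bytes, no newline translation
# Skip ahead to the hex-encoded OLE object data (starts with 01050000).
while (<>) { last if (/^01050000/); }
# Decode each pair of hex digits into one byte.
do { $exe .= chr(hex($1)) while (/([0-9a-fA-F]{2})/g); } while (<>);
# The 4 bytes before the first "MZ" hold the payload length (little-endian).
$exe =~ s/^.*?(....)MZ/MZ/s or die("no MZ header found\n");
my $exelen = unpack('V', $1);
print(substr($exe, 0, $exelen));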
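For bulk triage, the same carving idea as an added Python example (not the script from the original post). It goes a step further than the script above: it confirms the RTF magic of a misnamed .doc, skips any stray "MZ" in the package header by validating the PE signature through e_lfanew, and returns a SHA-256 of the carved file. The names carve_pe and build_sample_rtf are hypothetical, and the sample document is constructed.

```python
import hashlib
import re
import struct

def carve_pe(rtf_bytes):
    """Return (pe_bytes, sha256_hex) for the first embedded PE, or None."""
    # A .doc attachment that is really RTF still starts with the RTF magic.
    if not rtf_bytes.lstrip().startswith(b"{\\rtf"):
        return None
    # The hex-encoded OLE object data begins with the text 01050000.
    start = rtf_bytes.find(b"01050000")
    if start < 0:
        return None
    # Take the run of hex digits and line breaks, then decode it to bytes.
    run = re.match(rb"[0-9a-fA-F\s]+", rtf_bytes[start:]).group(0)
    digits = re.sub(rb"\s+", b"", run)
    blob = bytes.fromhex(digits[:len(digits) // 2 * 2].decode("ascii"))
    # Try every "MZ"; the 4 bytes before the real one are its length (LE).
    off = blob.find(b"MZ", 4)
    while off != -1:
        (length,) = struct.unpack_from("<I", blob, off - 4)
        pe = blob[off:off + length]
        if len(pe) == length and length >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
            if pe[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return pe, hashlib.sha256(pe).hexdigest()
        off = blob.find(b"MZ", off + 1)
    return None

def build_sample_rtf():
    """Constructed sample: a stub PE header wrapped in an OLE package."""
    pe = bytearray(0x48)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    pe[0x40:0x44] = b"PE\x00\x00"
    # The file name in the header contains a stray "MZ" on purpose.
    header = b"\x01\x05\x00\x00\x02\x00\x00\x00Package\x00MZ.exe\x00"
    blob = header + struct.pack("<I", len(pe)) + bytes(pe) + b"\x00trailing"
    hexed = blob.hex().encode()
    wrapped = b"\r\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    rtf = b"{\\rtf1{\\object\\objemb{\\*\\objdata " + wrapped + b"}}}"
    return rtf, bytes(pe)

if __name__ == "__main__":
    sample, _ = build_sample_rtf()
    carved, digest = carve_pe(sample)
    print(len(carved), digest)
```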

