Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: sowhat-x on October 20, 2007, 03:58:19 am

Title: GT2
Post by: sowhat-x on October 20, 2007, 03:58:19 am
GT2 is a file detection utility that detects all kinds of file types according to their binary signature.
It is different from standard Windows filetype detection,
since it does not consider the file's extension by default.
So if you ever stumble across a file that you don't know what it is,
run GT2 on it and you will hopefully know what it is.

Very cool utility, say something in between TrID and PEiD...
Its signature database is kind of limited, it won't detect recently released packers...
It has plenty of available options to be used though, and as it is a CLI tool,
it can easily be scripted to run over lots of executables etc...
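Added example (written for this page, not code from GT2, TrID or any other tool named in this thread) of the content-first approach described above: the file is classified from bytes at a known offset, and the extension is consulted only afterwards, to flag a mismatch. The signature table is a short constructed one that follows the public format specifications, and the sample inputs are constructed in-line, so the script runs offline:

```python
import os
import struct

# Constructed signature table for this example: (offset, leading bytes, type, usual extensions).
# Values follow the public format specifications; a real database such as TrID's holds thousands.
MAGIC = [
    (0, b"MZ", "DOS/Windows executable", {".exe", ".dll", ".scr", ".sys"}),
    (0, b"\x7fELF", "ELF executable", {"", ".so", ".o"}),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (0, b"PK\x03\x04", "ZIP container", {".zip", ".jar", ".docx", ".xlsx", ".apk"}),
    (0, b"%PDF-", "PDF document", {".pdf"}),
    (0, b"\x1f\x8b", "gzip data", {".gz", ".tgz"}),
    (0, b"Rar!\x1a\x07", "RAR archive", {".rar"}),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document", {".doc", ".xls", ".msi"}),
    (0x8001, b"CD001", "ISO 9660 image", {".iso"}),
]


def refine_mz(data):
    """An MZ file is a PE only if e_lfanew (offset 0x3C) points at the PE signature inside the file."""
    if len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE executable"
    return "MZ executable without a PE header"


def identify(data, filename=""):
    """Classify by content alone; the note is non-empty when the extension disagrees."""
    ext = os.path.splitext(filename)[1].lower()
    for off, magic, name, exts in MAGIC:
        if data[off:off + len(magic)] != magic:
            continue
        if magic == b"MZ":
            name = refine_mz(data)
        note = "" if not filename or ext in exts else f"extension '{ext}' does not match content"
        return name, note
    return "unknown (no signature matched)", ""


def scan(files):
    """Run identify() over a {filename: bytes} mapping and collect the verdicts."""
    return {fn: identify(data, fn) for fn, data in files.items()}


# Constructed inputs for a dry run; none of these are real files.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "invoice.pdf": b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20,
    "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR",
    "setup.exe": b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x1000),
    "notes.txt": b"hello, world\n",
}

if __name__ == "__main__":
    for fn, (kind, note) in scan(SAMPLES).items():
        print(f"{fn:12} {kind}" + (f"  [{note}]" if note else ""))
```

Running it prints one verdict per sample: invoice.pdf comes out as a PE executable with a mismatch note, photo.jpg as a PNG with a mismatch note, notes.txt as unknown. The MZ entry is refined by following e_lfanew to the PE signature because "MZ" alone only says DOS-era executable; the slice comparison never reads past the end of the buffer, so a bogus e_lfanew simply fails the check.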
Title: Re: GT2
Post by: tjs on November 07, 2007, 11:36:18 pm
Be careful with this tool, I've noticed it crash due to buffer issues while analyzing malware samples on several occasions. The same is true of PEiD. Always run these tools in a 'safe' virtual machine at a bare minimum.

Title: Re: GT2
Post by: sowhat-x on November 08, 2007, 03:57:26 am
Yeah, I can confirm it has crashed on me a couple of times or so...
What I like in GT2, besides the colored screen output that reminds me of *nix terminals, lol...
is that it can detect older DOS-based or preliminary win32 packers not widely in use nowadays,
e.g. a lot of those that can still be found in the repository etc...

As for PEiD...well, since you raised this topic...
I've seen quite a lot of people complaining about bugs in PEiD, and well...
as BoB from Team PEiD says somewhere in his webpages:
"A program without bugs has either too few users, or too few uses"   8)

Meaning, if people don't report back "weird" behavior, then how are bugs supposed to get fixed?...
After all, it's a project done in their free time, aiming to make life easier for the community...
i.e. the community also has to give some feedback regarding its operation:
they can't automagically have access to every single packer/cryptor/protector available,
and even more, they can't be aware of every sample out there that exhibits "weird" behavior... :P

Regarding the "crash" behavior you described above...
personally, I haven't encountered a "direct" crash bug in PEiD.
I've found quite a few bugs, some of them actually important, others not that much...
all of which have been reported back. What I do know though,
is that Team PEiD themselves have come across samples that "directly" crash PEiD...
and thereby they had the ability to fix these bugs internally since the latest v0.94.
And more or less, at the current moment, v0.95 seems to be in the final stages...

So, to keep it short: do you have access to any samples that exhibit this behavior?
If yes, then please upload/submit them...
_pusher_ from Team PEiD visits us here on occasion...  ;)
Or even better, just send a private message to the PEiD team directly via their forum,
it doesn't take more than 5 minutes after all to do so... :)
Title: Re: GT2
Post by: tjs on November 12, 2007, 12:42:30 am
Both PEiD and GT2 have been known to have severe security bugs. Obviously, everyone is encouraged to report bugs to the respective dev teams (I always do). I'll post on this forum the next time I find a GT2 crashing bug (I seem to run into them quite often these days -- I think it doesn't like Unicode filenames, but didn't do a thorough investigation... yet).

My biggest problem with PEiD is how easy it is to trick. I can very easily make it think that some packed sample is in fact packed with a different packer. Sometimes simply renaming a section is enough. That said, I do know that it's a very difficult problem to solve and the PEiD team and all the people contributing signatures are doing a great job.

Title: Re: GT2
Post by: sowhat-x on November 12, 2007, 08:32:15 am
...getting rid of sig fakers is in the 'todo' list, but when is this gonna happen...
that, I'm certainly not the person to know about/speak of...  ::)
Generally speaking though, I'm under the impression
that this doesn't seem to be planned for the near future/next version...

...lots of faker techniques, and thereby,
lots of possible false positives to take care of...
note that I'm more than confident they can handle them, lol... 8)
What I mean with the above is,
that when/if they decide to implement something like this,
I would most probably expect a "generic fakers" detection or so,
rather than listing individually everyone that floats out there...
Title: Re: GT2
Post by: _pusher_ on November 13, 2007, 07:24:30 am
yucky... faker discussion, well.. I simply don't believe you when you say.. all you have to do is rename section names..
to my knowledge there's no signature based on the section names.. anyways..
and about crash bugs... I've done my best job to find these.. we have 1-3 ppl trying these things to crash PEiD.. and in my latest beta.. there are no crash bugs at all.. we've found them all  :)
but that's PEiD.. ppl always say PEiD is easy to fool... hehe give me another tool.. I'll make it think a .exe is its mother
e.g.. ProtectionID super easy to make it think a .exe is SecuROM... DiE.. super easy to both crash and fool.. "RedCurtain" also very easy to fool.. even though it says it's not.. and it's better than PEiD.. (with its signatures and tricks).. eh.. so there's a GT2.. I will try it too, ah yes "ExeInfo PE".. also easy to fool.
Title: Re: GT2
Post by: JohnC on November 13, 2007, 09:11:26 am
I've uploaded some file detectors I had saved from a while back, I think a lot of these I haven't even used before. Might be good for comparative purposes. If you know of any recent detection utilities which are publicly released and I don't have, please can you mention it. I'll upload it then :) Or if there are updated versions of any of them please let me know.

One final note, as I say I haven't used most of these and I can't take any responsibility if any of these aren't "clean". They have all come from public sources over time. If you suspect any of them are not legitimate please let me know.

Title: Re: GT2
Post by: sowhat-x on November 13, 2007, 02:56:35 pm
...he-he, I'd like to add one more, lol... :D
I find ARiD to be a nice complement to TrID:
(maybe I could also add the "file" utility from *nix systems...)

Ok, a small review regarding some of them...

PEPirate / SCANiT / gAPE
-> PEiD rip-offs, mixed with tons of false entries...
blindly adding whatever questionable semi-working sig someone finds on the net
can only cause further confusion, by returning false positives...

PE Detective / CFF Explorer
-> PE Detective just uses PEiD sigs, converted from the plain old good text file to XML.
Once again, signatures are gathered from all over the net...
and in order to avoid confusion/colliding sigs, it has a "Best Match" feature:
exactly the same thing can be done in PEiD,
by using the excellent "Advanced Scan" plugin from diablo2oo2...
CFF Explorer is the 2nd generation/incarnation of it...
which is a very nice and useful PE editing suite of tools.
Personally, I prefer it to, say, using Procdump, I find it more "modern",
but that's just a matter of personal taste... let's not forget... old school is cool! :D
Packer detection is obviously the same as in PE Detective described above.

-> ...not even gonna comment on this. Honestly. Period.  >:(

A-Ray Scanner
-> It's meant only for CD protection schemes, and furthermore, it is abandoned:
ProtectionID can do this and also detect quite a few popular packers/cryptors as well,
so I don't really see a reason for preferring it instead...

...I could go on comparing various other tools (and rip-offs) out there,
but there's a variety of reasons I don't wanna do it...
it's the general idea that matters in the final end, and that's what I'm gonna describe.

Point is...well, just check the date stamps in the archives:
all these years, identifiers come and go... and what's left?
Buggy semi-working apps, which are rendered obsolete as time passes by.
The only app which somehow has turned out to be considered a standard
is the (although somehow limited) Unix 'file' tool.
My guess, because Linux systems slowly but steadily
get adopted by even more people every day... 8)

Plurality is one thing... having a generally accepted standard though, is very different.
It's something that is earned through the challenges in time... and on win32 systems,
the only apps that have PROVED they can fulfill the requirements
are TrID for general files, and for executables, PEiD obviously...

...there is absolutely no need to waste time re-inventing the wheel here:
if there's one thing that needs to be done, it is making the car better...
with that being said... I don't think anyone would visit his/her car sales representative,
complaining that the automobile he/she got doesn't fly...  :)

Quote from _pusher_:
ppl always say PEiD is easy to fool...
hehe give me another tool... I'll make it think a .exe is its mother

...felt that I should also add a few words regarding fakers,
from a simple end-user's perspective... if it was that easy to trick PEiD,
there wouldn't be a whole "trend" of releasing them, even commercial ones...
that's part of the game, a bet between reversers... what would be the fun after all?
What's not funny at all obviously, is when these are used on malware:
not really because they make unpacking that much more difficult,
as most of them just add an extra layer of "security through obscurity",
and not an actual protection...
It's the taxonomy of the samples that actually becomes a pain in the... :P

A good proof of this is all the fakers out there
that don't actually make use of advanced techniques,
just simpler hacks/tricks like the section renaming mentioned above...
Even if they might seem successful at a first glance,
meaning they were not flagged directly by original name as...
[Blahblahfaker 0.0.25012 beta -> PEiDFaker Corp. Inc]  ;D

Poof... and the 'magic' is gone, simply by right-clicking in the Deep Scan option...  8)
Title: Re: GT2
Post by: tjs on November 16, 2007, 08:23:50 pm
GT2 Crash:

MD5: 78a1f07319d8ef1a53837c7317d212c0
I can provide a sample if necessary.

The sample causes an exception which crashes GT2.

gt_filebuffer.cxx line 430: Occured in 104.exe
Filed to read C like string at 16896

Title: Re: GT2
Post by: sowhat-x on November 17, 2007, 09:15:42 am
Quote from tjs:
I can provide a sample if necessary.

...well, you provided the http link, thereby... ;)

Ok, actually that's certainly not funny,
wish I had kept my problematic samples also...
I'll try mailing Philip Helger, the gt2 author,
in an attempt to see what his point of view is currently...
assuming of course that the mail address is reachable at the moment,
plus that he's willing to speak of further plans regarding gt2's development...
Title: Re: GT2
Post by: sowhat-x on January 03, 2008, 09:50:22 pm
...Thought that some people might also be interested in the fact
that a newer ARiD 0.07 has been released... and now it's open source also  :)
Same address as above...
Title: Re: GT2
Post by: tjs on March 03, 2008, 09:07:37 pm
In case anyone is still looking for a repro, almost all these samples cause GT2 to crash with an exception in gt_filebuffer.cxx (line 430).


Title: Re: GT2
Post by: sowhat-x on March 04, 2008, 01:23:10 pm
Rotfl... they're all processed with UPack, v0.39, v0.36, a couple of v0.399...
Many exe analyzers have trouble with the way UPack handles the import table,
thereby I'd bet the crash bug above is related to this...
Official PEiD v0.94 also lists nothing in the import table if you check it,
doesn't crash though... this has been fixed internally since quite some time...

What makes me really wonder though, is why that much malware uses UPack:
it certainly has an excellent compression ratio, without doubt one of the best packers currently.
But other than this, I really don't get it... its goal is maximum compression,
it doesn't provide any protection features... and furthermore,
there are too many tutorials/tools out there in order to handle it.

Another thing that makes me laugh is... the exact opposite of the above:
the tons of malware that are protected with Themida...
which is surely not the easiest thing in the world to unpack/fix properly.
But most of today's malware authors seem to lack even the most common logic,
because Themida-protected binaries are huge and thereby it's a dead give-away,
even to the least suspicious end-user out there... do they really believe there's actually anyone out there,
except maybe 12-yr-old kids, that would actually run their crap?...

PS: For those interested, ARiD above has also been updated to v0.09...
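The crash tjs reported (a "C like string" read in gt_filebuffer.cxx that runs off the buffer) and the UPack import-table trouble sowhat-x describes are both what happens when an identifier trusts header fields. The Python below is an added example written for this page, not GT2's or PEiD's code: a bounds-checked PE32 reader that maps RVAs through the section table, matches a PEiD-style entry-point signature with "??" wildcards, and walks the import descriptors with a bounded string read. The signature, its name and the in-memory sample images are constructed for the example (the stub bytes are a generic pushad / call $+5 / pop ebp / sub ebp sequence, not any real packer's entry), and the header offsets follow the public PE/COFF layout. Because the match is done on the bytes at the entry point, the sample with a renamed section gets the same verdict; a real database also carries non-EP signatures, which the example does not cover.

```python
import struct

PE32_MAGIC = 0x10B
IMPORT_DIR = 1   # data-directory slot of the import table
# Constructed signature (not from any real PEiD database): pushad / call $+5 / pop ebp / sub ebp, imm32
SIGNATURES = {"ExamplePacker (constructed)": "60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ??"}

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table; None if it maps nowhere."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    return None

def read_cstring(buf, off, maxlen=256):
    """Bounded NUL-terminated read: None instead of running off the end of the buffer."""
    if off is None or not 0 <= off < len(buf):
        return None
    end = buf.find(b"\x00", off, min(len(buf), off + maxlen))
    return None if end < 0 else buf[off:end]

def parse_pe(buf):
    """Read only the headers an identifier needs; every offset is range-checked first."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    nsec, opt_size = struct.unpack_from("<H12xH", buf, e_lfanew + 6)
    opt = e_lfanew + 24
    if opt_size < 96 + 8 * (IMPORT_DIR + 1) or opt + opt_size > len(buf):
        return None
    magic, entry_rva = struct.unpack_from("<H14xI", buf, opt)
    (ndirs,) = struct.unpack_from("<I", buf, opt + 92)
    import_rva = struct.unpack_from("<I", buf, opt + 96 + 8 * IMPORT_DIR)[0] if ndirs > IMPORT_DIR else 0
    sec_off = opt + opt_size
    if magic != PE32_MAGIC or sec_off + 40 * nsec > len(buf):
        return None
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, sec_off + 40 * i)
        if rawptr + rawsize > len(buf):
            return None                      # section claims raw data beyond end of file
        sections.append(dict(name=name.rstrip(b"\x00"), vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr))
    return {"entry_rva": entry_rva, "import_rva": import_rva, "sections": sections}

def match_sig(buf, off, text):
    """PEiD-style hex signature with '??' wildcards, compared at a file offset."""
    sig = [None if t == "??" else int(t, 16) for t in text.split()]
    if off is None or off + len(sig) > len(buf):
        return False
    return all(b is None or buf[off + i] == b for i, b in enumerate(sig))

def identify(buf):
    """Entry-point scan: the verdict depends on the bytes at EP, not on section names."""
    pe = parse_pe(buf)
    if pe is None:
        return "not a parsable PE32 file"
    ep_off = rva_to_offset(pe["sections"], pe["entry_rva"])
    if ep_off is None:
        return "entry point maps outside every section"
    return next((n for n, s in SIGNATURES.items() if match_sig(buf, ep_off, s)), "unknown")

def import_dll_names(buf, pe, limit=64):
    """Walk IMAGE_IMPORT_DESCRIPTORs; None as soon as any pointer leaves the file."""
    names, off = [], rva_to_offset(pe["sections"], pe["import_rva"])
    for _ in range(limit if pe["import_rva"] else 0):
        if off is None or off + 20 > len(buf):
            return None
        (name_rva,) = struct.unpack_from("<I", buf, off + 12)   # Name field of the descriptor
        if name_rva == 0:
            break                                               # all-zero terminator
        name = read_cstring(buf, rva_to_offset(pe["sections"], name_rva))
        if name is None:
            return None
        names.append(name)
        off += 20
    return names

def build_sample(section_name=b".text", entry_rva=0x1000, name_rva=0x1180):
    """Constructed one-section PE32 image; the stub at its entry point matches SIGNATURES."""
    opt_size, e_lfanew, rawptr = 0xE0, 0x40, 0x200
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBB" + "I" * 9, PE32_MAGIC, 0, 0, 0x200, 0, 0, entry_rva, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    opt += b"\x00" * (92 - len(opt)) + struct.pack("<I", 16)              # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[IMPORT_DIR] = (0x1100, 40)
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    sec = struct.pack("<8sIIIIIIHHI", section_name, 0x200, 0x1000, 0x200, rawptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + opt + sec
    body = bytearray(0x200)
    body[:13] = bytes.fromhex("60E8000000005D81ED06104000")               # entry-point stub
    body[0x100:0x114] = struct.pack("<IIIII", 0, 0, 0, name_rva, 0x1080)  # one import descriptor
    body[0x180:0x18D] = b"kernel32.dll\x00"                              # well-formed DLL name
    body[0x1FC:0x200] = b"DLL!"                                          # no terminator before EOF
    return hdr + b"\x00" * (rawptr - len(hdr)) + bytes(body)

if __name__ == "__main__":
    sample = build_sample()
    print(identify(sample), identify(build_sample(section_name=b".ABCD")), import_dll_names(sample, parse_pe(sample)))
```

Three inputs exercise the failure modes discussed in the thread: build_sample(entry_rva=0x9000) has an entry point that no section covers, sample[:0x100] is a truncated file whose section table lies past the end, and build_sample(name_rva=0x11FC) points an import's DLL-name RVA at four bytes with no terminator right before end of file. A reader that indexes the buffer without these checks is the kind that dies in a file-buffer routine; here each case yields a verdict or None instead of an exception.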