Monday 18 March 2013

Detect Backdoor On Files

FIRST METHOD:

Right-click the file. If you have WinRAR installed and the context menu shows
"Open with WinRAR", the file was binded with WinRAR (it is a self-extracting RAR archive),
so it is definitely backdoored.

SECOND METHOD:

Open it with a resource editor such as Resource Hacker, Restorator or PE Explorer and check the RCDATA section. If it contains entries named 1 and 2,
then it is binded.

THIRD METHOD:

Open it with a hex editor. Every PE header starts with the string "This program cannot be run in DOS mode", so search for it. If it
occurs more than once, the file might be binded.
This depends on the specific app; for example, it is not unusual for
binders/crypters to have the stub file attached in the resources.
Also search for ".exe" and inspect the results. A binded file
drops its payloads to a temp folder before executing them, so if
you find something like this: %.t.e.m.p.%..x.x...e.x.e (the dots are the null bytes of a wide, UTF-16 string) or file1.exe/file2.exe,
then it is definitely binded.
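To run the hex-editor checks from the third method automatically (and the WinRAR check from the first, by looking for a RAR archive signature embedded in the file), here is an added Python script that is not part of the original post; the sample bytes it scans are constructed, not output from any real binder.

```python
import re
import sys

DOS_STUB = b"This program cannot be run in DOS mode"
RAR_SIGNATURE = b"Rar!\x1a\x07"  # RAR4 and RAR5 archives both start with these bytes
# Short path/file names ending in .exe, as plain ASCII ...
EXE_ASCII = re.compile(rb"[\w%\\.-]{0,40}\.exe", re.IGNORECASE)
# ... and as a wide (UTF-16LE) string, where every character is followed by a NUL byte
EXE_WIDE = re.compile(rb"(?:[\w%\\.-]\x00){0,40}\.\x00e\x00x\x00e\x00", re.IGNORECASE)


def scan_for_binding(data: bytes) -> dict:
    """Apply the post's hex-editor heuristics to the raw bytes of a file."""
    stubs = [m.start() for m in re.finditer(re.escape(DOS_STUB), data)]
    names = [m.group().decode("latin-1") for m in EXE_ASCII.finditer(data)]
    names += [m.group().decode("utf-16-le") for m in EXE_WIDE.finditer(data)]
    return {
        "dos_stub_offsets": stubs,
        "extra_dos_stubs": len(stubs) > 1,        # more than one PE glued together?
        "exe_strings": names,
        "drops_to_temp": any("%temp%" in n.lower() for n in names),
        "rar_archive_inside": RAR_SIGNATURE in data[1:],  # RAR data embedded past the start
    }


# Constructed sample: a fake PE-like blob with two DOS stubs and a wide %temp% path.
SAMPLE = (
    b"MZ" + b"\x00" * 60 + DOS_STUB + b"\r\n$" + b"\x00" * 32
    + b"PE\x00\x00" + b"\x00" * 64
    + "%temp%\\xx.exe".encode("utf-16-le") + b"\x00\x00"
    + b"MZ" + b"\x00" * 60 + DOS_STUB + b"\x00" * 16 + b"file2.exe\x00"
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample if none is given.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in scan_for_binding(data).items():
        print(f"{key}: {value}")
```

A single extra stub or .exe string is only a hint, as the post says; legitimate installers also carry embedded executables, so treat a hit as a reason to look closer, not as proof on its own.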

FOURTH METHOD:

Run it in Sandboxie. When a file is run in Sandboxie it is isolated (it can't access your files or registry). First click the Sandboxie tray icon to
open its window, then right-click the file and click "Run Sandboxed".
If you see another process name in the Sandboxie window, it is probably backdoored (this doesn't include Sandboxie's RpcSs/DcomLaunch processes; those are legitimate and needed for some programs). That's not all: the file may drop another one when a button in the program's GUI is clicked or after you close it, so click all the buttons and close it
just to make sure. If you do see other processes, immediately click File > Terminate All Programs in the Sandboxie menu. If a file refuses to run in Sandboxie, or it is supposed to be a program and it runs
without a GUI, then it would probably be best to delete it.
