1) Right-click the file. If you have WinRAR installed and the context menu offers "Open with WinRAR", the file is a WinRAR self-extracting archive (SFX), which is one of the most common ways to bind a payload to a program. Some legitimate installers are shipped as SFX too, so open it in WinRAR and look at what is inside: a program you expected to be a single executable that unpacks into two or more executables plus an SFX script that runs them has definitely been bound.

2) Open it with a resource editor such as Resource Hacker, Restorator or PE Explorer and look at the RCDATA section. Binders commonly store the bound files as raw RCDATA resources with numeric names, so if you see entries named 1 and 2 (or more) under RCDATA, the file has been bound.

3) Open it with a hex editor. Every PE file starts with a DOS stub that contains the string "This program cannot be run in DOS mode". Search for it: if it occurs more than once, there is at least one more executable embedded in the file, which might mean it is bound. It depends on the specific app, because it is not unusual for binders and crypters to attach their stub file in the resources, and some legitimate installers embed executables too. Also search for ".exe", both as plain ASCII and as UTF-16 (in a hex editor the UTF-16 form looks like x.x...e.x.e, since every character is followed by a zero byte), and inspect the hits. A bound file drops its payloads to a temp folder before executing them, so if you find something like %.t.e.m.p.%.\.x.x...e.x.e or file1.exe / file2.exe, it is definitely bound.

4) Run it in Sandboxie. A file run in Sandboxie is isolated (it cannot touch your real files or registry) unless the programmer deliberately built in a Sandboxie bypass; if you think that is likely, do not use this method, but if you are fine with the risk, proceed as follows:
   - Click the Sandboxie tray icon to open the Sandboxie Control window.
   - Right-click the file and choose "Run Sandboxed".
   - If another process name shows up in the Sandboxie window next to the program, it is probably backdoored. This does not include SandboxieRpcSs and SandboxieDcomLaunch, which are legitimate helper processes that some programs need.
   - That is not all: the file may drop its payload only when one of the buttons in the program's GUI is clicked, or after you close it, so click every button and then close it just to make sure.
   - If you do see other processes, immediately choose File > Terminate All Programs from the Sandboxie menu.
   - If a file refuses to run in Sandboxie, or it is supposed to be a program but runs without showing any GUI, it is probably best to delete it.
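The hex-editor checks from step 3, scripted as an added Python example that is not part of the original post. It counts occurrences of the DOS stub message, locates every embedded PE image by following e_lfanew to the "PE\0\0" signature (which goes beyond the post's string count, since a crypter can strip or alter the stub text), and extracts ASCII and UTF-16LE strings that name an .exe, flagging %temp% drop paths and file1.exe-style names. The two sample byte blobs are constructed inside the script (two minimal PE shells glued together with a UTF-16LE %temp% path between them); they are not a real binder, and the heuristics, thresholds and the drop-path pattern are my own assumptions.

```python
import re
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode"
PRINTABLE = rb"[\x20-\x7e]"


def find_pe_headers(data: bytes) -> list:
    """Offsets of every PE image inside data.

    A PE image starts with 'MZ'; the DWORD at offset 0x3c (e_lfanew) points at
    the 'PE\\0\\0' signature. Following e_lfanew instead of matching 'MZ' alone
    avoids false hits on random 'MZ' bytes in code or data.
    """
    hits = []
    for m in re.finditer(b"MZ", data):
        base = m.start()
        if base + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
        sig = base + e_lfanew
        if e_lfanew >= 0x40 and data[sig:sig + 4] == b"PE\0\0":
            hits.append(base)
    return hits


def count_dos_stub_messages(data: bytes) -> int:
    """How many times the DOS stub text appears (a clean PE has exactly one)."""
    return data.count(DOS_STUB_MSG)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """(offset, encoding, text) for printable ASCII and UTF-16LE runs.

    UTF-16LE is the form that shows up in a hex editor as x.x...e.x.e:
    every character is followed by a zero byte.
    """
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    wide_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    out = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    out += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(out)


def find_exe_strings(data: bytes) -> list:
    """Strings that name an .exe, in either encoding."""
    return [s for s in extract_strings(data) if ".exe" in s[2].lower()]


# Assumed drop-path pattern: a %temp% path or file1.exe / file2.exe style names.
DROP_PATTERN = re.compile(r"%temp%|\bfile\d+\.exe", re.IGNORECASE)


def assess(data: bytes) -> list:
    """Return a list of findings; an empty list means none of the step-3 signs."""
    findings = []
    pes = find_pe_headers(data)
    if len(pes) > 1:
        findings.append("embedded PE image(s) at " + ", ".join(hex(o) for o in pes[1:]))
    n = count_dos_stub_messages(data)
    if n > 1:
        findings.append(f"DOS stub message appears {n} times")
    for off, enc, text in find_exe_strings(data):
        if DROP_PATTERN.search(text):
            findings.append(f"drop path {text!r} ({enc}) at {hex(off)}")
    return findings


def build_min_pe() -> bytes:
    """Constructed sample: the smallest byte layout the checks above care about
    (DOS header, stub with its message, PE signature + COFF header). Not loadable."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB_MSG + b".\r\r\n$\0"
    struct.pack_into("<I", dos, 0x3C, len(dos) + len(stub))  # e_lfanew -> PE signature
    coff = b"PE\0\0" + b"\x4c\x01" + b"\0" * 18  # IMAGE_FILE_MACHINE_I386, rest zeroed
    return bytes(dos) + stub + coff


CLEAN = build_min_pe()
# Constructed "bound" sample: host PE, a UTF-16LE drop path, then a second PE.
BOUND = CLEAN + b"\0" * 16 + "%temp%\\payload.exe".encode("utf-16le") + b"\0\0" + build_min_pe()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BOUND
    for line in assess(data) or ["no binder signs found"]:
        print(line)
```

Run it as `python binder_check.py suspect.exe` (the script name is an assumption); with no argument it scans the constructed BOUND sample and prints three findings. As the post says for the stub count, a second PE image is a flag rather than proof: installers, self-extractors and crypter stubs legitimately embed executables, so follow up with the resource editor and the sandbox steps before deciding.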