After writing the previous post, I started developing a quick script to spot anomalies inside a PE file. In addition to the things I already wrote about, I added a couple of extra anomalies to the script:
- Entry point falling out of the .text section.
- The .rsrc sections contains another PE file.
The code in a PE file is stored in the .text section. So the entry point must fall somewhere inside this section. An entry point out of the .text section may be an indicator of code injection in the PE file.
The code is pretty simple:
The .rsrc section is used to store resources needed by an executable file. Sometimes, launchers store pieces of malware in this section.
The check performed by the script is very straight forward. I just look for the “MZ” header and then check if in the following bytes there is a “PE” header.
This check is a bit weak, as most of the time the file will be encrypted, but if you find this, you will really have to take a look at that file.
Here is the link to the script. Ideas, anomalies and contributions are always welcome.