ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
ClamWin Free Antivirus Forum Index » Virus Database Updates
Reply to topic
Extracting PE Sections into separate files ?
cameraboy


Joined: 21 Jan 2009
Posts: 0
Post Posted: Fri May 01, 2009 3:55 am Reply with quote
How can I generate MD5 based section signatures by extracting PE sections into separate files ? Please advise.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Post Posted: Fri May 01, 2009 4:09 am Reply with quote
Some debuggers give a sectional analysis of the PE file with MD5 hashes. The primary section you want is the one that has Execute Access. You have to be careful, however. Most malware is packed now, and sometimes it is obscured/scrambled to prevent analysis. And sometimes the debugger just gets it wrong. And every once in a while, you find code/sections in malware that is also used in non-malware programs.

Regards.
View user's profileSend private message
Re: Extracting PE Sections into separate files ?
b0ne


Joined: 26 Oct 2006
Posts: 0
Post Posted: Fri May 01, 2009 4:24 am Reply with quote
The program PETools has a pe editor in it, which if you click the sections button, you can dump them to disk. You could also use any pe viewer and a hex editor to save the start offset + length of the section to disk. Some hex editors like HxD support performing calculations on any of the bytes selected.
View user's profileSend private message
Extracting PE Sections into separate files ?
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
 		All times are GMT  
Page 1 of 1  
  
  
ClamWin Free Antivirus Forum Index » Virus Database Updates
 Reply to topic