Pestudio debug rsds

Malware developers often leave unintentional hints about their development practices, goals, and identities in the executables they publish. These breadcrumbs can appear in a variety of locations, ranging from the code they use (or reuse) to the metadata of what they publish. Examining executables can provide insight into a sample's malware family, its origins, and potentially the entity behind it. After the publication of FireEye's recent blog series on Debug Details, we were inspired to take a closer look at what can be learned from one specific executable breadcrumb: Program Database ("PDB") paths. Specifically, we wanted to explore methods for a scalable approach to PDB path analysis.

To do any type of analysis on PDB paths, we needed a method to quickly extract PDB path details from large numbers of files. Our research led to the creation of PDBlaster, an open source tool for quickly bulk processing Portable Executable ("PE") files, which we have made available on the PDBlaster GitHub.

Some background on PDB Paths

During the compilation of PE files, a Program Database ("PDB") file may be generated depending on the project's debugging settings. These files help developers debug their programs and typically store information called symbols. Symbols include information intended to make debugging easier, such as information about global and local variables, and function names and their associated entry points. By default, the PDB file is created in the same directory the PE was compiled in. Additionally, embedded within the PE file is the location where its associated PDB file is stored. For example, if a program called RAT.exe was compiled in C:\Users\Nick\Programs\BadGuyStuff\RemoteAccess\v2\x86\, then that directory would contain the files RAT.exe and RAT.pdb, and the full PDB path would be embedded within RAT.exe. That path can be extracted using a tool like pestudio, as shown below.
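The extraction step described above, as an added example that is not PDBlaster's or pestudio's code: the script walks the PE headers to the debug data directory, finds the CodeView entry, and decodes the RSDS record (a 4-byte "RSDS" signature, a 16-byte GUID, a 4-byte age, then the NUL-terminated PDB path) that pestudio displays in its debug view. Because no real binary is available here, build_sample_pe constructs a minimal PE32 image in memory carrying the RAT.pdb path from the example above; the GUID and age are made up for the demonstration, and all function and variable names are this example's own. The path is just a string the linker wrote into the debug directory and nothing validates it, so treat it as an attacker-controlled indicator rather than a verified fact.

```python
"""Extract CodeView RSDS records (PDB path, GUID, age) from a PE file with the
standard library only.  Added example for this article; not PDBlaster/pestudio
code.  The sample PE is constructed in memory, not a real binary."""
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_DIR_ENTRY_SIZE = 28       # sizeof(IMAGE_DEBUG_DIRECTORY)
DEBUG_DIRECTORY_INDEX = 6       # IMAGE_DIRECTORY_ENTRY_DEBUG


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    return None


def _parse_headers(data):
    """Return (debug_dir_rva, debug_dir_size, sections) for PE32 or PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at 92, directories at 96
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+: 8-byte ImageBase/stack/heap fields shift them
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    if num_dirs <= DEBUG_DIRECTORY_INDEX:
        return None, 0, []      # no debug directory at all
    dbg_rva, dbg_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * DEBUG_DIRECTORY_INDEX)
    sections = []
    sec = opt + opt_size
    for i in range(num_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    return dbg_rva, dbg_size, sections


def extract_rsds(data):
    """Return one dict per CodeView RSDS record in the PE image `data`."""
    dbg_rva, dbg_size, sections = _parse_headers(data)
    records = []
    if not dbg_rva or not dbg_size:
        return records
    dbg_off = _rva_to_offset(dbg_rva, sections)
    if dbg_off is None:
        return records
    for entry in range(dbg_size // DEBUG_DIR_ENTRY_SIZE):
        off = dbg_off + entry * DEBUG_DIR_ENTRY_SIZE
        _chars, _ts, _maj, _min, dtype, size, addr_rva, raw_ptr = struct.unpack_from("<IIHHIIII", data, off)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        start = raw_ptr or _rva_to_offset(addr_rva, sections)
        if start is None:
            continue
        blob = data[start:start + size]
        if len(blob) < 24 or blob[:4] != b"RSDS":
            continue            # truncated, NB10, or an unknown CodeView format
        guid = uuid.UUID(bytes_le=bytes(blob[4:20]))   # GUID fields are little-endian on disk
        (age,) = struct.unpack_from("<I", blob, 20)
        # SizeOfData bounds the string; stop at the first NUL if there is one.
        path = blob[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
        records.append({"guid": str(guid).upper(), "age": age, "pdb_path": path})
    return records


def build_sample_pe(pdb_path, guid, age):
    """Construct a minimal, non-runnable PE32 image with one RSDS record
    (constructed test input; only the header layout is real)."""
    rsds = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\0"
    sec_raw_ptr, sec_rva = 0x200, 0x1000         # one ".rdata" section holding the debug data
    dbg_entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(rsds),
                            sec_rva + DEBUG_DIR_ENTRY_SIZE, sec_raw_ptr + DEBUG_DIR_ENTRY_SIZE)
    section_data = dbg_entry + rsds
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DEBUG_DIRECTORY_INDEX, sec_rva, DEBUG_DIR_ENTRY_SIZE)
    section_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(section_data), sec_rva,
                              len(section_data), sec_raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section_hdr
    return headers.ljust(sec_raw_ptr, b"\0") + section_data


# Constructed sample: the path from the article, a made-up GUID and age.
SAMPLE_PDB_PATH = r"C:\Users\Nick\Programs\BadGuyStuff\RemoteAccess\v2\x86\RAT.pdb"
SAMPLE_GUID = uuid.UUID("d7a4b5f0-3c2e-4a1b-9f8e-001122334455")
SAMPLE_PE = build_sample_pe(SAMPLE_PDB_PATH, SAMPLE_GUID, 3)

if __name__ == "__main__":
    for rec in extract_rsds(SAMPLE_PE):
        print(rec)
```

On a real file, pass open(path, "rb").read() to extract_rsds. Debug entries of other types, and CodeView blobs with the older NB10 signature, are skipped rather than misparsed, and the PDB string is bounded by SizeOfData so a missing NUL terminator cannot run off into neighbouring data. The same record is what PDBlaster harvests in bulk and what pestudio shows in its debug view.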
