µTools part 1 : Introduction, PEiD
As any IT security professional should, I have gathered some useful utilities over the years. Some are Linux based, some are Windows based, some are useful for network security, while others are useful to ensure system security.
I always carry with me a small set of tools that can be very useful for purposes such as virus checking or other things. In order to select good tools, I am very strict, and they must comply with several criteria:
- being standalone (no setup or installation procedure)
- being clean (the tool shouldn't create files on the computer, or if it does, it must be able to remove them properly when the program is stopped)
- having a small footprint (I try not to get apps that are more than 1 MB in size)
- being useful! No bells and whistles, just the minimum needed to do the job properly.
- free, and if possible open source.
This set of small articles on my blog, starting now, will present those small tools for Windows (in no particular order) that seem useful to me. The total size of the tools I use is less than 30 MB including all plugins and mandatory files, and easily fits onto any USB key…
… Thus, the name µTools I gave to this set of small utilities.
Let’s start with a tool that I use from time to time to analyze files.
- Name: PEiD
- Purpose: executable file signature analysis, cryptographic algorithm scanner
- Download URL: http://peid.has.it
- Size: 150 KB standalone, +185 KB with plugins
- Category: non-resident
PEiD detects most common packers, cryptors and compilers. This small program is really useful when you strongly suspect that there is a virus or malware on your PC. Just run a recursive scan and it will analyze all the files and report which executables are packed.
Packing an executable is generally done for two reasons. The first one is to reduce the footprint of the program, just as you would do with a zipped document. When the packed program is run, it first starts a small unpacker routine that expands the main program in memory, then jumps to it. The second reason is to obfuscate the program itself. Since it is packed, it is much more difficult for an analyst (or an automated analyzer such as an antivirus) to understand what the real purpose of the program is, because the original code and strings only exist in memory after unpacking.
The UPX open-source packer is the most frequently used, for legitimate (footprint reduction) or weird (code hiding) reasons, and I myself use it sometimes to pack my own tools (such as all the tools I will present here, except some that cannot be packed). There are many other packers available, mostly written by small teams for illegitimate use. The good news is that PEiD detects those packers too, as long as they are in its signature database. Sometimes well-known programs are packed as well, such as Skype, Google Desktop and others!
When you have a suspicious file on the disk, just drag and drop it onto PEiD, which will display the compiler and/or the packer that was used to generate that specific file. Most malware is packed, so if PEiD says a file is packed, be careful and investigate it further. If PEiD reports "Nothing found", that only means no signature matched: an unknown or modified packer will not be identified by name, so also look at the section names and at the "EP Section" field (the section holding the entry point) before concluding that a file is clean. Tip: you can also drag and drop a folder containing executables; PEiD will recursively analyze all the files within the directory.
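To make the two kinds of evidence PEiD works from concrete, here is an added example that is not part of the original post and not PEiD's own code: a small Python script that reads the PE section table, matches a PEiD-style wildcard signature at the entry point, and adds the layout heuristics (a first section with no raw data, a high-entropy section, the entry point in the last section) that a UPX-packed file exhibits. The signature entry is a shortened illustration of the UPX entry stub written in userdb.txt syntax, not a copy of PEiD's database, and the sample PE images are constructed in code, so nothing here depends on a real binary.

```python
import math
import random
import struct

# Illustrative PEiD-style signature in userdb.txt syntax ("??" = one-byte wildcard):
# the well-known 32-bit UPX entry stub (pushad; mov esi,src; lea edi,[esi+delta];
# push edi; or ebp,-1).  Assumption: a real scan loads the whole userdb.
SIGNATURES = {"UPX (illustrative entry-point signature)":
              "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF"}

def parse_signature(text):
    """'60 BE ?? 8D' -> [0x60, 0xBE, None, 0x8D]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def signature_matches(data, offset, pattern):
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def shannon_entropy(data):
    """Bits per byte: near 0 for padding, above 7 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def parse_pe(pe):
    """Minimal PE32/PE32+ header reader: (entry-point RVA, list of sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "data": pe[rawptr:rawptr + rawsize]})
    return entry_rva, sections

def analyze(pe):
    """Signature match at the entry point, plus packer-layout heuristics."""
    entry_rva, sections = parse_pe(pe)
    ep_section, ep_off = None, None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            ep_section, ep_off = s, s["rawptr"] + (entry_rva - s["vaddr"])
            break
    entropy = {s["name"]: round(shannon_entropy(s["data"]), 2) for s in sections}
    report = {"entry_section": ep_section["name"] if ep_section else None,
              "signature": None, "hints": [], "entropy": entropy}
    if ep_off is not None:
        for label, text in SIGNATURES.items():
            if signature_matches(pe, ep_off, parse_signature(text)):
                report["signature"] = label
                break
    # Layout heuristics that still fire when no signature matches the packer.
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            report["hints"].append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes virtual (unpack target)")
        if s["rawsize"] >= 256 and entropy[s["name"]] > 7.0:
            report["hints"].append(f"{s['name']}: entropy > 7.0 (compressed or encrypted)")
    if len(sections) > 1 and ep_section is sections[-1]:
        report["hints"].append("entry point in the last section (typical unpacker stub)")
    return report

def build_sample_pe(packed):
    """Constructed, non-runnable PE32 image for testing; packed=True mimics the
    UPX layout (empty UPX0, entry stub followed by high-entropy data in UPX1)."""
    rng = random.Random(1)
    if packed:
        stub = bytes.fromhex("60BE00900000" "8DBE00E0FFFF" "5783CDFF")
        payload = stub + bytes(rng.randrange(256) for _ in range(2048))
        layout, entry_rva = [("UPX0", 0x1000, 0x1000, b""), ("UPX1", 0x2000, 0x1000, payload)], 0x2000
    else:
        text = b"\x55\x8b\xec" + b"\x90" * 512 + b"\xc3"
        layout, entry_rva = [(".text", 0x1000, 0x1000, text), (".data", 0x2000, 0x1000, b"\0" * 256)], 0x1000
    dos = bytearray(b"MZ").ljust(64, b"\0")
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    opt = bytearray(0xE0)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x102)
    raw_ptr = 64 + 4 + len(coff) + len(opt) + 40 * len(layout)
    table, blobs = b"", b""
    for name, vaddr, vsize, data in layout:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + blobs
```

Run it on a real file with `analyze(open(path, "rb").read())`; `analyze(build_sample_pe(True))` reports the UPX signature, `UPX1` as the entry section and three hints, while the unpacked sample yields no signature and no hints. The entropy threshold of 7.0 and the 256-byte minimum are assumed cut-offs; signed or resource-heavy files can also contain high-entropy sections, so treat the hints as a reason to look further, exactly as the post advises for a PEiD hit.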
Another basic use of PEiD is checking for cryptographic algorithms. Since most cryptographic algorithms rely on known constants (initial hash values, round constants, S-boxes and lookup tables), it isn't hard to search the analyzed file for such byte sequences. If they are found, there is a good chance that the corresponding algorithm is used by the executable. PEiD supports plugins, and one of them is dedicated to this task. Once the file to analyze is loaded into PEiD, open the Plugins menu and select "Krypto ANALyzer" (KANAL), which lists all the algorithms found. Obviously, it won't find any of the algorithms if the program was carefully packed, since the constants only exist in memory after unpacking. Also keep in mind that some lazy (or nasty-minded) developers embed a full cryptographic library into their program even if they intend to use only one or two algorithms, and that some constants are shared (MD5 and SHA-1 use the same first four initial values), so a hit names a candidate rather than a certainty. This is a basic (and quite useful) step, but not a sufficient one.
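The constant scan that KANAL performs is simple enough to reproduce. The following is an added example, not part of the original post and not the plugin's code: it searches a byte blob for a handful of well-known constants stored the way an x86 compiler lays them out in memory (little-endian 32-bit words, or raw byte tables), resolves the MD5/SHA-1 ambiguity mentioned above, and then runs the same scan over an XOR-obfuscated copy of the data to show why a packed or encrypted program yields nothing on disk. The sample "section", the padding and the XOR key are constructed for the example.

```python
import struct

KEY = b"\x9e\x37\x79\xb9"   # constructed XOR key, standing in for a packer's transform

def le32(*words):
    """Pack 32-bit constants the way an x86 compiler emits them into .rdata."""
    return b"".join(struct.pack("<I", w) for w in words)

# Constants from the respective standards (RFC 1321, FIPS 180, FIPS 197, IEEE CRC-32).
# Each entry is a byte string that is searched for verbatim.
CONSTANTS = {
    "MD5/SHA-1 initial state (shared)": le32(0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "SHA-1 h4": le32(0xC3D2E1F0),
    "MD5 T[1]": le32(0xD76AA478),
    "SHA-256 initial state": le32(0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A),
    "SHA-256 K[0..3]": le32(0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
    "AES S-box row 0": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "CRC-32 table[1..3]": le32(0x77073096, 0xEE0E612C, 0x990951BA),
}

def scan(blob):
    """Return {label: [file offsets]} for every known constant found in blob."""
    hits = {}
    for label, needle in CONSTANTS.items():
        pos = blob.find(needle)
        while pos != -1:
            hits.setdefault(label, []).append(pos)
            pos = blob.find(needle, pos + 1)
    return hits

def classify(hits):
    """Map raw hits to algorithm names.  MD5 and SHA-1 share their first four
    state words, so each is confirmed by a constant the other does not use."""
    algos = set()
    if "MD5/SHA-1 initial state (shared)" in hits:
        sha1, md5 = "SHA-1 h4" in hits, "MD5 T[1]" in hits
        if sha1:
            algos.add("SHA-1")
        if md5:
            algos.add("MD5")
        if not (sha1 or md5):
            algos.add("MD5 or SHA-1 (initial state only)")
    for prefix in ("SHA-256", "AES", "CRC-32"):
        if any(label.startswith(prefix) for label in hits):
            algos.add(prefix)
    return sorted(algos)

def xor_pack(blob, key=KEY):
    """Stand-in for a packer/cryptor: after this, the constants no longer exist on disk."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))

def build_sample(packed=False):
    """Constructed stand-in for an .rdata section holding SHA-1 state, the first
    AES S-box row and the start of a CRC-32 table, separated by NOP padding."""
    body = (b"\x90" * 64
            + le32(0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # SHA-1 H0..H4
            + b"\x90" * 32
            + bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")                 # AES S-box, row 0
            + b"\x90" * 32
            + le32(0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA))             # CRC-32 table[0..3]
    return xor_pack(body) if packed else body

if __name__ == "__main__":
    print("clean :", classify(scan(build_sample())))
    print("packed:", classify(scan(build_sample(packed=True))))
```

On the clean sample the scan reports AES, CRC-32 and SHA-1 (not MD5, because only the SHA-1-specific fifth word is present); on the XOR-obfuscated copy it reports nothing, which is exactly the blind spot KANAL has on a packed file. To scan a real binary, pass `open(path, "rb").read()` to `scan`, and remember that a hit on a statically linked crypto library proves only that the code is present, not that it is called.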
Stay tuned for more of my favorite tools…
Bruno Kerouanton on November 9th 2006 in IT Security