
Orion Incident Response Live CD

Figure 22: McAfee FileInsight running in Orion under WINE

For a quick triage of a suspected malicious file, Orion provides a script called analyze-win-malware that currently runs the following tools to perform some basic checks:

  • feagent.exe: Nick Harbour’s tool for detecting packed and armored executables.

  • XORsearch.exe: Didier Stevens’ tool for finding a string that has been XOR-, ROL- or ROT-encoded inside a file. Orion searches for “http” and “exe”.

  • extractscripts.py: A python script, also written by Stevens, to extract scripts from html files.

  • exiftool: A Perl script written by Phil Harvey that extracts metadata from a wide variety of file types.

  • xxd: Creates a hex dump of the file.
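To show what the XORsearch step above actually does, here is a small brute-force searcher written for this review. It is not part of Orion or of Didier Stevens' tool: it tries every single-byte XOR key, every ROL bit count and every letter-only ROT shift against a file and reports where the needles “http” and “exe” appear in the decoded bytes. The sample blob, the key-reporting convention (the encoder's parameter, so ROT13 is reported as 13) and the letters-only ROT are assumptions of this example.

```python
"""Brute-force XOR / ROL / ROT search, in the spirit of XORSearch (example code, not Orion's)."""
import sys

NEEDLES = (b"http", b"exe")  # the two strings Orion's analyze-win-malware looks for


def xor(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (encode and decode are the same)."""
    return bytes(b ^ key for b in data)


def rol(data: bytes, bits: int) -> bytes:
    """Rotate every byte left by `bits` (1..7); rotating left by 8-bits undoes it."""
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def rot(data: bytes, shift: int) -> bytes:
    """Caesar-shift ASCII letters only, ROT13 style; other bytes pass through (assumption)."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 + shift) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 + shift) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def _find(decoded: bytes, kind: str, key: int, needles) -> list:
    """Return (kind, key, offset, needle) for every needle occurrence in decoded data."""
    hits = []
    for needle in needles:
        start = 0
        while (pos := decoded.find(needle, start)) != -1:
            hits.append((kind, key, pos, needle.decode()))
            start = pos + 1
    return hits


def search(data: bytes, needles=NEEDLES) -> list:
    """Try every XOR key (0x00 = plaintext), ROL count and ROT shift; report encoder parameters."""
    hits = []
    for key in range(256):
        hits += _find(xor(data, key), "XOR", key, needles)
    for n in range(1, 8):                      # encoder rotated left by n -> undo with 8-n
        hits += _find(rol(data, 8 - n), "ROL", n, needles)
    for n in range(1, 26):                     # encoder shifted letters by n -> undo with 26-n
        hits += _find(rot(data, 26 - n), "ROT", n, needles)
    return hits


def build_sample() -> bytes:
    """Constructed test blob (not real malware): XOR-0x5A URL, ROT13 and ROL-3 strings."""
    url = xor(b"http://example.invalid/update.exe", 0x5A)
    return (b"MZ" + b"\x00" * 14 + url + b"\x00" * 4
            + rot(b"cmd.exe", 13) + b"\x00" * 4 + rol(b"dropper.exe", 3))


def report(data: bytes) -> None:
    """Print hits with a short decoded context, like XORSearch's output style."""
    for kind, key, pos, needle in search(data):
        if kind == "XOR":
            decoded = xor(data, key)
        elif kind == "ROL":
            decoded = rol(data, 8 - key)
        else:
            decoded = rot(data, 26 - key)
        context = decoded[pos:pos + 40].decode("latin-1")
        print(f"Found {kind} {key:02X} position {pos:04X} ({needle}): {context!r}")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    report(blob)
```

Run it without arguments to analyse the constructed sample, or pass a file path to scan a real suspect file; XOR key 0x00 is the unencoded file, so plaintext occurrences are reported too. Each decoding is tried over the whole file rather than byte-aligned fields, which is what makes the technique cheap enough for a triage script.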

John Jarocki, john.jarocki@gmail.com

