
Orion Incident Response Live CD

Figure 22: McAfee FileInsight running in Orion under WINE

For a quick review of a suspected piece of malicious data, Orion provides a script called analyze-win-malware that currently uses the following tools to perform some quick checks:

  • feagent.exe: Nick Harbour’s tool for detecting packed and armored executables.

  • XORsearch.exe: Didier Stevens’ tool for searching for a string that has been XOR, ROL, or ROT encoded. Orion searches for “http” and “exe” in files.

  • extractscripts.py: A Python script, also written by Stevens, to extract scripts from HTML files.

  • exiftool: A Perl script written by Phil Harvey that extracts metadata from a variety of file types.

  • xxd: Creates a hex dump of the file.
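To show what the XORsearch step of analyze-win-malware is actually checking for, here is an added illustration (not Orion's script and not Didier Stevens' tool) that brute-forces single-byte XOR keys, bit rotations and letter rotations over a constructed sample and reports where "http" and "exe" surface; the sample bytes, the key 0x5A and the placeholder URL are all made up for the demonstration.

```python
# Added illustration of the XORsearch step in analyze-win-malware (not
# Orion's script or Didier Stevens' tool): brute-force single-byte XOR,
# bit rotation (ROL) and letter rotation (ROT), then look for "http" and
# "exe" in each decoded view. Keys reported recover the plaintext.
MARKERS = (b"http", b"exe")

def rol8(b: int, n: int) -> int:
    """Rotate one byte left by n bits (n in 1..7)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def rot_letter(b: int, n: int) -> int:
    """Caesar-shift ASCII letters by n positions; other bytes untouched."""
    if 0x41 <= b <= 0x5A:
        return 0x41 + (b - 0x41 + n) % 26
    if 0x61 <= b <= 0x7A:
        return 0x61 + (b - 0x61 + n) % 26
    return b

def decode(data: bytes, mode: str, key: int) -> bytes:
    if mode == "xor":
        return bytes(b ^ key for b in data)
    if mode == "rol":
        return bytes(rol8(b, key) for b in data)
    if mode == "rot":
        return bytes(rot_letter(b, key) for b in data)
    raise ValueError(mode)

def scan(data: bytes, markers=MARKERS):
    """Return (mode, key, marker, offset) hits; "plain"/0 is the raw pass.
    Short markers like "exe" yield chance hits in large files (255 XOR
    keys x 3 bytes), so confirm each lead in a hex dump rather than
    treating it as a verdict."""
    trials = [("plain", 0)]
    trials += [("xor", k) for k in range(1, 256)]
    trials += [("rol", k) for k in range(1, 8)]
    trials += [("rot", k) for k in range(1, 26)]
    hits = []
    for mode, key in trials:
        view = data if mode == "plain" else decode(data, mode, key)
        for m in markers:
            off = view.find(m)
            while off != -1:
                hits.append((mode, key, m.decode(), off))
                off = view.find(m, off + 1)
    return hits

# Constructed sample: a URL XOR-encoded with key 0x5A, plus "exe" ROT-13'd.
SAMPLE = (b"\x00MZ\x90junk"
          + bytes(b ^ 0x5A for b in b"http://placeholder.example/payload.exe")
          + b" rkr ")
```

Calling `scan(SAMPLE)` lists the XOR key 0x5A hits for both markers and the ROT-13 hit, with no plaintext hit; on a real sample the offsets are what you then inspect with xxd.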

John Jarocki, john.jarocki@gmail.com
