[unisog] identifying packed executables
michael.holstein at csuohio.edu
Fri May 6 20:57:36 GMT 2005
... I should clarify:
before everyone blasts me for not reading "UNIX for Dummies", I know
what '/usr/bin/file' is for. There are bots being compressed with tools
for which header sigs are NOT in '/etc/magic'.
On that note .. anyone have a better copy of /etc/magic than what comes
with Slackware? I know BSD's protocols and services files are better ...
Michael Holstein wrote:
> I know I've read an article which discusses a UNIX tool that can
> (attempt) to identify what a particular file was packed with. Just can't
> seem to make Google find it for me.
> This is of obvious use when doing virus/bot research.
> The standard UNIX 'file' command will always say "win32 executable" --
> what I need is a tool that can tell me if the first layer of compression
> is UPX or whatever -- without having to try and un[upx|rar|zip|etc] it
> with every tool in the belt.
> Anyone know the name of such a gem?
> Michael Holstein CISSP GCIA
> Cleveland State University
> unisog mailing list
> unisog at lists.sans.org
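Added example, not from the thread or from any tool the poster names: the check a packer identifier actually performs, written out in Python so it can be run where a magic entry for the packer does not exist yet. It walks the PE section table (which plain 'file' stops short of), matches section names that packers leave behind, looks for the "UPX!" marker UPX writes into the packed image, and falls back to per-section entropy so an unsigned packer still shows up as "unknown packer". The section names other than UPX0/UPX1, the 7.0 bits/byte threshold, and the two sample images are assumptions constructed for illustration, not real binaries.

```python
"""Identify a likely packer on a Win32 PE image by section names and entropy.

Added example for the unisog thread, not the poster's tool. The non-UPX section
names, the entropy threshold and the sample images are constructed assumptions.
"""
import math
import random
import struct
from collections import Counter

# Section names packers leave behind. UPX0/UPX1 are what UPX itself creates;
# the other entries are assumed here as illustration.
SECTION_SIGNATURES = {
    "UPX": {b"UPX0", b"UPX1", b"UPX2"},
    "ASPack": {b".aspack", b".adata"},
    "PECompact": {b"PEC2", b"pec1"},
}
HIGH_ENTROPY = 7.0  # bits per byte; assumed cut-off for "looks compressed"


def pe_sections(data):
    """Parse the PE section table; return [(name, raw_offset, raw_size)]."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i                                  # 40-byte section header
        name = data[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def shannon_entropy(buf):
    """Bits per byte; 8.0 is the ceiling for uniformly random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def identify_packer(data):
    """Report the matched packer (or None), UPX! marker, peak section entropy."""
    sections = pe_sections(data)
    names = {name for name, _, _ in sections}
    packer = next((p for p, sigs in SECTION_SIGNATURES.items() if names & sigs), None)
    max_ent = max((shannon_entropy(data[off:off + size]) for _, off, size in sections),
                  default=0.0)
    if packer:
        verdict = packer
    elif max_ent >= HIGH_ENTROPY:
        verdict = "unknown packer"   # no signature hit, but a section looks compressed
    else:
        verdict = "not packed"
    return {
        "packer": packer,
        "upx_marker": b"UPX!" in data,
        "max_entropy": round(max_ent, 2),
        "sections": [n.decode("ascii", "replace") for n, _, _ in sections],
        "verdict": verdict,
    }


def build_pe(sections):
    """Constructed minimal PE for testing: DOS stub, PE/COFF header, zeroed
    224-byte PE32 optional header, section table, then raw section data."""
    opt_size, e_lfanew = 224, 0x40
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers, body = b"", b""
    for name, payload in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000,
                               len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        raw_ptr += len(payload)
    return dos + b"PE\0\0" + coff + optional + headers + body


# Constructed samples: a UPX-shaped image with a random (compressed-looking)
# UPX1 section, and a plain image whose .text is mostly NOP padding.
_rng = random.Random(1)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
UPX_SAMPLE = build_pe([(b"UPX0", b""), (b"UPX1", b"UPX!" + RANDOM_BLOB),
                       (b".rsrc", b"\0" * 512)])
PLAIN_SAMPLE = build_pe([(b".text", b"\x90" * 4000 + b"Hello, world" * 8),
                         (b".data", b"\0" * 1024)])

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, identify_packer(image))
```

Section names and the "UPX!" string are the same things a custom magic entry loaded with 'file -m' would key on; the entropy fallback is what catches the packers you have no signature for yet, at the cost of also flagging legitimately compressed resources, so treat it as a lead, not an identification.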