File Type Identification
Identifying the file type is extremely important as it helps us identify the target OS and the corresponding architecture.
An example of a Windows executable file is the PE (Portable Executable).
A PE could be in form of: .exe ; .dll ; etc
To accurately identify a file type we need to analyze the file signature. This is to avoid false positives caused by the use of double extensions.
The file signature exists on the file header.
The file signature for PE files is represented by hexadecimal values of 4D 5A or MZ in the first 2 bytes (0-1).
PE programs also have the notice "This program cannot be run in DOS mode".
The PE header begins at hex 50 45.
Note
Attackers may use archiving/packing to evade signature based identification.
Last updated