File Type Identification

Identifying the file type is an essential first step: it tells us which operating system the sample targets and which CPU architecture it was built for.

  • An example of a Windows executable format is the PE (Portable Executable).

    • A PE can take several forms, for example .exe or .dll.

To identify a file type accurately we must analyze the file signature rather than trust the extension. This avoids false positives caused by double extensions (for example a file named with .pdf.exe, which is an executable regardless of what the name suggests).

The file signature is located in the file header.

The file signature of a PE file is the hexadecimal value 4D 5A (ASCII "MZ") in the first two bytes (offsets 0-1).

PE programs also contain the DOS stub notice "This program cannot be run in DOS mode".

The PE header itself begins with the signature bytes 50 45 (ASCII "PE").

Note

Attackers may use archiving or packing to evade signature-based identification.
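The checks described above (MZ magic at offset 0, the DOS stub notice, the PE signature, and the architecture read from the COFF header) can be applied with a few lines of code. The script below is an added example, not part of the original page. It relies on two PE/COFF layout facts not stated on the page: the 4-byte e_lfanew field at offset 0x3C holds the offset of the "PE\0\0" signature, and the 2-byte Machine field follows that signature immediately. All sample blobs, file names and the helper build_sample_pe are constructed for the demonstration; the last two samples illustrate the note above, since a double-extension file and a ZIP-archived file both present a signature other than MZ and will not be identified as PE until unpacked.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_TYPES = {
    0x014C: "x86 (I386)",
    0x8664: "x64 (AMD64)",
    0x01C0: "ARM",
    0xAA64: "ARM64",
}

DOS_MAGIC = b"MZ"            # 4D 5A at offset 0
PE_SIGNATURE = b"PE\0\0"     # 50 45 00 00 at the offset stored in e_lfanew
E_LFANEW_OFFSET = 0x3C       # location of the 4-byte e_lfanew field in the DOS header
COFF_HEADER_SIZE = 20        # IMAGE_FILE_HEADER size; Machine is its first 2 bytes
DOS_STUB_NOTICE = b"This program cannot be run in DOS mode"


def identify_pe(data: bytes) -> dict:
    """Classify a byte string by its signature, ignoring any file name or extension."""
    result = {"is_pe": False, "machine": None, "dos_stub_notice": False, "reason": ""}
    if len(data) < E_LFANEW_OFFSET + 4:
        result["reason"] = "too short to hold a DOS header"
        return result
    if data[:2] != DOS_MAGIC:
        result["reason"] = f"first bytes {data[:2].hex()} are not 4D 5A (MZ)"
        return result
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_SIZE > len(data):
        result["reason"] = "e_lfanew points past the end of the data"
        return result
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        result["reason"] = "MZ header present but no PE signature at e_lfanew (not a PE)"
        return result
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    result["is_pe"] = True
    result["machine"] = MACHINE_TYPES.get(machine, f"unknown (0x{machine:04x})")
    # The notice lives in the DOS stub, i.e. between the DOS header and the PE signature.
    result["dos_stub_notice"] = DOS_STUB_NOTICE in data[:e_lfanew]
    result["reason"] = "MZ magic and PE signature present"
    return result


def build_sample_pe(machine: int) -> bytes:
    """Constructed minimal blob (DOS header + stub notice + PE signature + COFF header).
    It carries the headers needed for identification only and is not a runnable program."""
    e_lfanew = 0x80
    dos_header = bytearray(0x40)
    dos_header[:2] = DOS_MAGIC
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, e_lfanew)
    stub = (DOS_STUB_NOTICE + b".\r\n$").ljust(e_lfanew - len(dos_header), b"\0")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos_header) + stub + PE_SIGNATURE + coff


# Constructed samples: the name is deliberately misleading in several cases.
SAMPLES = {
    "installer.exe": build_sample_pe(0x8664),
    "legacy.dll": build_sample_pe(0x014C),
    "old_tool.exe": b"MZ" + b"\0" * 200,              # MZ magic but no PE signature
    "invoice.pdf.exe": b"%PDF-1.7\n" + b"\0" * 64,    # double extension, PDF signature
    "tool.zip": b"PK\x03\x04" + b"\0" * 64,           # archived: only the ZIP signature shows
}


def classify_samples() -> dict:
    """Run identify_pe over every sample and return the verdicts keyed by file name."""
    return {name: identify_pe(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18} pe={verdict['is_pe']!s:5} machine={verdict['machine']} "
              f"stub_notice={verdict['dos_stub_notice']} ({verdict['reason']})")
```

identify_pe works on any byte string, so it can be pointed at the first few hundred bytes of a real file with open(path, "rb").read(512). Note that the extension never enters the decision: the PDF-with-.exe and the ZIP are rejected on their magic bytes, and the archive has to be extracted before its contents can be classified.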
