
Sunday, May 4, 2014

How to know if a file is binded

Table of contents

  • Introduction
  • The hex editor
  • How to check a non executable
  • How to check an executable
  • Conclusion

Introduction

I wrote this tutorial because I see many people asking whether a file is binded or not. If the file is not an executable it is very easy to detect; otherwise it can be a bit harder. The tool we are going to use for this tutorial is a hex editor. Later on I'll go into a bit more detail about hex editors, as there are many to choose from and some people might find it hard to understand what all the code in the hex editor means. Malware changes every day, and every day malware coders find better ways to make their malware undetectable. With that said, a method which is perfect today might be outdated tomorrow. Enjoy the tutorial!

The hex editor

The first question you might ask yourself is "What the fuck is a hex editor?". A hex editor is a computer program which allows a user to view and manipulate the raw bytes of a file. Sounds difficult, right? Well, it isn't. We do not need to go very deep into the hex editor.

The first thing we are going to do is download and install a hex editor. There are many different hex editors from many different coders and companies. I personally use Hex Workshop by BreakPoint Software, Inc.; however it is paid, so you could purchase it or obtain it illegally. If you are interested, see the main site. There are also many free hex editors around, for example HxD Hex Editor, which is one of the free hex editors I think is pretty good. Because of all the different types of hex editors I am not able to give you a step-by-step tutorial on how to install them and how to open a file. I am sure you'll find all the information you need on Google, and if you still can't manage, feel free to send me a message.

How to check a non executable

This is the easy part. Black hats often try to make the potential victim think a file is not an executable. What is an executable exactly? Well, an executable is a specific file type, just like .jpg and .mp3 are file types. To put it in terms your mom would understand: an executable is a program. The file types you have to look out for are .exe, .com and .scr. So if you have a file which does not have one of those extensions, this is the part for you.

There are many different ways to make a user think a file is not an executable. If you are unsure about a file, our hex editor comes into play. Open up your hex editor and open the file. Usually you can right-click a file and choose something along the lines of "Open file with hex editor x"; otherwise you'll have to open the hex editor and find where you can open the file. When you open a file you get a screen similar to this one:

[Image: 5FsH3.png]
You probably have no idea what all the code means. It is the raw binary content of the program, meaning we are now below coding level, so to speak. I'll say no more about the code as it'll only confuse people. The only thing we want to check are the first two or three bytes (the hex editor shows each byte as a pair of hex digits, with the matching characters on the right). These bytes tell the system what type of file it really is, regardless of the file extension. In the picture I put a red box around them. Of course we do not know by heart which signature belongs to which file format, but we can look this up very easily on a file-signature reference website. When we open the web page we can search manually or press "control" + "f" and search for the signature, in this case "MZ". We then see it is a Windows/DOS executable file. Huh? I opened a picture and it is an executable? The file is infected! This is the method I use for checking the real file type.
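The same check can be automated: read the first bytes of the file and compare the format they identify against what the file extension claims. The following script is an added example and is not part of the original post; the signature table covers only a handful of well-known formats (the "MZ" header from the tutorial plus common image, document and archive types), and the sample inputs are constructed in the `__main__` block rather than read from real files.

```python
import os
from typing import Optional, Tuple

# Well-known file signatures ("magic numbers"), all at offset 0.
# This is exactly what the tutorial inspects in the first bytes of the hex dump.
MAGIC_NUMBERS = {
    b"MZ": "Windows/DOS executable",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive",
}

# What each extension is supposed to contain. ".com" is left out on purpose:
# plain DOS .com files have no header signature to compare against.
EXPECTED_BY_EXTENSION = {
    ".exe": "Windows/DOS executable",
    ".scr": "Windows/DOS executable",
    ".dll": "Windows/DOS executable",
    ".png": "PNG image",
    ".jpg": "JPEG image",
    ".jpeg": "JPEG image",
    ".gif": "GIF image",
    ".pdf": "PDF document",
    ".zip": "ZIP archive",
}


def identify(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    # Longest signature first so a longer, more specific match always wins.
    for magic, kind in sorted(MAGIC_NUMBERS.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return kind
    return None


def check_extension(filename: str, data: bytes) -> Tuple[Optional[str], Optional[str], bool]:
    """Compare the format claimed by the extension with the format found in the bytes.

    Returns (expected, actual, mismatch). A mismatch is only reported when both
    sides are known; an unknown signature is not evidence either way.
    """
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_BY_EXTENSION.get(ext)
    actual = identify(data)
    mismatch = expected is not None and actual is not None and actual != expected
    return expected, actual, mismatch


def check_file(path: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Same check against a file on disk; only the first 16 bytes are needed."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return check_extension(path, head)


if __name__ == "__main__":
    # Constructed samples: a "picture" that really starts with an MZ header,
    # and a genuine JPEG header for comparison.
    fake_photo = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    real_photo = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"
    for name, blob in (("holiday.jpg", fake_photo), ("holiday.jpg", real_photo)):
        expected, actual, mismatch = check_extension(name, blob)
        verdict = "MISMATCH - executable disguised as " + expected if mismatch else "ok"
        print(f"{name}: claims {expected!r}, bytes say {actual!r}: {verdict}")
```

Run it against a real file with `check_file("path/to/file")`. The script mirrors the manual method exactly, so it inherits the same limit the tutorial states: a clean verdict here only means the header matches the extension, not that the file is safe.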

How to check an executable

This is the hardest part. We can use our hex editor for a very basic test. If the conclusion of this test is that the file is binded, it is binded; however, if the conclusion of the test is that the file is not binded, you cannot trust it! We again open up our hex editor. Instead of checking the first bytes, we will look for the line which says "This program cannot be run in DOS mode", as seen in the picture (it is highlighted):

[Image: W3ete.png]
If that line appears once, it is OK, but never trust this method on its own. If you use the search function of your hex editor (in my case by pressing "control" + "F") or search manually and you find that line multiple times, the file is binded!
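The search the tutorial describes can be made a little stricter in code: rather than counting the DOS-stub text alone, count every "MZ" header whose pointer at offset 0x3C actually lands on a "PE\0\0" signature, which is how a second executable joined onto the first shows up. This is an added example, not code from the original post. It assumes nothing beyond the standard PE layout (the e_lfanew field at offset 0x3C pointing at the PE signature); the `make_fake_pe` helper builds constructed, minimal PE-like images purely for the demonstration and produces nothing that runs.

```python
import struct
from typing import List

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
E_LFANEW_OFFSET = 0x3C  # DOS header field holding the offset of the "PE\0\0" signature
PE_SIGNATURE = b"PE\x00\x00"


def find_pe_headers(data: bytes) -> List[int]:
    """Return the offset of every MZ header whose e_lfanew points at a valid PE signature.

    A plain "MZ" in the middle of text or resources is ignored, because its
    e_lfanew will not land on "PE\\0\\0"; a genuine embedded executable will.
    """
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + E_LFANEW_OFFSET + 4 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)
            sig_at = pos + e_lfanew  # e_lfanew is relative to this image's own MZ
            if sig_at + 4 <= len(data) and data[sig_at:sig_at + 4] == PE_SIGNATURE:
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def count_dos_stub_strings(data: bytes) -> int:
    """The tutorial's own test: how many times the DOS stub message appears."""
    return data.count(DOS_STUB_TEXT)


def looks_binded(data: bytes) -> bool:
    """True when more than one complete PE header is present in the file."""
    return len(find_pe_headers(data)) > 1


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed demo image: MZ header, stub text, PE signature, then payload.

    It is not a loadable executable; it only reproduces the fields the scan reads.
    """
    pe_offset = 0x80
    header = bytearray(pe_offset)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, E_LFANEW_OFFSET, pe_offset)
    header[0x40:0x40 + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(header) + PE_SIGNATURE + payload


def scan_file(path: str) -> dict:
    """Run both checks on a file on disk and report the counts."""
    with open(path, "rb") as fh:
        data = fh.read()
    headers = find_pe_headers(data)
    return {
        "pe_headers": headers,
        "dos_stub_strings": count_dos_stub_strings(data),
        "looks_binded": len(headers) > 1,
    }


if __name__ == "__main__":
    # Constructed samples: a lone image, and two images joined back to back.
    single = make_fake_pe(b"host program body")
    joined = single + make_fake_pe(b"dropped second binary")
    for label, blob in (("single", single), ("joined", joined)):
        print(label, "PE headers at", find_pe_headers(blob),
              "stub strings:", count_dos_stub_strings(blob),
              "binded?", looks_binded(blob))
```

Use `scan_file("suspect.exe")` on a real file. Keep the tutorial's caveat in mind when reading the result: a second PE header proves an embedded executable is present, but a single header proves nothing, and legitimate installers also carry embedded binaries, so a hit is a reason to look further rather than a final verdict.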

There are no other really easy ways to tell whether a file is binded or not. Another method I found very good is covered in a separate tutorial.

Conclusion

In many cases it is very hard to detect malware, and it will always be difficult. If you aren't sure whether a file is malware or not, please let me or the members here help you before you infect yourself. Don't ever underestimate the damage malware can do to you.

Enjoy!
