

The SFX module is a minimal Windows PE file designed to execute the contents of the configuration script and extract the archive included in the created SFX file. The configuration script contains plaintext commands in configuration stanzas, and this helps creators kick off specialized installations.

Finally, the archive containing the content is the actual payload we want to retrieve.

These components fit together rather easily when a creator executes copy /b 7z-module.sfx + config.txt + archive.7z installer.exe. The SFX format assumes that all of these components are physically joined together, appended to the same file. This means we can unpack the SFX by looking for the magic header bytes of a 7z archive to retrieve the malicious payloads inside. To unpack the content of an SFX file, we can open the file in a hex editor and look for the magic bytes of a 7z archive: 37 7A BC AF 27 1C. Once we find those magic bytes, we can select all the bytes of the file from that header to the end of the file. After selection, we can copy those bytes and paste them into a new file to obtain the malicious payload. Once we've created the new payload file from the copied bytes, we can open it in any archive tool that supports 7z. The only difference is that our ending payload.7z archive will be password protected. If you have the password, it's trivial to extract from there.
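The hex-editor procedure above can be scripted for triage. The following Python is an added example, not code from the original article: it scans a file for the 7z signature (37 7A BC AF 27 1C), validates the 32-byte 7z start header that follows it (version byte, start-header CRC, and that the next-header offset and size actually fit inside the remaining bytes), and carves from the first signature that passes to the end of the file. The validation step matters because the signature bytes may also occur inside the SFX stub itself; a bare search would then carve from the wrong place. The sample SFX built by build_sample_sfx() is constructed here for the demonstration (a fake PE stub containing a decoy signature, a configuration stanza in the form 7-Zip's SFX module uses, and a minimal but header-valid 7z archive); it is not a real installer and its packed streams are zero filler.

```python
import struct
import zlib
from typing import List, Optional

# Magic bytes of a 7z archive, as quoted in the article.
SEVENZ_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"
# 7z start header: signature(6) + version(2) + StartHeaderCRC(4)
# + NextHeaderOffset(8) + NextHeaderSize(8) + NextHeaderCRC(4) = 32 bytes.
START_HEADER_LEN = 32


def find_7z_offsets(data: bytes) -> List[int]:
    """Return every offset at which the 7z signature occurs in data."""
    offsets = []
    pos = data.find(SEVENZ_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(SEVENZ_MAGIC, pos + 1)
    return offsets


def start_header_is_valid(data: bytes, offset: int) -> bool:
    """Check that a plausible 7z start header begins at offset.

    Verifies the archive format major version is 0, the StartHeaderCRC
    matches the 20 bytes it covers, and the next header lies inside data.
    """
    if offset + START_HEADER_LEN > len(data):
        return False
    hdr = data[offset:offset + START_HEADER_LEN]
    major, _minor, start_crc, next_off, next_size, _next_crc = struct.unpack(
        "<BBIQQI", hdr[6:]
    )
    if major != 0:
        return False
    if (zlib.crc32(hdr[12:]) & 0xFFFFFFFF) != start_crc:
        return False
    end_of_archive = offset + START_HEADER_LEN + next_off + next_size
    return end_of_archive <= len(data)


def carve_7z(data: bytes) -> Optional[bytes]:
    """Return the bytes from the first valid 7z header to end of file, or None."""
    for off in find_7z_offsets(data):
        if start_header_is_valid(data, off):
            return data[off:]
    return None


def carve_7z_file(sfx_path: str, out_path: str) -> bool:
    """Carve the appended archive out of an SFX on disk; True on success."""
    with open(sfx_path, "rb") as fh:
        payload = carve_7z(fh.read())
    if payload is None:
        return False
    with open(out_path, "wb") as fh:
        fh.write(payload)
    return True


def build_sample_sfx() -> bytes:
    """Constructed sample: stub (with a decoy signature) + config + 7z archive."""
    # Fake stub: MZ header, padding, a decoy signature followed by bytes that
    # cannot be a valid start header (major version 0xFF), more padding.
    stub = b"MZ" + b"\x90" * 60 + SEVENZ_MAGIC + b"\xff" * 26 + b"\x00" * 100
    # Configuration stanza in the form 7-Zip's SFX module reads (constructed).
    config = b';!@Install@!UTF-8!\r\nRunProgram="setup.exe"\r\n;!@InstallEnd@!\r\n'
    # Minimal archive whose start header is internally consistent.
    packed_streams = b"\x00" * 40           # filler standing in for packed data
    next_header = b"\x17\x06\x01\x00"       # filler standing in for the encoded header
    next_crc = zlib.crc32(next_header) & 0xFFFFFFFF
    tail = struct.pack("<QQI", len(packed_streams), len(next_header), next_crc)
    start_crc = zlib.crc32(tail) & 0xFFFFFFFF
    archive = (SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", start_crc)
               + tail + packed_streams + next_header)
    return stub + config + archive


if __name__ == "__main__":
    sample = build_sample_sfx()
    print("signature offsets:", find_7z_offsets(sample))
    carved = carve_7z(sample)
    print("carved archive length:", None if carved is None else len(carved))
```

The carved bytes can then be opened with any 7z-capable archive tool; if the payload is password protected, the carve still succeeds because only the start header is read, and the password is needed only at extraction time.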
