A PoC PE dumper designed to pull (potentially malicious) extra binaries stored in programs.
skidaim/byte_stinker
byte_stinker

A PoC PE dumper designed to pull (potentially malicious) extra binaries stored in programs.

Information

This program does the following:

  • Loop through the entire size of the process
  • Look for "MZ" occurrences
  • Verify that it is not the main program (the first MZ header)
  • Copy the PE file to a desktop location.

Extra

Please note that this assumes all binaries are .exe files and supports x64 binaries only (support for other cases should be easy to implement within 3 minutes).

If the binary is packed, you will need to dump the process's memory before trying to use byte_stinker.

It assumes that the binary is x64 (an update to detect the file type will be released later).

For more on the PE format, refer to: PE Format

Demonstration

Example (image)

Input arguments: byte_stinker pe_location output_path_name

Disclaimer: I do not plan on updating this anymore. I may plan on creating a separate branch for runtime-based scans through all modules of a specified process, but only if I have time. You can easily distinguish what is a DLL/EXE/System File by either its imports or its PE characteristics (IMAGE_FILE_DLL, IMAGE_FILE_SYSTEM, etc.).
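As an added example (not code from the byte_stinker repository), the scan from the Information section in C++: every "MZ" after offset 0 is checked for a sane e_lfanew and a "PE\0\0" signature before being treated as an embedded PE, and the file header's Machine and Characteristics fields are read, which is what the x86/x64 and DLL/EXE distinction mentioned above comes down to. The struct and function names are my own, the sample host image is constructed inline, and a little-endian host is assumed.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
struct EmbeddedPe {            // assumes a little-endian host, like the PE format itself
    size_t offset;             // where the "MZ" header sits inside the scanned buffer
    uint16_t machine;          // IMAGE_FILE_HEADER.Machine: 0x8664 = x64, 0x14c = x86
    uint16_t characteristics;  // IMAGE_FILE_HEADER.Characteristics (0x2000 = IMAGE_FILE_DLL)
};

// True if buf[off..] starts a structurally plausible PE: "MZ", sane e_lfanew, "PE\0\0".
static bool parse_pe_at(const std::vector<uint8_t>& buf, size_t off, EmbeddedPe& out) {
    if (off + 0x40 > buf.size() || buf[off] != 'M' || buf[off + 1] != 'Z') return false;
    uint32_t e_lfanew = 0;
    std::memcpy(&e_lfanew, &buf[off + 0x3C], 4);
    if (e_lfanew < 0x40 || e_lfanew > 0x1000) return false;  // must pass the DOS header; bound rejects noise
    size_t nt = off + e_lfanew;  // NT headers: 4-byte "PE\0\0" + 20-byte IMAGE_FILE_HEADER
    if (nt + 24 > buf.size() || std::memcmp(&buf[nt], "PE\0\0", 4) != 0) return false;
    out.offset = off;
    std::memcpy(&out.machine, &buf[nt + 4], 2);
    std::memcpy(&out.characteristics, &buf[nt + 22], 2);
    return true;
}

// Scan every "MZ"; offset 0 is the host's own header and is skipped, and each hit is validated.
std::vector<EmbeddedPe> find_embedded_pes(const std::vector<uint8_t>& buf) {
    std::vector<EmbeddedPe> found;
    for (size_t i = 1; i + 1 < buf.size(); ++i) {
        EmbeddedPe pe{};
        if (buf[i] == 'M' && buf[i + 1] == 'Z' && parse_pe_at(buf, i, pe)) found.push_back(pe);
    }
    return found;
}

// Constructed sample: minimal DOS header + NT signature + file header, no sections.
std::vector<uint8_t> make_minimal_pe(uint16_t machine, uint16_t characteristics) {
    std::vector<uint8_t> pe(0x40 + 24, 0);
    pe[0] = 'M'; pe[1] = 'Z';
    pe[0x3C] = 0x40;  // e_lfanew (little-endian; upper bytes stay zero)
    std::memcpy(&pe[0x40], "PE\0\0", 4);
    std::memcpy(&pe[0x44], &machine, 2);
    std::memcpy(&pe[0x40 + 22], &characteristics, 2);
    return pe;
}

// Constructed host: its own x64 EXE header, a stray "MZ" in text, then an embedded x86 DLL.
std::vector<uint8_t> build_sample_host() {
    std::vector<uint8_t> host = make_minimal_pe(0x8664, 0x0022), dll = make_minimal_pe(0x14c, 0x2102);
    const char noise[] = "MZ is just text here";
    host.insert(host.end(), noise, noise + sizeof(noise) - 1);
    host.insert(host.end(), dll.begin(), dll.end());
    return host;
}
```

The stray "MZ" in the text region is rejected because its e_lfanew does not point at a "PE\0\0" signature, while the embedded DLL is reported with its Machine and Characteristics so the caller can decide whether to carve it.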

Languages

  • C++ 100.0%