ResourceHacker

From aldeid

Description

Resource Hacker is a freeware utility to view, modify, rename, add, delete and extract resources in 32-bit and 64-bit Windows executables and resource files (*.res). It incorporates an internal resource script compiler and decompiler and works on all (Win95 - Win7) Windows operating systems.

Installation

Download the program from the following location: http://www.angusj.com/resourcehacker/reshack_setup.exe

Usage

To analyze an executable, go to the File > Open menu and select the executable you want to analyze. Here is an example of what it looks like:

[Screenshot: Resourcehacker.png]

  1. The left panel shows the different sections
  2. The right panel shows the content of the section that is selected
  3. The bottom right panel shows what the image looks like

The above example is the analysis of a variant of the Kazy trojan (https://www.virustotal.com/fr/file/904fae7a8d67b03f503de75dfd1db10cacfe7d47c4f63ce7d67717a1e4e4a87d/analysis/). Section 1 shows that the executable has been packed in a fake Mplayer (the default Windows Media Player) executable and that it seems to originate from Russia (section 2).
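The same type / name / language tree that a resource viewer displays can be walked in a script during triage. The following is an added example, not part of the original page or of Resource Hacker: it parses the raw bytes of a PE resource section and lists each resource with its language ID, skipping malformed entries such as a directory that loops back to the root. The `SAMPLE` bytes, the RVA and the size are constructed for illustration and are not taken from the Kazy sample; all function names are hypothetical.

```python
import struct

SUBDIR = 0x80000000  # high bit: named entry (in the ID field) or subdirectory (in the offset field)
RT_NAMES = {3: "ICON", 14: "GROUP_ICON", 16: "VERSION", 24: "MANIFEST"}
LANG_NAMES = {0x0409: "English (United States)", 0x0419: "Russian (Russia)"}

def walk(rsrc, offset=0, path=()):
    """Yield (type, name, lang, data_rva, size) for each leaf of a resource tree."""
    # IMAGE_RESOURCE_DIRECTORY: the two entry counts sit at offsets 12 and 14
    named, ids = struct.unpack_from("<HH", rsrc, offset + 12)
    for i in range(named + ids):
        ident, target = struct.unpack_from("<II", rsrc, offset + 16 + 8 * i)
        if ident & SUBDIR:  # named entry: length-prefixed UTF-16 string
            pos = ident & 0x7FFFFFFF
            (count,) = struct.unpack_from("<H", rsrc, pos)
            ident = rsrc[pos + 2:pos + 2 + 2 * count].decode("utf-16-le")
        if target & SUBDIR and len(path) < 2:
            yield from walk(rsrc, target & 0x7FFFFFFF, path + (ident,))
        elif not target & SUBDIR and len(path) == 2:
            # IMAGE_RESOURCE_DATA_ENTRY starts with the data RVA and its size
            rva, size = struct.unpack_from("<II", rsrc, target)
            yield (*path, ident, rva, size)
        # anything else (a leaf too high up, a directory nested deeper than
        # three levels, a cycle) is malformed and is skipped

def describe(rsrc):
    """Return one readable line per resource, as a viewer's tree would show it."""
    return [f"{RT_NAMES.get(t, t)}/{n} lang={LANG_NAMES.get(l, l)} rva={rva:#x} size={size}"
            for t, n, l, rva, size in walk(rsrc)]

def make_dir(*entries):
    """Build a directory header followed by ID entries (used for the sample only)."""
    head = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return head + b"".join(struct.pack("<II", i, t) for i, t in entries)

# Constructed sample: one GROUP_ICON resource, name 1, language 0x0419,
# plus a bogus language entry that points back to the root directory.
SAMPLE = (
    make_dir((14, SUBDIR | 24))                        # offset 0: type level
    + make_dir((1, SUBDIR | 48))                       # offset 24: name level
    + make_dir((0x0409, SUBDIR | 0), (0x0419, 80))     # offset 48: language level
    + struct.pack("<IIII", 0x4000, 0x128, 0, 0)        # offset 80: data entry
)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

The language ID is set by whoever built the file, so treat it as a hint about origin rather than proof.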