Checking file signature/magic number


Problem description

Hi, I've recently been searching, and working on a way to find a file type.
Say for example, I have a file called "myFile1.exe", and then the extension of the file were removed, so it became "myFile1".
By reading the file bytes or by other means, checking the "Magic number" of the PE it will show "4D 5A 00 .." which works perfectly. However, if I create a blank document file and type "4D 5A ..", my code will still recognize it as an executable file which in reality, it's just a blank text file. How to verify it is actually the signature of the file?
I am using C#.
Thanks for your time

What I have tried:

Imports System.IO
Imports System.Linq

' Hex-dump the whole file and compare the first bytes as text
Dim arrayString As String = String.Join(" ", File.ReadAllBytes("filePath").Select(Function(b) b.ToString("X2")).ToArray())
If arrayString.StartsWith("4D 5A") Then 'Checking against the signatures list
    MsgBox("File is an executable file")
End If

Solutions

Don't convert your data to strings and compare them: check the bytes directly.
Imports System.IO

Dim data As Byte() = File.ReadAllBytes("filePath")
' A two-byte file is enough to hold "MZ": require at least 2 bytes, then compare bytes, not strings
If data.Length >= 2 AndAlso data(0) = &H4D AndAlso data(1) = &H5A Then
    Console.WriteLine("It's an EXE")
End If

In this case, it doesn't help much, because a text file with the first two letters "MZ" is even easier to "fake".
You can't easily tell anything else, because an executable file is basically just a set of bytes, which can be executed by the system - and there is nothing stopping you executing text files, provided they start with MZ and have a .EXE extension. They probably won't do anything useful, but...
You could start looking closer at potential EXE files, and making sure the data is valid...but that gets very complex, especially given that an EXE file could be 16 bit (archaic), 32 bit, or 64 bit and the data organisation isn't the same for them all. Additionally, not all MZ "executable" files are EXEs - DLLs also start with "MZ", but don't contain a Main method so they can't be directly executed.

If you really want to do this and get it right, then you probably want to get a copy of the Windows Internals book and do a lot of long hard reading!


Quote:

By reading the file bytes or by other means, checking the "Magic number" of the PE it will show "4D 5A 00 .." which works perfectly. However, if I create a blank document file and type "4D 5A ..", my code will still recognize it as an executable file which in reality, it's just a blank text file. How to verify it is actually the signature of the file?

That is the problem with magic signatures: they are not reliable!
To improve reliability, you also have to check that the variable part of the file conforms to the structure of the expected type of file. The variable part is variable in content and in structure (no fixed size).


There is no way to recognize a file as a valid PE file by looking at 2 or a few more bytes.

As to the "extension", this is, strictly speaking, a historical notion which is still conveniently used. It came from historical file systems where all files had an "extension". In modern systems, there is only a file name, and none of the file name parts have special meaning. PE files use many naming patterns, such as *.DLL, *.EXE, *.so, and a lot more: Portable Executable — Wikipedia, the free encyclopedia.

Now, 0x4D5A (MZ) cannot guarantee that this is a valid PE file. These are the first two bytes of the so-called "DOS magic number". The idea is to check the signature and throw out all other files. You really validate that the file is valid only if you try to load the whole file. For some detail on the file layout, see, for example, The Portable Executable File Format from Top to Bottom.

—SA
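Worked example, added here and not part of any of the three answers above: a C# check that does what the first and third answers describe in words and the second answer asks for (checking the "variable part" against the expected structure). Instead of stopping at the on-disk bytes 4D 5A ("MZ"), it follows the DOS header's e_lfanew field (offset 0x3C) to the "PE\0\0" signature, bounds-checks every offset before reading it, and then reads the COFF Characteristics and the optional-header magic to tell PE32 from PE32+ and EXE from DLL. The type and method names (PeCheck, Classify, ClassifyFile, BuildSampleHeaders) and the sample header bytes are constructed for this example; the offsets and constants come from the PE/COFF format. Since the question was tagged C# rather than the VB.NET of the posted snippets, the example is in C#.

```csharp
// Added example, not from the original Q&A. Assumes .NET with System.IO/System.Text available.
using System;
using System.IO;
using System.Text;

public enum PeKind { NotPe, Exe32, Exe64, Dll32, Dll64 }

public static class PeCheck
{
    // Sizes and offsets from the PE/COFF specification.
    private const int DosHeaderSize = 64;           // IMAGE_DOS_HEADER
    private const int LfanewOffset = 0x3C;          // e_lfanew: file offset of "PE\0\0"
    private const int CoffHeaderSize = 20;          // IMAGE_FILE_HEADER
    private const ushort ImageFileExecutable = 0x0002; // IMAGE_FILE_EXECUTABLE_IMAGE
    private const ushort ImageFileDll = 0x2000;     // IMAGE_FILE_DLL in Characteristics
    private const ushort Pe32Magic = 0x10B;         // IMAGE_NT_OPTIONAL_HDR32_MAGIC
    private const ushort Pe32PlusMagic = 0x20B;     // IMAGE_NT_OPTIONAL_HDR64_MAGIC

    public static PeKind Classify(byte[] data)
    {
        // 1. DOS header: "MZ" and enough bytes to hold e_lfanew at all.
        if (data.Length < DosHeaderSize) return PeKind.NotPe;
        if (data[0] != (byte)'M' || data[1] != (byte)'Z') return PeKind.NotPe;

        // 2. e_lfanew must point past the DOS header and leave room for
        //    signature (4) + COFF header (20) + optional-header magic (2).
        int lfanew = BitConverter.ToInt32(data, LfanewOffset);
        if (lfanew < DosHeaderSize || lfanew > data.Length - (4 + CoffHeaderSize + 2)) return PeKind.NotPe;

        // 3. "PE\0\0" signature at e_lfanew. A text file that merely starts with "MZ" fails here
        //    (or already at step 2, because its bytes at 0x3C point outside the file).
        if (data[lfanew] != (byte)'P' || data[lfanew + 1] != (byte)'E' ||
            data[lfanew + 2] != 0 || data[lfanew + 3] != 0) return PeKind.NotPe;

        // 4. COFF header sanity: a loadable image has sections and an optional header.
        int coff = lfanew + 4;
        ushort numberOfSections = BitConverter.ToUInt16(data, coff + 2);
        ushort sizeOfOptionalHeader = BitConverter.ToUInt16(data, coff + 16);
        ushort characteristics = BitConverter.ToUInt16(data, coff + 18);
        if (numberOfSections == 0 || sizeOfOptionalHeader < 2) return PeKind.NotPe;
        if ((characteristics & ImageFileExecutable) == 0) return PeKind.NotPe;

        // 5. Optional-header magic selects PE32 (32-bit) vs PE32+ (64-bit); the DLL flag tells EXE from DLL.
        ushort magic = BitConverter.ToUInt16(data, coff + CoffHeaderSize);
        bool isDll = (characteristics & ImageFileDll) != 0;
        switch (magic)
        {
            case Pe32Magic: return isDll ? PeKind.Dll32 : PeKind.Exe32;
            case Pe32PlusMagic: return isDll ? PeKind.Dll64 : PeKind.Exe64;
            default: return PeKind.NotPe;
        }
    }

    public static PeKind ClassifyFile(string path) => Classify(File.ReadAllBytes(path));

    // Constructed sample input: minimal DOS + PE + COFF headers and the optional-header magic.
    // It has no sections or code, so it is only enough to exercise the checks above.
    public static byte[] BuildSampleHeaders(bool dll, bool is64)
    {
        var buf = new byte[DosHeaderSize + 4 + CoffHeaderSize + 2];
        buf[0] = (byte)'M'; buf[1] = (byte)'Z';
        BitConverter.GetBytes(DosHeaderSize).CopyTo(buf, LfanewOffset);            // e_lfanew = 64
        Encoding.ASCII.GetBytes("PE\0\0").CopyTo(buf, DosHeaderSize);             // PE signature
        int coff = DosHeaderSize + 4;
        BitConverter.GetBytes((ushort)(is64 ? 0x8664 : 0x14C)).CopyTo(buf, coff);  // Machine: AMD64 / I386
        BitConverter.GetBytes((ushort)1).CopyTo(buf, coff + 2);                     // NumberOfSections
        BitConverter.GetBytes((ushort)(is64 ? 240 : 224)).CopyTo(buf, coff + 16);  // SizeOfOptionalHeader
        ushort chars = (ushort)(dll ? ImageFileExecutable | ImageFileDll : ImageFileExecutable);
        BitConverter.GetBytes(chars).CopyTo(buf, coff + 18);                        // Characteristics
        BitConverter.GetBytes(is64 ? Pe32PlusMagic : Pe32Magic).CopyTo(buf, coff + CoffHeaderSize);
        return buf;
    }

    public static void Main()
    {
        // A "text file" that starts with MZ: long enough to hold e_lfanew, but the bytes there
        // ('AAAA' = 0x41414141) point far outside the file, so it is rejected.
        Console.WriteLine(Classify(Encoding.ASCII.GetBytes("MZ".PadRight(100, 'A'))));  // NotPe
        Console.WriteLine(Classify(BuildSampleHeaders(dll: false, is64: true)));         // Exe64
        Console.WriteLine(Classify(BuildSampleHeaders(dll: true, is64: false)));         // Dll32
    }
}
```

This rejects the "MZ followed by text" case from the question and reports the 32/64-bit and EXE/DLL distinctions the first answer warns about, but, as the third answer says, only loading or fully parsing the image proves it is valid; on .NET, System.Reflection.Metadata's PEReader is one way to do that fuller parse without executing anything.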

