Monday, July 21, 2008

Magic bytes

File type detection is crucial when attempting to block specific file types from being downloaded in a corporate environment for security or legal reasons. Renaming a file's extension is a rudimentary way of bypassing security filters, yet it is still surprisingly effective in certain scenarios. Ever tried sending an executable file over the MSN network? The Windows Live Messenger client will display the error message "The file you attempted to send has been detected as potentially unsafe and was not sent." Have you tried renaming .exe to .doc? OMG... it works!!!
This is a perfect example of why filtering by file extension is weak. The more sophisticated and effective method of file type detection is "magic bytes" matching: certain files can be uniquely identified by either their file header alone or by the combination of their file header and file footer. An executable file will have the hex values "4D 5A", or their ASCII equivalent "MZ", at the beginning of the file.

PDF files, on the other hand, are identified by the combination of their file header and file footer.

Don't believe me? Give it a go. Download HxD Hex Editor to view files in hex, then try renaming a file's extension: you will see that the file contents do not change.
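To show how a filter would apply the idea above instead of trusting the extension, here is an added example (not code from the original post) that checks the "MZ" header for executables and the "%PDF" header plus "%%EOF" footer for PDFs, then flags a file whose claimed extension disagrees with its content; the sample byte strings are constructed for the demo.

```python
import os
from typing import Optional

# Header signatures from the post: executables start with 4D 5A ("MZ"),
# PDFs start with "%PDF". PDF additionally needs its "%%EOF" footer.
HEADER_SIGNATURES = {
    b"MZ": "exe",
    b"%PDF": "pdf",
}
FOOTER_SIGNATURES = {
    "pdf": b"%%EOF",
}
# Extensions that legitimately carry each content type ("MZ" also
# covers DLLs and screensavers, so those are not mismatches).
ALLOWED_EXTENSIONS = {
    "exe": {"exe", "dll", "scr"},
    "pdf": {"pdf"},
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the type implied by the magic bytes, or None if unknown."""
    for magic, ftype in HEADER_SIGNATURES.items():
        if not data.startswith(magic):
            continue
        footer = FOOTER_SIGNATURES.get(ftype)
        # Tolerate the trailing newline/whitespace that PDF writers emit after %%EOF.
        if footer is not None and not data.rstrip(b"\r\n ").endswith(footer):
            return None
        return ftype
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the claimed extension is not valid for the detected content type."""
    detected = detect_type(data)
    if detected is None:
        return False  # unknown content: nothing to compare against
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return ext not in ALLOWED_EXTENSIONS[detected]


# Constructed samples, not real files: a minimal MZ prefix and a skeletal PDF.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("report.doc", SAMPLE_EXE), ("report.pdf", SAMPLE_PDF)]:
        verdict = "MISMATCH" if extension_mismatch(name, blob) else "ok"
        print(f"{name}: detected={detect_type(blob)} {verdict}")
```

Renaming the executable sample to report.doc is caught because the content still starts with "MZ", which is exactly what the hex editor shows.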
