Magic bytes

File type detection is crucial when attempting to block specific file types from being downloaded in a corporate environment for security or legal reasons. File extension renaming is a rudimentary method of bypassing security filters but yet it is surprisingly still effective in certain scenarios. Ever tried sending an executable file over the MSN network? The Windows Live Messenger client will display an error message "The file you attempted to send has been detected as potentially unsafe and was not sent.". Have you tried renaming .exe to .doc? OMG... it works!!!
Perfect example why filtering by file extension name is weak. The more sophisticated and effective method of file type detection is "magic bytes" matching. Certain files can be uniquely identified by either their file header or file header and file footer combination. An executable file will have the hex values of "4D 5A" or its ASCII equivalent of "MZ" at the beginning of the file.

PDF files on the other hand can be identified by their file header and footers.

Don't believe me? Give it a go. Download HxD Hex Editor to view files in Hex format. Try renaming file extensions and you will see that the file contents do not change.
at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

dnssecaudit.py

Since I was on a roll with Copilot, I decided to automate DNSSEC auditing with the following Python script. Not the most creative tool name....

  • "An error occured in avast! engine: Invalid argument"
    This annoying message popped up after I ran the update in avast! in Ubuntu yesterday. avast! crashes every time I attempt to launch it after...
  • Encrypted mails
    I decided to install a digital certificate for my Gmail account. This is simple and free to set up. Apply for a free certificate from Comod...