My Road to Digital Forensics Excellence

PE Extraction

Posted by Paul Bobby on November 4, 2008

In a recent case I am working I had the need to extract executable files from captured physical memory and from unallocated space. The Volatility framework is capable of extracting from Physical Memory (yep even captured memory from Encase with a couple of steps thrown in), but accurate executable carving from UA is not accurate.

Whether using the File Carving enscript or Scalpel, or whatever, the process of extraction does not attempt to validate the PE prior to extraction, and to extract only the correct filesize. I didn’t have time to mess with this system, I wanted actual executables I could hash, analyze and compare against known malware sets.

The only problem with extraction from UA is that the executable could be fragmented across UA – and there’s nothing I can do about that unfortunately.

Here’s my algorithm; it’s somewhat simplistic I know, so please, offer suggestions for improvement.

1. Search for the signature ‘MZ’ (Case sensitive) or ‘\x4d\x5a’ (GREP)

2. For each search hit, perform the following two tests to determine if we have an executable

2a. Does the word ‘Program’ exist in the 64bytes Offset 64 from the search hit


I’ve seen two possibilities for this section, either

  • This program cannot be run in DOS mode, or
  • This program must be run under Win32

2b. Verify that the PE signature is in the right place

  • The Address of the EXE header is found 60 bytes from the start of the file


  • Determine if the PE signature is at this location


  • These are just two simple tests, that if the search hit passes, we proceed to the next step.

3. Exporting a validated Executable is a matter of calculating the number of Code Sections present in the Executable, the size of each section, and then exporting enough bytes to cover it (plus 1024bytes for the PE header structure).

3a. How many sections?


We have three sections to enumerate. Here’s what I mean by sections:


8 bytes for each section name, 40 bytes per section name.

The section length is found 16bytes from the start of any given section:


This section is 00007800bytes (hex) in length or 30,720bytes.

4. Once the final count is known, it is a simple matter of creating a LocalFileClass object in Enscript, and writing out each byte to a local file.

The complete source code is tracked in this thread. The enscript is more of a demonstration; I plan on expanding the usefulness to carving out specific Executable files, such as Packed files etc.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: