Bentley, Peter ORCID: 0000-0002-6438-0028 (2023) The Use of File Size Parity of Windows .exes and .dlls as a Malware Indicator of Compromise. Discussion Paper. University of Gloucestershire, Cheltenham, UK. (Unpublished)
Text: 12778 BENTLEY Peter (2023) Executable File Sizes v1.0.pdf (Published Version, 163kB). Available under License All Rights Reserved.
Abstract
To gain persistence on Windows machines, some Advanced Persistent Threats (APTs) hide their malware in plain sight as standalone files. It is inferred from Microsoft documentation that Portable Executable (PE) file length should be even. This paper documents the analysis of .exe and .dll file length parity on three versions of the Windows operating system. It uses simple techniques to analyse the parity of .exe and .dll file lengths and demonstrates that not all are of even length. Odd file length may therefore be used as an indicator of compromise, and such an indicator was found on one machine.
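The parity check described in the abstract, written out as a small triage scanner. This is an added example and not code from the paper or its author; the abstract does not say how the files were enumerated, so the PE-signature check (MZ header plus `PE\0\0` at the `e_lfanew` offset, so that renamed non-PE files are not counted), the `find_odd_pes`/`scan_tree` helpers and the constructed sample byte strings are this example's own assumptions.

```python
"""Flag .exe/.dll files whose byte length is odd (added example, not the paper's code).

Premise from the paper: PE files are expected to have even length, so an
odd-length .exe or .dll is a candidate indicator of compromise.  The
signature check and the helper names below are this example's assumptions.
"""
import os
import struct
import sys
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Tuple

DEFAULT_EXTS = (".exe", ".dll")


def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def size_parity(data: bytes) -> str:
    """'even' or 'odd' according to the byte length of the file contents."""
    return "even" if len(data) % 2 == 0 else "odd"


def classify(data: bytes) -> dict:
    """Summarise one file: is it a PE, how long is it, and does it trip the parity indicator."""
    pe = is_pe(data)
    return {
        "is_pe": pe,
        "size": len(data),
        "parity": size_parity(data),
        # Only a real PE with an odd length is flagged; odd-length non-PE data is ignored.
        "flag": pe and len(data) % 2 == 1,
    }


def find_odd_pes(files: Dict[str, bytes], exts: Iterable[str] = DEFAULT_EXTS) -> List[Tuple[str, int]]:
    """Pure version of the scan: takes {name: contents}, returns [(name, size)] for flagged PEs."""
    exts = tuple(e.lower() for e in exts)
    hits = []
    for name, data in files.items():
        if os.path.splitext(name)[1].lower() in exts and classify(data)["flag"]:
            hits.append((name, len(data)))
    return hits


def scan_tree(root: str, exts: Iterable[str] = DEFAULT_EXTS) -> Iterator[Tuple[Path, int]]:
    """Walk a directory tree and yield (path, size) for odd-length PE files (unreadable files skipped)."""
    exts = tuple(e.lower() for e in exts)
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in exts or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # locked or permission-denied files are simply not assessed
        if classify(data)["flag"]:
            yield path, len(data)


def make_sample_pe(size: int) -> bytes:
    """Construct a minimal byte string that satisfies is_pe(), zero-padded to `size` bytes (test data only)."""
    if size < 0x44:
        raise ValueError("need at least 0x44 bytes for the MZ header plus PE signature")
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> immediately after the header
    data = bytes(hdr) + b"PE\x00\x00"
    return data + b"\x00" * (size - len(data))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p, n in scan_tree(sys.argv[1]):
            print(f"ODD-LENGTH PE: {p} ({n} bytes)")
    else:
        # Constructed demo input: one odd-length PE, one even-length PE, one odd-length non-PE.
        demo = {"a.exe": make_sample_pe(201), "b.dll": make_sample_pe(200), "c.exe": b"x" * 201}
        print(find_odd_pes(demo))
```

Run it as `python parity_scan.py C:\Windows\System32` (the script name is a placeholder) to list candidates; an odd length is a triage lead rather than a verdict, so confirm a hit with hash lookup or Authenticode signature verification before acting on it.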
Item Type: Monograph (Discussion Paper)
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science; Q Science > QA Mathematics > QA76 Computer software
Divisions: Schools and Research Institutes > School of Business, Computing and Social Sciences
Research Priority Areas: Applied Business & Technology
Depositing User: Peter Bentley
Date Deposited: 25 May 2023 15:36
Last Modified: 31 Aug 2023 08:00
URI: https://eprints.glos.ac.uk/id/eprint/12778