The Use of File Size Parity of Windows .exes and .dlls as a Malware Indicator of Compromise

Bentley, Peter ORCID: 0000-0002-6438-0028 (2023) The Use of File Size Parity of Windows .exes and .dlls as a Malware Indicator of Compromise. Discussion Paper. University of Gloucestershire, Cheltenham, UK. (Unpublished)

12778 BENTLEY Peter (2023) Executable File Sizes v1.0.pdf - Published Version
Available under License All Rights Reserved.

Download (163kB) | Preview


To gain persistence on Windows machines, some Advanced Persistent Threats (APTs) hide their malware in plain sight as standalone files. It is inferred from Microsoft documentation that Portable Executable (PE) file length should be even. This paper documents the analysis of .exe and .dll file length parity on three versions of Windows operating systems. It uses simple techniques to analyse the parity of .exe and .dll files and demonstrates that not all are of even length file. This may be used as an indicator of compromise and found such on one machine.

Item Type: Monograph (Discussion Paper)
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Q Science > QA Mathematics > QA76 Computer software
Divisions: Schools and Research Institutes > School of Business, Computing and Social Sciences
Research Priority Areas: Applied Business & Technology
Depositing User: Peter Bentley
Date Deposited: 25 May 2023 15:36
Last Modified: 31 Aug 2023 08:00

University Staff: Request a correction | Repository Editors: Update this record

University Of Gloucestershire

Bookmark and Share

Find Us On Social Media:

Social Media Icons Facebook Twitter Google+ YouTube Pinterest Linkedin

Other University Web Sites

University of Gloucestershire, The Park, Cheltenham, Gloucestershire, GL50 2RH. Telephone +44 (0)844 8010001.