This new version of my PE file analysis tool pecheck.py brings more info when locating PE files inside arbitrary files (option -l P).
2 columns are added to the list of located PE files: original filename (version information) and DLL name (export section).
This can be used, for example, to detect Cobalt Strike beacons inside process dumps. Like in the following example, where the DLL name is beacon.dll:
pecheck-v0_7_12.zip (https)
MD5: 0AF2A99DD5AF742C9B688466EE3087C5
SHA256: 10B3B6903AB52381F7C8687F8284270CE060983CA001B4FC5DD88174744B705F