Extracting EXE file (in HTTP stream) from captured packets file with Wireshark

2012.09.09

When you hunt for malware, it is a common situation to end up with a lot of tcpdump files in which the whole infection process is saved step by step.

No matter what tool you use for dumping this traffic, you can always view it later with Wireshark.

Today I was testing BHEK for malicious payloads when the malware-distributing host “suddenly” died. And part of the samples I had still not archived for future reversing!

But wait a minute: the sniffer dump file! I just need to extract the data. But how?

If you have a transfer via FTP, you can see the post by Benjamin S. Williams about “Extracting Files from Packet Captures”.

Since malware rarely uses FTP for payload delivery, this way did not work for me.

So I invented my own. Open Wireshark, right-click on one of the packets from the stream that contains the exe file and choose “Follow TCP Stream”.

In the bottom drop-down menu, instead of “Entire conversation”, choose only the server response that contains the exe file:

Then choose “Save as” to save the stream to disk. Call it dump (without extension).

Ok, now we have a file with the server HTTP response, which contains the HTTP header and the executable.

We’ll need a hex editor. I use GHex; you can choose whatever tool you like.

We open the dumped file and remove the whole HTTP header from it:

Before:

After:

If you don’t have reversing experience yet, you may notice that executables on Microsoft systems usually start with MZ, or 4D 5A in hex, named after Mark Zbikowski 🙂

Now we need to save the extracted file with the proper extension and start to reverse/debug/execute it in a VM.

Save as – dump.exe

Done and done!
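The hex-editor step above can be automated: everything before the first blank line (CRLF CRLF) is the HTTP header, and what follows should begin with MZ. This is an added example, not code from the original post; the sample response bytes are constructed here, and the file names on the command line are assumptions.

```python
"""Carve an executable out of a raw HTTP response saved from Wireshark's
"Follow TCP Stream" dialog (server-to-client direction only, as in the post).
Added example: strips the header, honours Content-Length or chunked
transfer encoding, and checks that the body starts with the MZ signature."""
import re
import sys

MZ = b"MZ"                 # 4D 5A, the DOS/PE header magic
HEADER_END = b"\r\n\r\n"   # blank line that terminates the HTTP header


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (size lines are hex)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = end + 2
        out += body[start:start + size]
        pos = start + size + 2                         # skip the chunk's CRLF


def carve_http_body(dump: bytes) -> bytes:
    """Return only the response body from a saved server-side stream."""
    idx = dump.find(HEADER_END)
    if idx < 0:
        raise ValueError("no end-of-header (CRLF CRLF) found in dump")
    header = dump[:idx].decode("latin-1")
    body = dump[idx + len(HEADER_END):]
    if re.search(r"^transfer-encoding:.*\bchunked\b", header, re.I | re.M):
        return decode_chunked(body)
    m = re.search(r"^content-length:\s*(\d+)", header, re.I | re.M)
    if m:
        length = int(m.group(1))
        if len(body) < length:
            raise ValueError(f"truncated body: {len(body)} of {length} bytes")
        body = body[:length]   # drop anything saved after the declared length
    return body


def carve_exe(dump: bytes) -> bytes:
    """Carve the body and refuse anything that is not an MZ executable."""
    body = carve_http_body(dump)
    if not body.startswith(MZ):
        raise ValueError(f"body does not start with MZ: {body[:2]!r}")
    return body


# Constructed sample: a 200 response whose 10-byte body begins with MZ.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
          b"Content-Length: 10\r\n\r\nMZ\x90\x00\x03\x00\x00\x00\x04\x00EXTRA")

if __name__ == "__main__":   # usage (assumed): carve.py dump dump.exe
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    exe = carve_exe(data)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(exe)
    print(f"carved {len(exe)} bytes, magic {exe[:2]!r}")
```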

Good luck

D.L.

4 comments

  1. Did you know that, for files transferred over HTTP, Wireshark can do this automatically?
    File –> Export –> Objects –> HTTP

    Doug Burks, 10/09/2012
  2. Hi Doug
    Saw it, nope, it didn’t work for me. Got strange packet numbers, the same amount of bytes in each, none of them even close to the packets that include the required EXE file.
    Doesn’t look like the WS help page at all
    https://www.wireshark.org/docs/wsug_html_chunked/ChIOExportSection.html#ChIOExportObjectsDialog
    Possible reason, IMHO: the dump wasn’t made by Wireshark
    But thanks!

    Denis, 10/09/2012
  3. Did you try Unsniff ? You can even script such extraction by scripting the tool.

    vivekrj, 10/09/2012
  4. 2vivekrj
    I will try, thx!
    btw – nice try with email address 🙂

    Denis, 10/09/2012