
Determining the country of origin for an exe/dll file


Tag: windows,security,reverse-engineering,pe,malware-detection

I have a doubt as to how one comes to the conclusion that an exe/dll is from a specific country. Is there a field in the PE structure that saves this information?

I know that such information (timestamp etc.) can be overwritten and there is no way that one can be 100% sure, but still... There is always a statement in most analysis reports of malicious samples saying something like "This sample seems to have originated from xyz country".

I would love an answer which doesn't have a tool as a solution.


There are no fields or metadata within the PE/COFF format which give away any indication of a program's country of origin. The PE specification is available here: - it does contain a timestamp field, which should be set by the compiler, but this is easily forged.

I understand (though am uncertain) that the country-of-origin of malware is determined via the same means that biological epidemiology works: by tracing the infections back to the source, and given how the Internet works, it's very hard. Often infections spread via HTTP (for example) can be examined via the webserver logfiles which would have the source IP address, which can then be geolocated.

Other times malware contains direct clues as to its origin. With old-school malware (think: ILOVEYOU) the hubris of the author is their downfall; in the ILOVEYOU case, the author actually put "by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines" directly in the VBScript source code that the virus was written in.

For viruses ostensibly written in China or North Korea (which you're probably alluding to, considering the recent news of the Sony Pictures attack), it's possible they're making an educated guess based on strings contained within the program that are in Chinese or Korean script/characters.

...the problem with relying on these kinds of heuristics is that it's easy to "frame" a country and throw someone off your trail. If I were lacking in the moral department I could conceivably commit a false-flag operation by composing a virus such that it contained foreign language strings and used Tor or some other network to launch the attack from within another country, leaving no hint as to its true origins.

In short, I don't believe anyone can really know for certain - most times it's guesses based on the target and who hates the target the most - or cases where entities inadvertently reveal that they wrote it (e.g. Israel and Stuxnet).
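As an added example (it is not from the question or the answer above, nor code from any project the page names), the Python script below puts the two points of the answer into practice: it follows the DOS header's e_lfanew to the COFF file header and reads the TimeDateStamp the answer mentions, and it extracts narrow (UTF-8) and wide (UTF-16LE) strings and tallies which script each letter belongs to, which is the kind of heuristic behind "seems to have originated from". The PE image, its timestamp and the embedded Korean and Chinese literals are constructed inline for the example; the plausibility window for the timestamp and the string-extraction rules are assumptions of this example, not part of the PE specification.

```python
import re
import struct
import unicodedata
from collections import Counter
from datetime import datetime, timezone


# --- A hand-built PE image, constructed for this example (not a real binary) ---

def build_sample_pe(timestamp, strings):
    """DOS stub + "PE\\0\\0" + COFF file header + a blob of NUL-terminated literals."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE signature lives at 0x40
    coff = struct.pack("<HHIIIHH",
                       0x8664,      # Machine: x86-64
                       1,           # NumberOfSections (this toy image carries no section table)
                       timestamp,   # TimeDateStamp: seconds since the Unix epoch, written by the linker
                       0, 0,        # PointerToSymbolTable, NumberOfSymbols
                       0,           # SizeOfOptionalHeader: omitted to keep the sample short
                       0x0022)      # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    body = bytearray(b"\x00" * 8)                  # padding; the literal blob starts at 0x60
    for s in strings:                              # each literal ends in two NULs and is padded
        body += s + b"\x00\x00"                    # to a 4-byte boundary, the way a linker
        body += b"\x00" * (-len(body) % 4)         # typically lays out .rdata literals
    return bytes(dos) + b"PE\0\0" + coff + bytes(body)


SAMPLE_STRINGS = [                                 # constructed sample literals
    b"This program cannot be run in DOS mode.",   # narrow ASCII, present in nearly every PE
    "\uc545\uc131 \ucf54\ub4dc \ud14c\uc2a4\ud2b8".encode("utf-16-le"),  # Korean, wide
    "\u914d\u7f6e\u6587\u4ef6".encode("utf-8"),   # Chinese, UTF-8
    b"C:\\Users\\dev\\build\\agent.pdb",           # a PDB path, another artefact analysts read
    "kernel32.dll".encode("utf-16-le"),            # ASCII text stored as UTF-16LE
]
SAMPLE_PE = build_sample_pe(1419000000, SAMPLE_STRINGS)   # stamp = 2014-12-19T14:40:00Z


# --- Header parsing ---

def coff_header(pe):
    """Walk e_lfanew to the COFF file header and return its fields by name."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    names = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
             "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
    return dict(zip(names, struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)))


def link_time(pe):
    return datetime.fromtimestamp(coff_header(pe)["TimeDateStamp"], tz=timezone.utc)


# --- String extraction and script tally (heuristics assumed for this example) ---

def narrow_strings(data, min_len=4):
    """NUL-delimited runs that decode as printable UTF-8 (ASCII included).
    Returns (text, start, end) so the caller can mask them before the UTF-16 pass."""
    out = []
    for m in re.finditer(rb"[^\x00]+", data):
        try:
            text = m.group().decode("utf-8")
        except UnicodeDecodeError:
            continue
        if len(text) >= min_len and text.isprintable():
            out.append((text, m.start(), m.end()))
    return out


def wide_strings(data, min_len=4):
    """UTF-16LE runs at even offsets (wide literals are 2-byte aligned in real binaries).
    A run ends at a NUL unit or at any control, surrogate, private-use or unassigned code point."""
    out, run = [], []
    for i in range(0, len(data) - 1, 2):
        unit = data[i] | (data[i + 1] << 8)
        if unit == 0 or unicodedata.category(chr(unit)).startswith("C"):
            if len(run) >= min_len:
                out.append("".join(run))
            run = []
        else:
            run.append(chr(unit))
    if len(run) >= min_len:
        out.append("".join(run))
    return out


def script_tally(strings):
    """Count letters by the script named first in their Unicode name (LATIN, HANGUL, CJK, ...)."""
    tally = Counter()
    for s in strings:
        for ch in s:
            if ch.isalpha():
                tally[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return tally


def triage(pe, now=None):
    narrow = narrow_strings(pe)
    masked = bytearray(pe)
    for _, start, end in narrow:        # bytes already explained as narrow text are not
        masked[start:end] = b"\x00" * (end - start)   # re-read as UTF-16 (ASCII pairs look like CJK)
    wide = wide_strings(bytes(masked))
    built = link_time(pe)
    now = now or datetime.now(timezone.utc)
    return {
        "link_time": built.isoformat(),
        # Anyone can rewrite these 4 bytes, so the stamp is only flagged when it is absurd:
        # before Win32 existed (1990 is an assumed floor) or in the future.
        "link_time_plausible": datetime(1990, 1, 1, tzinfo=timezone.utc) <= built <= now,
        "narrow_strings": [t for t, _, _ in narrow],
        "wide_strings": wide,
        "scripts": script_tally([t for t, _, _ in narrow] + wide),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

Run against the constructed image, the tally comes back with 7 Hangul, 4 CJK and 62 Latin letters and a link time of 2014-12-19. Two design points matter for reading the output honestly: narrow strings are masked before the UTF-16 pass because pairs of ASCII bytes decode as CJK ideographs and would otherwise inflate the CJK count, and the plausibility check only catches a clumsy forgery, since a stamp inside the window tells you nothing about who set it. Likewise, the script tally shows what the author typed into the binary, not where the author sat, which is exactly the false-flag caveat the answer raises.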
