McAfee Web Gateway
We are the world's largest dedicated vendor of security solutions. McAfee proactively secures computers and networks worldwide against known and as yet unknown threats. Home users, enterprises, service providers, government agencies and our partners all rely on our security expertise and trust that our comprehensive, proven solutions effectively block attacks and prevent disruptions.

Quick Start Tutorial


Opening Files

FileInsight can open files for analysis either directly from the local hard disk, using the Open toolbar button, or by typing a URL into the Web toolbar and clicking the Get button (see the screenshot below, to the left). Files are displayed in either textual or hexadecimal format, which can be toggled via the View as Hex and View as Text toolbar buttons. The screenshot below shows part of a malicious web site opened in FileInsight:



Navigating Binary Files

C/C++ data structure declarations (see also Structure Declarations on MSDN) can be imported directly into FileInsight: click the Open toolbar button in the Structures window and choose the .h file to be opened. Such data structures can significantly simplify navigating binary file formats, for example the Windows® Animated Cursor File Format (see also Icons in Win32 on MSDN):

     typedef unsigned int DWORD; // 32-bit unsigned integer, as defined in <windows.h>

     struct ANIHeader {
          DWORD cbSizeOf; // Num bytes in AniHeader
          DWORD cFrames;  // Number of unique Icons
          DWORD cSteps;   // Number of Blits
          // ...
     };

The Go To dialog lets you jump not only to an absolute offset (or line, in text view mode), but also relative to the current position (see the screenshot above, to the right).



Analyzing Data

The Values window displays different interpretations of the data at the current cursor position (see the screenshot below, to the left). A toolbar button toggles between little-endian and big-endian byte order.

When the cursor is placed at a position that contains IA-32 machine code (see also Intel® 64 and IA-32 Architectures Software Developer's Manuals), the Disassembly window shows the disassembled code starting at (and relative to) the current offset. In this example, an exploit for the "Microsoft Windows Animated Cursor Remote Code Execution" vulnerability (MS07-017) has been opened in FileInsight, and the screenshot below highlights its decoder loop:
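As an added example (not part of the tutorial and not FileInsight's own code), the following C parser walks the RIFF/ACON chunk list of a .ani file and validates the anih chunk against the ANIHeader layout from the previous section before any offset is handed to the disassembler; it rejects a file whose chunk length or cbSizeOf field disagrees with the 36-byte header, which is the kind of structural inconsistency a suspect cursor file should be checked for. The full nine-field struct, the return codes and the build_sample() helper that constructs a minimal test cursor are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
typedef uint32_t DWORD;

/* Complete 36-byte anih payload; the tutorial's declaration shows the first three fields. */
struct ANIHeader {
    DWORD cbSizeOf;                    /* Num bytes in AniHeader (must be 36) */
    DWORD cFrames;                     /* Number of unique Icons */
    DWORD cSteps;                      /* Number of Blits */
    DWORD cx, cy, cBitCount, cPlanes;  /* reserved, 0 */
    DWORD jifRate;                     /* default frame rate in jiffies (1/60 s) */
    DWORD flags;                       /* AF_ICON, AF_SEQUENCE */
};

/* Little-endian accessors, so parsing does not depend on host byte order. */
static DWORD rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (DWORD)p[3] << 24; }
static void wr32(uint8_t *p, DWORD v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Walk the RIFF/ACON chunk list and copy the anih header into *out.
 * Returns 0 on success, a negative code for any structural inconsistency. */
int parse_ani_header(const uint8_t *buf, size_t len, struct ANIHeader *out) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "ACON", 4)) return -1;
    size_t riff_end = 8 + (size_t)rd32(buf + 4);
    if (riff_end > len) return -2;                         /* RIFF size exceeds the file */
    for (size_t pos = 12; pos + 8 <= riff_end; ) {
        DWORD csize = rd32(buf + pos + 4);
        if (csize > riff_end - pos - 8) return -3;         /* chunk overruns its container */
        if (!memcmp(buf + pos, "anih", 4)) {
            const uint8_t *d = buf + pos + 8;
            /* both the chunk length and the header's own cbSizeOf must equal sizeof(ANIHeader) */
            if (csize != sizeof *out || rd32(d) != sizeof *out) return -4;
            DWORD *f = (DWORD *)out;
            for (size_t i = 0; i < sizeof *out / 4; i++) f[i] = rd32(d + 4 * i);
            return 0;
        }
        pos += 8 + csize + (csize & 1);                    /* chunk data is word-aligned */
    }
    return -5;                                             /* no anih chunk found */
}

/* Constructed sample (not a real cursor): RIFF/ACON holding one anih chunk; cb sets the
 * cbSizeOf field so a caller can exercise the size-mismatch path. Returns the length (56). */
size_t build_sample(uint8_t *buf, DWORD cb) {
    const DWORD fields[9] = { cb, 1, 1, 0, 0, 0, 0, 10, 1 };
    memcpy(buf, "RIFF", 4); wr32(buf + 4, 48); memcpy(buf + 8, "ACON", 4);
    memcpy(buf + 12, "anih", 4); wr32(buf + 16, 36);
    for (size_t i = 0; i < 9; i++) wr32(buf + 20 + 4 * i, fields[i]);
    return 56;
}
```

Once parse_ani_header() accepts a file, the offset of the anih payload is the position to set the cursor to in FileInsight and read through the imported structure.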



Scripting

Modification of a file's content can be automated using the built-in JavaScript support (see also A re-introduction to JavaScript). The screenshot below (to the left) shows a simple decoder loop written to decode the encoded payload of the given MS07-017 exploit. Modification using the setByteAt() script method is performed directly in the opened document. In the current example, running the decoder script reveals content that one would not expect to see in a normal ANImated cursor file ...