If you have an .exe that is malicious upon execution ("running" it / double-clicking on it), would extracting its contents with something like the 7-Zip utility mitigate its effects? Or can it still do harm?
1 Answer
No, attempting to extract files from within a malicious EXE is not dangerous, unless there's a vulnerability in the tools you use and the malicious EXE is crafted to exploit that vulnerability. In general, for tools that are meant to be able to safely open files from arbitrary sources (and yes, unzip tools fall into this category), the only time opening a malicious file could be dangerous is if there's a bug in the tool's parser (and hopefully 7-Zip, etc. wouldn't have such an issue).
A program is an algorithm, like a recipe in a cookbook. A malicious program is one that tells you to do something like mix vinegar with chlorine bleach (don't do this!) and inhale deeply. Running a program is simply following the steps of the algorithm. If you run code that tells your computer to do a bunch of harmful stuff, you (or at least your computer) will be harmed, just as if you follow instructions in a cookbook telling you to breathe poisonous gas or create an explosion.
On the other hand, merely reading the program (in a hex editor, or an archive extractor, or something else) shouldn't do you any harm. It should be as safe as reading a recipe or other list of instructions - no matter how malicious, such as the bleach-and-vinegar example above - in a cookbook.
With all that said, you're talking about running an algorithm (7-Zip, for example) that takes another algorithm (the malicious EXE) as input, and does something with it. That "something" usually won't be "follow its instructions", but it's still possible for there to be security vulnerabilities in the program you use, such that somebody who knew what program you would use and where its vulnerabilities are could create a specially-crafted EXE that, when unpacked by your program, exploits a bug in the program to do something harmful. Bugs like that do exist, but they're relatively rare and exploits for them usually need to be pretty targeted at one specific program.
If you're trying to analyze a known or suspected malicious file and had this question, I can't really recommend you go ahead without doing a lot more research, because if your level of computer knowledge is such that you had to ask this question then you probably don't know enough to usefully perform malware analysis (for example, opening an EXE in 7-Zip will usually not tell you much of use) and also don't know what other precautions to take while doing so (at a minimum, mark the malicious file as non-executable so it won't run even if you accidentally double-click it and/or use a VM without network or host disk access so that even if it does do some harm the harm is contained).
On the other hand, tinkering is fun and a good way to learn things. Just start with a "malicious" program that does something not-actually-harmful, and work your way up. Or, if you just want to know whether it's safe to open arbitrary files in 7-Zip: probably yes, but make sure you're using an up-to-date version.
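As an added illustration of the answer's point (example code written for this page, not from the original post or from 7-Zip): a small PE section-table reader that treats an EXE purely as data, never executing it, and applies the bounds checks a robust parser needs so a hostile header is rejected rather than read out of range. The sample image is constructed inline and is not a real program.

```python
import struct

def build_sample_pe() -> bytes:
    """Constructed minimal PE image: MZ stub, PE signature, COFF header,
    two section headers and their raw bytes. Not runnable code, just data."""
    e_lfanew = 0x80
    opt_size = 0                      # optional header omitted in this sample
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    raw0 = e_lfanew + 24 + 2 * 40    # raw data starts right after the section table
    text = struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, 16, raw0, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack("<8sIIIIIIHHI", b".rdata", 8, 0x2000, 8, raw0 + 16, 0, 0, 0, 0, 0x40000040)
    body = b"\xcc" * 16 + b"hello\0\0\0"   # 16 bytes of .text, 8 bytes of .rdata
    return dos + coff + text + rdata + body

def parse_pe_sections(data: bytes) -> list:
    """Read the section table out of a PE image. Every offset taken from the
    file is checked against len(data) before use; a crafted file that points
    outside itself raises ValueError instead of causing an out-of-range read."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):          # Python ints do not wrap; in C this sum can overflow
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, _, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        if rawptr + rawsize > len(data):
            raise ValueError("section raw data outside the file")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_offset": rawptr, "raw_size": rawsize})
    return sections

def section_bytes(data: bytes, sec: dict) -> bytes:
    """Return a section's raw bytes as plain data (reading, not running)."""
    return data[sec["raw_offset"]:sec["raw_offset"] + sec["raw_size"]]

def corrupt_e_lfanew(data: bytes) -> bytes:
    """Constructed malformed variant: e_lfanew pointing far past the end of the file."""
    return data[:0x3C] + struct.pack("<I", 0x7FFFFFF0) + data[0x40:]

if __name__ == "__main__":
    image = build_sample_pe()
    for sec in parse_pe_sections(image):
        print(sec["name"], hex(sec["virtual_address"]), section_bytes(image, sec).hex())
```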
The algorithm-recipe analysis is spot on. I know this is a fairly basic question but I had an argument with someone that said it's dangerous to extract a malicious exe. I don't know what they really meant but it didn't make any sense to me how "unzipping" an exe would lead to any code execution. I mean, the only time I extracted an executable was to get the files for some drivers instead of letting it to its job and install them. – fibonaccipistacci May 20 '19 at 18:45
Ah, gotcha. I'll re-word the answer a bit in light of this info. – CBHacking May 20 '19 at 19:29