How do I modify an executable file to get it past email attachment filters?

0

I'm trying to email myself a utility (HJSplit) because I can't download it directly on my work computer. Of course, my company's filters are there to stop me from doing exactly this. But darn it, I'm trying to get some work done, and I can't open this 500 MB log file without splitting it first. (Notepad can't even handle 100 MB. And UltraEdit crashes for some reason, even though it should be able to handle it.)

I opened the ZIP of the utility in a hex editor (UltraEdit) and modified a few bits, and changed the extension to JPG. This made it past Gmail's no-executables rule, but still got blocked by my company's Exchange server.

Regardless of the (a)morality of what I'm doing, I'm curious: what bits need to be changed to make the nature of a file indistinguishable or unidentifiable (or identifiable as a benign type) to a filter?

Andrew Cheong

Posted 2016-01-08T22:44:19.740

Reputation: 1 355

inb4 Moral Orel tells us to respect company policies and that I should talk to my IT staff. That's fine and I may very well end up doing that since this has taken longer than simply asking, but I'm still curious as to whether it's possible to change "magic bytes" to fool filters. – Andrew Cheong – 2016-01-08T22:46:34.280

The Exchange server might be sniffing the file; zip it up and password-protect it, and see if it goes through. – Moab – 2016-01-08T23:25:06.983

Answers

1

Something that will make it indistinguishable in most cases is encrypting the file. There are quite a few utilities that will perform this for you. I would recommend GPG for Linux or TrueCrypt for Windows. (Yes, I understand TrueCrypt is no longer supported, but because you just want to bypass a filter you should be good.)

And of course, you can open the utility in a HEX editor and delete some of the "Magic" bytes. I would say the first 100 values should work, and copy these into a separate file you will email with the utility itself (sans the first hundred bytes).

Hope this helps!

Gamerb

Posted 2016-01-08T22:44:19.740

Reputation: 834

Ah, encryption makes sense. I did try what you suggested about cutting out the beginning, but I think because they were special characters they didn't paste correctly over Remote Desktop—so I couldn't restore the file without manually typing in the various hex bytes. Probably something I could have circumvented if I tried harder. – Andrew Cheong – 2016-01-08T23:02:42.117

0

I found that in my case of trying to sneak a zipped EXE, I had to change not only the first two bytes (known as "the magic number"), but also a sequence of bytes spelling out the zipped filename.

For example, the original ZIP began with PK, designating a zipped file:

[hex editor screenshot]

I changed it to a BM, designating a bitmap file:

[hex editor screenshot]

Also the original ZIP spelled out hjsplit.exe, so I changed it to hjsplit.bmp. I renamed the file itself to hjsplit.bmp as well.

Andrew Cheong

Posted 2016-01-08T22:44:19.740

Reputation: 1 355

0

uuencode it. That will turn the file into plain text. Then remove the first line (the one starting with something like begin 644 filename).

You now have only regular plain text.

Mail the text, add the first line again and uudecode it.

Hennes

Posted 2016-01-08T22:44:19.740

Reputation: 60 739