Is there a way to see the URL/IPs that are hard-coded in an exe or dll without installing or running it?

I once saw a tool that extracted URLs from dll or exes, but I can't remember what it was.

schroeder
Bryro
  • If you want to check requests made without running the program, you decompile the code and analyze it [static analysis]. Hexrays is decent for that, but it'll be difficult unless tokens/debug symbols aren't stripped. Otherwise, you can sandbox the program and check requests made from there (however that requires execution) [dynamic analysis]. – belkarx Mar 30 '22 at 23:12

2 Answers

Without executing the application, you can only find plain-text and encoded URLs. Finding dynamically created or encrypted URLs is very difficult.

With static analysis, it's only possible to find strings which are stored in plain text. When using Linux, this can be done with grep:

grep -aEo "(http|https)://[a-zA-Z0-9./?=_%:-]*" /bin/bash

But using grep only finds URLs which are not encoded.

If the URL was encoded with Base64, you can try to search for Base64 strings, but this is error-prone:

grep -aEo '([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)' FILE_TO_CHECK |
while read -r u; do
  # decode each candidate; strings that are not valid Base64 are silently skipped
  echo "$u" | base64 -d 2> /dev/null | grep -aEo "(http|https)://[a-zA-Z0-9./?=_%:-]*"
done

Base64 is the easiest method to hide the URL. There might be other encodings like Base32 or ROT13. I have seen hard-coded URLs in malware which were encoded with a custom encoding developed by the malware authors.

More complex applications might construct the URL at runtime. Perhaps the URL is encrypted and not encoded. Even in cases when the private key is available, it's hard to find encrypted URLs in an application.

By decompiling the application you have a better chance of finding hidden URLs. You can reconstruct each function call and rebuild the strings.

The application's code might be obfuscated, which makes it even harder to find the URLs in decompiled applications.

To find other information you have to use different regexes for grep:

  • Regex for URLs: (http|https)://[a-zA-Z0-9./?=_%:-]*
  • Regex for Base64: ([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)
  • Regex for IPv4: ([0-9]{1,3}\.){3}[0-9]{1,3}
  • Regex for IPv6: (([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))
Manfred Kaiser
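The grep and Base64-decoding approach from the answer above, as an added Python example that is not part of the original answer. It goes one step further than the answer: besides the raw bytes it also scans UTF-16LE wide-string runs, the form in which Windows exe/dll files commonly store strings and which a plain grep -a misses. The sample binary is constructed inline; the URLs and address in it are made up.

```python
import base64
import re

# Constructed sample "binary" (not from any real file): an ASCII URL, a UTF-16LE
# wide-string URL as Windows PE files commonly store them, an IPv4 literal and a
# base64-encoded URL, surrounded by junk bytes.
SAMPLE_BIN = (
    b"\x00\x01MZ\x90junk http://example.com/update?v=1 \x00\x00"
    + "https://wide.example.net/c2".encode("utf-16-le")
    + b"\x00\x00 192.168.10.25 \x00"
    + base64.b64encode(b"http://hidden.example.org/beacon")
    + b"\x00\xff"
)

URL_RE = re.compile(rb"https?://[a-zA-Z0-9./?=_%:-]+")  # same character set as the answer's regex
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")
# Runs of at least 16 base64 characters (whole quads) with optional trailing padding.
B64_RE = re.compile(rb"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
# Runs of at least 4 printable ASCII characters stored as UTF-16LE (char, NUL pairs).
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_indicators(data: bytes) -> dict:
    """Return plaintext URLs, IPv4 literals and base64-decoded URLs found in data.

    The raw bytes are scanned first; then every UTF-16LE wide-string run is
    converted back to ASCII and scanned with the same patterns.
    """
    views = [data] + [
        m.group(0).decode("utf-16-le").encode("ascii") for m in WIDE_RE.finditer(data)
    ]
    urls, ips, decoded = set(), set(), set()
    for view in views:
        urls.update(m.group(0).decode("ascii") for m in URL_RE.finditer(view))
        ips.update(m.group(0).decode("ascii") for m in IPV4_RE.finditer(view))
        for m in B64_RE.finditer(view):
            try:
                plain = base64.b64decode(m.group(0), validate=True)
            except ValueError:  # not valid base64 after all (bad length or padding)
                continue
            decoded.update(u.decode("ascii") for u in URL_RE.findall(plain))
    return {"urls": sorted(urls), "ipv4": sorted(ips), "base64_urls": sorted(decoded)}


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BIN
    for kind, values in extract_indicators(blob).items():
        print(kind, values)
```

Run it with a file path to scan a real binary; as with the answer's grep approach, URLs built at runtime or encrypted with anything stronger than a fixed encoding will not show up.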

strings command, grep or using a hex editor.

schroeder
  • This answer is too light to be useful. This answer assumes Linux is being used, and it's not that simple. – schroeder Mar 31 '22 at 11:53