GDPR and 3rd party components

Jakub Jóźwicki
2 min read · Sep 17, 2020

Let’s say your project uses 3rd party components as binaries, not as source code. If you don’t take these dependencies from a trusted repository (like Maven Central), how can you be sure that a selected external program or library does what it advertises, rather than mining bitcoin or stealing sensitive data? (A trusted repository only tells you who published the artifact, not what it does, so the checks below are worth knowing even then.)

Let’s say we want to extract text blocks from PDF files containing invoices. We found a cool program on the Internet. Both the source code and binaries are available for download. We could download the code, review it, compile it and use our own executable. That is quite time consuming. What are the other options?

We may analyze the provided binary. Let’s start with Dependency Walker, a tool that lists the DLL imports of a Windows application. When the OS loads a PE file, the loader resolves these imports by name (or by ordinal) and links them dynamically, so the function pointers become visible in the process’s address space. Windows randomizes where images load (Address Space Layout Randomization, for images built with /DYNAMICBASE), which means that every instance of an application sees the same function names at different addresses. Before ASLR, the system DLLs sat at the same base address on every machine running the same Windows build, so malware could call system functions through hard-coded addresses such as 0x7c800000+1278. Nowadays every function has to be looked up: either through the import table, which is what Dependency Walker shows us, or at run time through GetProcAddress. That is why a binary whose import table is nearly empty apart from LoadLibrary and GetProcAddress, and which then calls through function pointers, is suspicious: it is resolving its real imports at run time, where no import lister sees them. Legitimate software does this too (plugin loaders, optional APIs), so treat it as a prompt for closer inspection rather than proof. Two practical notes: Dependency Walker is no longer maintained and gets confused by the api-ms-win-* forwarding DLLs on current Windows, so dumpbin /imports from the Visual Studio tools or the pefile Python library give the same list more reliably; and imports by ordinal show no name at all, so look the ordinal up in the DLL’s export table.

In our case the PDF text extractor’s import table shows no network-related functions, and it does not go through GetProcAddress to reach any. Good.
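The import-table check described above, as an added example that is not part of the original post: a pure-Python walker over the PE import directory (no pefile dependency), plus a small builder that produces constructed PE fixtures so the whole thing runs offline. The DLL names in NETWORK_DLLS, the function names in RUNTIME_RESOLVERS, the `looks_packed` threshold of ten static imports and both sample import tables are my assumptions for the example, not anything the page states.

```python
import struct
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")     # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100        # DllCharacteristics bits: ASLR opt-in, DEP opt-in
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll", "dnsapi.dll"}
RUNTIME_RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"}

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Walk the import directory of a PE32 or PE32+ file. Returns (DllCharacteristics, {dll: [symbol, ...]})."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1       # e_lfanew
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    thunk_fmt, tsize, dirs = ("<I", 4, opt + 96) if magic == 0x10B else ("<Q", 8, opt + 112)   # PE32 vs PE32+
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]        # same offset in both formats
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]     # data directory entry 1 = import table
    sections = [SECTION_HEADER.unpack_from(data, opt + opt_size + 40 * i)[1:5] for i in range(nsect)]
    def rva_to_off(rva):                                         # table entries hold RVAs; map them through the section table
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA %#x is not backed by any section" % rva)
    imports, desc = {}, (rva_to_off(import_rva) if import_rva else 0)   # no import table at all: nothing to walk
    while desc:
        oft, _, _, name_rva, ft = IMPORT_DESCRIPTOR.unpack_from(data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:               # all-zero descriptor terminates the list
            break
        thunk, symbols = rva_to_off(oft or ft), []               # some linkers leave OriginalFirstThunk zero
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry >> (8 * tsize - 1):                         # top bit set: import by ordinal, no name to show
                symbols.append("#%d" % (entry & 0xFFFF))
            else:                                                # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the ASCII name
                symbols.append(_cstr(data, rva_to_off(entry) + 2))
            thunk += tsize
        imports[_cstr(data, rva_to_off(name_rva)).lower()] = symbols
        desc += IMPORT_DESCRIPTOR.size
    return dllchar, imports

def assess(data):
    """The article's static checks; 'looks_packed' is a prompt for closer inspection, not a verdict."""
    dllchar, imports = parse_imports(data)
    flat = [(dll, sym) for dll, syms in imports.items() for sym in syms]
    resolvers = sorted({sym for _, sym in flat if sym in RUNTIME_RESOLVERS})
    return {
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "static_imports": len(flat),
        "network_dlls": sorted(dll for dll in imports if dll in NETWORK_DLLS),
        "runtime_resolvers": resolvers,
        # near-empty table plus LoadLibrary/GetProcAddress: the real imports are resolved at run time and never show here
        "looks_packed": bool(resolvers) and len(flat) <= 10,
    }

def build_sample_pe(imports, dllchar=DYNAMIC_BASE | NX_COMPAT, pe32plus=False):
    """Constructed fixture: a minimal, non-runnable PE whose single section holds only an import table."""
    sect_rva, sect_raw, body = 0x1000, 0x200, bytearray()
    thunk_fmt, tsize = ("<Q", 8) if pe32plus else ("<I", 4)
    def alloc(blob, align):                                      # append to the section, padded to `align`; return its offset
        body.extend(b"\0" * (-len(body) % align) + blob)
        return len(body) - len(blob)
    desc = alloc(b"\0" * IMPORT_DESCRIPTOR.size * (len(imports) + 1), 4)
    for i, (dll, syms) in enumerate(imports.items()):
        thunks = b""
        for sym in syms:
            if sym.startswith("#"):                              # "#23" -> import by ordinal
                thunks += struct.pack(thunk_fmt, (1 << (8 * tsize - 1)) | int(sym[1:]))
            else:
                thunks += struct.pack(thunk_fmt, sect_rva + alloc(b"\0\0" + sym.encode() + b"\0", 2))
        thunks += b"\0" * tsize
        oft, ft = sect_rva + alloc(thunks, tsize), sect_rva + alloc(thunks, tsize)
        name = sect_rva + alloc(dll.encode() + b"\0", 1)
        IMPORT_DESCRIPTOR.pack_into(body, desc + i * IMPORT_DESCRIPTOR.size, oft, 0, 0, name, ft)
    body.extend(b"\0" * (-len(body) % 0x200))
    dirs = 112 if pe32plus else 96
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                       # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, sect_rva + len(body), sect_raw)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, dllchar)                          # Subsystem (GUI), DllCharacteristics
    struct.pack_into("<I", opt, dirs - 4, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8, sect_rva + desc, IMPORT_DESCRIPTOR.size * (len(imports) + 1))
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))        # DOS header with e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    hdr += opt + SECTION_HEADER.pack(b".idata", len(body), sect_rva, len(body), sect_raw, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr + b"\0" * (sect_raw - len(hdr)) + body)

# Constructed samples: the import table of an ordinary tool, and the shape the article calls suspicious.
PLAIN_TOOL = {"kernel32.dll": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "HeapAlloc"], "user32.dll": ["MessageBoxW"]}
DROPPER_LIKE = {"kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"], "ws2_32.dll": ["#23", "connect"]}
if __name__ == "__main__":                                       # for a real file: assess(open(path, "rb").read())
    print(assess(build_sample_pe(PLAIN_TOOL)), assess(build_sample_pe(DROPPER_LIKE)), sep="\n")
```

Run it against a real download with assess(open(path, "rb").read()). Delay-load imports (data directory 13) and anything resolved through GetProcAddress do not appear in this table, which is exactly why a near-empty table next to LoadLibrary/GetProcAddress is the interesting case, and why the result is a reason to keep digging rather than a verdict either way.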

The analysis above might not be enough. The exe might be a dropper: a second executable that it writes to disk and runs. We can search for another embedded executable (a second MZ/PE header), but... the payload might be encrypted, and a simple XOR does the job, so the header is not there to find; a high-entropy region in the file is then the remaining giveaway. So we need to run the target executable and monitor it with Sysinternals Process Monitor, written by Mark Russinovich, which records file, registry, process and network activity as it happens; do this in a disposable virtual machine, not on the workstation that holds the invoices. If it still looks OK there is always the possibility that the evil happens only at some specific time (like the last day of the month at 13:13) or only when the program decides it is not being watched, and no amount of monitoring rules that out. So we need to disassemble the file using IDA Pro (or a free alternative such as Ghidra) and look for the date check and the decoding loop ourselves.
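The embedded-payload checks from the paragraph above, as an added example that is not part of the original post. It looks for a second MZ/PE header, brute-forces single-byte XOR keys by searching for the encoded DOS stub string instead of decoding the whole file 255 times, and flags high-entropy windows of the kind a properly encrypted payload leaves behind. The sample file, the key 0x5A, the 4 KiB window and the 7.2 bits-per-byte threshold are constructed or assumed for the example.

```python
import hashlib
import math
import struct

DOS_STUB = b"This program cannot be run in DOS mode"   # present in nearly every MSVC/MinGW-linked PE

def pe_header_offsets(data, start=0):
    """Offsets of plausible PE headers: 'MZ', a sane e_lfanew, and 'PE\\0\\0' where it points."""
    hits, pos = [], data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def find_embedded_pe(data):
    """A second PE header after the host's own one at offset 0 means an appended or embedded executable."""
    return pe_header_offsets(data, start=1)

def find_xor_encoded_pe(data, window=0x200):
    """Single-byte XOR brute force: XOR the DOS stub string with each key and search for that; on a hit,
    decode a window around it and confirm there is a real header in the decoded bytes.
    Multi-byte or rolling keys defeat this, which is when the disassembler comes out."""
    hits = set()
    for key in range(1, 256):
        needle = bytes(b ^ key for b in DOS_STUB)
        pos = data.find(needle)
        while pos != -1:
            start = max(0, pos - window)
            decoded = bytes(b ^ key for b in data[start:pos + window])
            hits.update((key, start + off) for off in pe_header_offsets(decoded))
            pos = data.find(needle, pos + 1)
    return sorted(hits)

def entropy(buf):
    """Shannon entropy in bits per byte: 0 for constant data, close to 8 for encrypted or compressed data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def high_entropy_windows(data, size=4096, threshold=7.2):
    """Fixed-size windows whose entropy suggests an encrypted payload, whatever section or overlay it sits in."""
    out = []
    for off in range(0, len(data), size):
        h = entropy(data[off:off + size])
        if h > threshold:
            out.append((off, round(h, 2)))
    return out

def fake_pe():
    """Constructed stand-in for an executable: DOS header, stub text, PE signature, zero padding."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)                  # e_lfanew
    hdr += DOS_STUB + b"\0" * (0x80 - len(hdr) - len(DOS_STUB))
    return bytes(hdr) + b"PE\0\0" + b"\0" * 0x100

# Constructed sample: a host program with one plain and one XOR-encoded executable appended,
# followed by a pseudo-random blob standing in for a properly encrypted payload.
XOR_KEY = 0x5A
FILLER = b"\0" * 6000 + b"A" * 1028                          # low entropy, sized so the blob starts on a 4 KiB boundary
HOST = fake_pe() + FILLER
PLAIN_DROP = fake_pe()
ENCODED_DROP = bytes(b ^ XOR_KEY for b in fake_pe())
RANDOM_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE = HOST + PLAIN_DROP + ENCODED_DROP + RANDOM_BLOB

if __name__ == "__main__":                                   # for a real file: replace SAMPLE with open(path, "rb").read()
    print("embedded PE at", [hex(o) for o in find_embedded_pe(SAMPLE)])
    print("xor-encoded PE", [(hex(k), hex(o)) for k, o in find_xor_encoded_pe(SAMPLE)])
    print("high-entropy windows", high_entropy_windows(SAMPLE))
```

On the sample this reports the plain copy at the end of the host, the encoded copy with its key, and only the final window as high entropy; the XOR-encoded copy is not flagged by entropy because XOR with a single byte preserves the byte distribution exactly, which is why the key search and the entropy scan are complementary rather than redundant.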

If we weren’t able to spot anything suspicious we may still want to scan the file with VirusTotal. Look up the file’s SHA-256 first: if the hash is already known you get the verdicts of dozens of engines without uploading anything. Uploading shares the file with the participating vendors, which is fine for a public download but not for a binary that embeds customer data.

Alibaba also has its own anti-malware tools.
VirusTotal also lists the library imports it found, so the Dependency Walker result can be cross-checked there.

If everything is OK we document all the steps in a report, showing that we do risk management for the components that touch personal data and that we are compliant with GDPR.
