binary art - byte-ing the pe that fails you (extended offline version)
DESCRIPTION
This is the extended offline version of an overview of the Portable Executable format and its malformations, presented at Hashdays in Lucerne on the 3rd November 2012.
Direct download link: http://corkami.googlecode.com/files/ange_albertini_hashdays_2012.zip
TRANSCRIPT
Binary art
Byte-ing the PE that fails you
3rd November 2012, Lucerne, Switzerland
Ange Albertini
http://corkami.com
extended edition
● the presentation deck had 60+ slides
● this one has 140+
● many extra explanation slides
● many extra examples
agenda
what's a PE?
the problem, and my approach
overview of the PE format
classic tricks
new tricks
© ID software
Portable Executable
based on Common Object File Format
Windows executables and more
● since 1993, used in almost every executable
  ● 32 bits, 64 bits, .Net
  ● DLL, drivers, ActiveX...
● also used as data container
  ● icons, strings, dialogs, bitmaps...
omnipresent in Windows
also EFI boot, CE phones, Xbox,... (but not covered here)
PE: universal Windows binary since 1993
pe101: pe101.corkami.com
the problem...
sins & punishments
● official documentation limited and unclear
  ● just describes standard PEs
  ● not good enough for security
● crashes (OS, security tools)
● obstacle for 3rd party developments
● hinders automation, classification
  ● PE or not?
  ● corrupted, or malware?
● fails best tools → prevents even manual analysis
aka “the gentle guide to standard PEs”
CVE-2012-2273
version_mini
ibkernel
normal
...and my approach
from bottom up
● analyzing what's in the wild
  ● waiting for malware/corruption to experiment?
● generate complete binaries from scratch
  ● manually
  ● no framework/compiler limitation
  ● concise PoCs
→ better coverage
I share knowledge and PoCs, with sources
block by block
a complete executable
pe.corkami.com
File
  PE (defined by the PE header)
  Appended data
PE
  Header
  Sections: code, data, <you name it>
Header
  DOS header: MZ, since IBM PC-DOS 1.0 (1981)
  'modern' headers: PE (or NE/LE/LX/...), since Windows NT 3.1 (1993)
Header
  DOS header
  (DOS stub): 16 bits
  (Rich header): compilation info
  'PE headers'
DOS Stub
PoC: compiled
● obsolete 16b code
  ● prints msg & exits
● still present on all standard PEs
  ● even 64b binaries
'Rich' header
PoC: compiled
● compiler information
  ● officially undocumented
● pitiful xor32 encryption
● completely documented by Daniel Pistelli
  http://ntcore.com/files/richsign.htm
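Added example, not from the deck or the Corkami PoCs: a decoder for the xor32 scheme, run on a Rich header constructed in the block. The layout it assumes (DanS, three padding dwords, (comp_id, count) pairs, then 'Rich' and the key in clear) follows Pistelli's description; the key's checksum role is not verified here.

```python
import struct

DANS = 0x536E6144   # 'DanS', little-endian dword that opens the structure
RICH = 0x68636952   # 'Rich', the closing marker, followed by the key in clear

def build_rich_header(entries, key):
    """Constructed sample: encode (comp_id, count) pairs the way the linker
    does, every dword XORed with the 32-bit key, then 'Rich' and the key."""
    words = [DANS, 0, 0, 0]              # 'DanS' plus three padding dwords
    for comp_id, count in entries:
        words += [comp_id, count]
    body = b"".join(struct.pack("<I", w ^ key) for w in words)
    return body + struct.pack("<II", RICH, key)

def split_comp_id(comp_id):
    """A comp_id packs the product id in the high word and the build in the low word."""
    return comp_id >> 16, comp_id & 0xFFFF

def decode_rich_header(data):
    """Find 'Rich', take the key after it, XOR backwards until 'DanS' shows up.
    Returns (key, [(comp_id, count), ...]) or None when no Rich header is found."""
    rich_off = data.find(struct.pack("<I", RICH))   # first 'Rich' in the DOS stub area
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    words = []
    off = rich_off - 4
    while off >= 0:
        word = struct.unpack_from("<I", data, off)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        off -= 4
    else:
        return None                       # ran off the start without meeting 'DanS'
    words.reverse()
    pairs = words[3:]
    if len(words) < 3 or words[:3] != [0, 0, 0] or len(pairs) % 2:
        return None                       # padding must decode to zeros, then pairs
    return key, [(pairs[i], pairs[i + 1]) for i in range(0, len(pairs), 2)]
```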
Dos header
● obsolete stuff
  ● only used if started in DOS mode
  ● ignored otherwise
● tells where the PE header is
'PE Headers'
  PE\0\0
  File header: declares the rest
  Optional header: absent in .obj
  Section table: mapping layout
  'NT Headers'
File header
● how many sections?
● is there an Optional Header?
● 32b or 64b, DLL or EXE...
NumberOfSections values
● 0: Corkami :p
● 1: packer
● 3-6: standard
  ● code, data, (un)initialized data, imports, resources...
● 16: free basic FTW :D
  ● what for?
Optional header
● geometry properties
  ● alignments, base, size
● tells where code starts
● 32/64b, driver/standard/console
● many non critical information
● data directory
Sections
● defines the mapping:
  ● which part of the file goes where
  ● what for? (writeable, executable...)
Data Directory
● (RVA, Size) DataDirectory[NumberOfRvaAndSizes]
● each of the standard first 16 has a specific use
→ often called 'Data Directories'
PE:  ...call [API]…   (Imports)
DLL: API: … ret       (Exports)
Exports
● 3 pointers to 3 lists
  ● defining in parallel (name, address, ordinal)
● a function can have several names
Imports
● a null-terminated list of descriptors
  ● typically one per imported DLL
● each descriptor specifies
  ● DLL's name
  ● 2 null-terminated lists of pointers
    – API names and future API addresses
● ImportsAddressTable highlights the address table
  ● for write access
Relocations
● PE have standard ImageBases
  ● EXE: 0x400000, DLL 0x1000000
  → conflicts between DLLs
  → different ImageBase given by the loader
● absolute addresses need relocation
  ● most addresses of the header are relative
  ● immediate values in code, TLS callbacks
  ● adds (NewImageBase - OldImageBase)
Resources
● icons, dialogs, version information, ...
● requires only 3 API calls to be used
  → used everywhere
● folder & file structure
  ● 3 levels in standard
Thread Local Storage
● Callbacks executed on thread start and stop
  ● before EntryPoint
  ● after ExitProcess
32 bits ↔ 64 bits
● IMAGE_FILE_HEADER.Machine
  ● 0x14c I386 ↔ 0x8664 AMD64
● IMAGE_OPTIONAL_HEADER.Magic
  ● 0x10b ↔ 0x20b
● ImageBase, stack, heap
  ● double ↔ quad
● sizeof(OptionalHeader): 0xe0 ↔ 0xf0
● TLS, import thunks also switch to qwords
NumberOfSections
● 96 sections (XP)
● 65536 Sections (Vista or later)
→ good enough to crash tools!
65535sects
maxsecXP
SizeOfOptionalHeader
● sizeof(OptionalHeader)
  ● that would be 0xe0 (32b)/0xf0 (64b)
  ● many naive tools fail if different
● offset(SectionTable) – offset(OptionalHeader)
● can be:
  ● bigger
    – bigger than file (→ virtual table, xp)
  ● smaller or null (→ overlapping OptionalHeader)
  ● null (no section at all)
Section-less PE
● standard mode:
  ● 200 ≤ FileAlignment ≤ SectionAlignment
  ● 1000 ≤ SectionAlignment
● 'drivers' mode:
  ● 1 ≤ FileAlignment == SectionAlignment ≤ 800
  → virtual == physical
  ● whole file mapped as is
  ● sections are meaningless
  ● can be none, can be many (bogus or not)
nosection*
1 ≤ FileAlignment == SectionAlignment ≤ 800
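Added example, not from the deck: a checker that applies the Machine/Magic pairs, the SizeOfOptionalHeader rule (section table = OptionalHeader offset + declared size) and the two alignment rule sets from the slides above to a header it constructs itself. The slides' alignment values are hex (0x200, 0x1000, 0x800); the finding codes are my own names.

```python
import struct

# values from the slides: Machine/Magic pairs and sizeof(OptionalHeader)
MACHINE_I386, MACHINE_AMD64 = 0x14C, 0x8664
MAGIC_PE32, MAGIC_PE32PLUS = 0x10B, 0x20B
EXPECTED_MAGIC = {MACHINE_I386: MAGIC_PE32, MACHINE_AMD64: MAGIC_PE32PLUS}
STD_OPT_SIZE = {MAGIC_PE32: 0xE0, MAGIC_PE32PLUS: 0xF0}
XP_MAX_SECTIONS = 96
SECTION_HEADER_SIZE = 40

def u16(data, off):
    return struct.unpack_from("<H", data, off)[0]

def u32(data, off):
    return struct.unpack_from("<I", data, off)[0]

def build_headers(machine, magic, size_opt, file_align, sect_align, nsections):
    """Constructed sample file: DOS header, 'PE\\0\\0', file header, a physically
    standard-sized optional header and a zeroed section table. size_opt is the
    *declared* SizeOfOptionalHeader and may disagree with the physical layout."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(STD_OPT_SIZE.get(magic, 0xE0))
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<II", opt, 0x20, sect_align, file_align)  # same offsets in PE32 and PE32+
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(SECTION_HEADER_SIZE * nsections)

def alignment_mode(file_align, sect_align):
    """Classify the alignments with the slide's two rule sets (hex values)."""
    if 0x200 <= file_align <= sect_align and sect_align >= 0x1000:
        return "standard"
    if 1 <= file_align == sect_align <= 0x800:
        return "drivers"     # virtual == physical: file mapped as is, sections meaningless
    return "invalid"

def inspect_headers(data):
    """Return geometry facts plus finding codes for the malformations above."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"findings": ["no_dos_header"]}
    pe_off = u32(data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return {"findings": ["no_pe_signature"]}
    fh = pe_off + 4
    machine, nsections, size_opt = u16(data, fh), u16(data, fh + 2), u16(data, fh + 16)
    opt_off = fh + 20
    # offset(SectionTable) = offset(OptionalHeader) + SizeOfOptionalHeader, whatever the real size
    sect_off = opt_off + size_opt
    magic = u16(data, opt_off) if opt_off + 2 <= len(data) else None
    if EXPECTED_MAGIC.get(machine) != magic:
        findings.append("machine_magic_mismatch")
    std = STD_OPT_SIZE.get(magic)
    if std is not None and size_opt != std:
        if size_opt == 0:
            findings.append("opt_size_null")      # section table overlaps the OptionalHeader
        elif size_opt < std:
            findings.append("opt_size_small")     # partial overlap
        else:
            findings.append("opt_size_big")
    if nsections == 0:
        findings.append("no_sections")
    elif sect_off >= len(data):
        findings.append("section_table_virtual")  # table lies past the end of the file
    elif sect_off + SECTION_HEADER_SIZE * nsections > len(data):
        findings.append("section_table_truncated")
    if nsections > XP_MAX_SECTIONS:
        findings.append("over_xp_section_limit")
    mode = None
    if opt_off + 0x28 <= len(data):
        mode = alignment_mode(u32(data, opt_off + 0x24), u32(data, opt_off + 0x20))
        if mode == "invalid":
            findings.append("bad_alignments")
    return {"machine": machine, "magic": magic, "size_opt": size_opt,
            "section_table_offset": sect_off, "alignment_mode": mode, "findings": findings}
```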
TinyPE
classic example of hand-made malformation
● PE header in Dos header
● truncated OptionalHeader
● doesn't require a section
● 64b & driver compatible
● 92 bytes
  ● XP only (no more truncated OptionalHeader)
  ● extra padding is required since Vista
→ smallest universal PE: 268 bytes
tiny*
Dual 'folded' headers
DD only used after mapping
http://www.reversinglabs.com/advisory/pecoff.php
1. move down header
2. fake DD overlaps start of section (hex art FTW)
3. section area contains real values
● loading process:
  1. header and sections are parsed
  2. file is mapped
  3. DD overwritten with real values
  ● imports are resolved, etc...
foldedhdr
null EntryPoint
● for EXEs
  ● 'MZ' disassembled as 'dec ebp/pop edx'
(null EP for DLLs = no DllMain call)
nullEP
virtual EntryPoint
● first byte not physically in the file
  ● 00 C0 => add al, al
virtEP
TLS on the fly
● the list of callbacks is updated on the fly
  ● add callback #2 during callback #1
tls_onthefly
ignored TLS
● TLS are not executed if only kernel32 is imported
  ● and if no DLL importing kernel32 is imported
  – Kaspersky & Ferrie
tls_k32
imports' trailing dots
● XP only
● trivial
  ● trailing dots are ignored after DLL name
● fails heuristics
dll-ld
Resources loops
● (infinite) loops
  ● not checked by the loader
  ● ignored if a different path is required to reach resource
resourceloop
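Added example, not from the deck or the Corkami PoCs: a walker that records a loop in a constructed resource directory instead of recursing forever, next to a loader-style type/name/language lookup that never meets the loop because it follows a single path. Structure sizes are the standard IMAGE_RESOURCE_* ones; IDs, offsets and the data entry are constructed.

```python
import struct

DIR_HDR = struct.Struct("<IIHHHH")   # IMAGE_RESOURCE_DIRECTORY (16 bytes)
DIR_ENTRY = struct.Struct("<II")     # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name/Id, OffsetToData
DATA_ENTRY = struct.Struct("<IIII")  # IMAGE_RESOURCE_DATA_ENTRY: RVA, Size, CodePage, Reserved
SUBDIR_FLAG = 0x80000000             # high bit set: the offset points at another directory

def directory(entries):
    """Constructed sample: a directory holding only ID entries (ident, offset)."""
    return DIR_HDR.pack(0, 0, 0, 0, 0, len(entries)) + b"".join(
        DIR_ENTRY.pack(ident, off) for ident, off in entries)

def build_looping_resources():
    """Constructed resource section (offsets relative to its start):
       0x00 root  -> type 0x10 at 0x18
       0x18 names -> name 1 at 0x38, name 2 back to 0x00 (the loop)
       0x38 langs -> lang 0x409 -> data entry at 0x50"""
    root = directory([(0x10, SUBDIR_FLAG | 0x18)])
    names = directory([(1, SUBDIR_FLAG | 0x38), (2, SUBDIR_FLAG | 0x00)])
    langs = directory([(0x409, 0x50)])
    data = DATA_ENTRY.pack(0x3000, 0x10, 0, 0)
    blob = root + names + langs + data
    assert len(root) == 0x18 and len(root + names) == 0x38 and len(blob) == 0x60
    return blob

def read_entries(blob, off):
    """Entries of the directory at off, or None if its header is out of bounds."""
    if off < 0 or off + DIR_HDR.size > len(blob):
        return None
    n_named, n_ids = DIR_HDR.unpack_from(blob, off)[4:]
    pos, out = off + DIR_HDR.size, []
    for _ in range(n_named + n_ids):
        if pos + DIR_ENTRY.size > len(blob):
            break                        # entry table truncated by the end of the data
        out.append(DIR_ENTRY.unpack_from(blob, pos))
        pos += DIR_ENTRY.size
    return out

def walk_resources(blob, off=0, path=(), on_path=()):
    """Depth-first walk that records loops instead of following them forever.
    Returns (leaves, loops): leaves = [(id path, data RVA, size)], loops = [(id path, target)]."""
    leaves, loops = [], []
    on_path = on_path + (off,)
    for ident, target in read_entries(blob, off) or []:
        ids = path + (ident,)
        if target & SUBDIR_FLAG:
            sub = target & 0x7FFFFFFF
            if sub in on_path:           # a directory already above us: loop
                loops.append((ids, sub))
                continue
            sub_leaves, sub_loops = walk_resources(blob, sub, ids, on_path)
            leaves += sub_leaves
            loops += sub_loops
        elif target + DATA_ENTRY.size <= len(blob):
            rva, size = DATA_ENTRY.unpack_from(blob, target)[:2]
            leaves.append((ids, rva, size))
    return leaves, loops

def find_resource(blob, type_id, name_id, lang_id):
    """Loader-style lookup: follows exactly the type/name/language path, so a loop
    reachable only through another path is never touched. Returns (rva, size) or None."""
    off = 0
    for level, wanted in enumerate((type_id, name_id, lang_id)):
        match = [t for i, t in (read_entries(blob, off) or []) if i == wanted]
        if not match:
            return None
        target = match[0]
        if level < 2:
            if not target & SUBDIR_FLAG:
                return None              # expected a subdirectory at this level
            off = target & 0x7FFFFFFF
        elif not target & SUBDIR_FLAG and target + DATA_ENTRY.size <= len(blob):
            return DATA_ENTRY.unpack_from(blob, target)[:2]
    return None
```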
EntryPoint change via static DLLs
static DLLs are called before EntryPoint call
● DllMain gets thread context via lpvReserved
  ● which already contains the future EntryPoint
→ any static DLL can freely change the EntryPoint
documented by Skywing (http://www.nynaeve.net/?p=127), but not widely known
ctxt*
Win32VersionValue
● officially reserved
  ● 'should be null'
● actually used to override version info in the PEB
● simple dynamic anti-emu
  ● used in malware
winver
★ New ★ tricks
Characteristics
● IMAGE_FILE_32BIT_MACHINE
  ● true for 64b
  ● not required!
● IMAGE_FILE_DLL
  ● not required in DLLs
    – exports still usable
    – no DllMain call!
● invalid EP → not an EXE
● no FILE_DLL → apparently not a DLL
→ can't be debugged
mininormal64
dllnomain*
Imports descriptor tricks
● INT bogus or absent
  ● only DllName and IAT required
  ● descriptor just skipped if no thunk
● DLL name ignored
  – can be null or VERY big
● parsing shouldn't abort too early
  ● isTerminator = (IAT == 0 || DllName == 0)
  ● terminator can be virtual or outside file
  ● first descriptor too
imports_virtdesc
  dd OriginalFirstThunk
  dd TimeDateStamp
  dd ForwarderChain
  ----------------------------
  dd Name
  dd FirstThunk
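Added example, not from the deck or the Corkami PoCs: a walker over a constructed 32-bit image that applies the termination rule above, treats reads past the file data (but inside SizeOfImage) as zeros so that a virtual terminator works, never dereferences the INT, and skips a descriptor whose IAT starts with a null thunk (my reading of "skipped if no thunk"). The Image class, the RVAs and the DLL names are constructed.

```python
import struct

DESCRIPTOR = struct.Struct("<IIIII")  # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
ORDINAL_FLAG32 = 0x80000000

class Image:
    """A 32-bit image mapped at RVA 0: the file's bytes, then zeros up to
    SizeOfImage. Reads past the file but inside the image return zeros, which
    is exactly why a terminator can sit outside the file."""
    def __init__(self, file_bytes, size_of_image):
        self.data, self.size = bytes(file_bytes), size_of_image
    def read(self, rva, n):
        if rva < 0 or rva + n > self.size:
            raise ValueError("read outside the image at RVA 0x%x" % rva)
        chunk = self.data[rva:rva + n]
        return chunk + bytes(n - len(chunk))
    def u32(self, rva):
        return struct.unpack("<I", self.read(rva, 4))[0]
    def cstring(self, rva, limit=256):
        raw = self.read(rva, min(limit, self.size - rva))
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def walk_imports(img, import_rva, max_descriptors=64, max_thunks=1024):
    """Walk the descriptor list with the rules of this slide: stop only when Name or
    FirstThunk is null, skip a descriptor whose IAT starts with a null thunk, and
    take the symbols from the IAT itself (pre-snap contents), never from the INT.
    Returns (imports, skipped): imports = [(dll, [symbol, ...])], skipped = [index]."""
    imports, skipped = [], []
    for idx in range(max_descriptors):
        raw = img.read(import_rva + idx * DESCRIPTOR.size, DESCRIPTOR.size)
        _int_rva, _, _, name_rva, iat_rva = DESCRIPTOR.unpack(raw)   # INT is never followed
        if name_rva == 0 or iat_rva == 0:     # isTerminator = (IAT == 0 || DllName == 0)
            break
        if img.u32(iat_rva) == 0:             # no thunk at all: descriptor skipped (assumption)
            skipped.append(idx)
            continue
        symbols = []
        for k in range(max_thunks):
            entry = img.u32(iat_rva + 4 * k)
            if entry == 0:
                break
            if entry & ORDINAL_FLAG32:
                symbols.append("#%d" % (entry & 0xFFFF))
            else:
                symbols.append(img.cstring(entry + 2))   # skip the 2-byte hint
        imports.append((img.cstring(name_rva), symbols))
    return imports, skipped

def build_sample():
    """Constructed 0x1BC-byte file mapped into a 0x1000-byte image, descriptors at RVA 0x180.
    Descriptor 2 has a bogus INT and an empty IAT; the terminator lies past the file data."""
    buf = bytearray(0x1BC)
    def put(rva, b):
        buf[rva:rva + len(b)] = b
    put(0x100, b"\0\0ExitProcess\0")                        # hint/name entry
    put(0x120, struct.pack("<II", 0x100, 0))                # kernel32 IAT: name RVA, terminator
    put(0x130, b"kernel32.dll\0")
    put(0x140, struct.pack("<I", 0))                        # empty IAT
    put(0x150, b"bogus.dll\0")
    put(0x160, struct.pack("<II", ORDINAL_FLAG32 | 5, 0))   # user32 import by ordinal
    put(0x170, b"user32.dll\0")
    put(0x180, DESCRIPTOR.pack(0, 0, 0, 0x130, 0x120)
             + DESCRIPTOR.pack(0xDEADBEEF, 0, 0, 0x150, 0x140)
             + DESCRIPTOR.pack(0, 0, 0, 0x170, 0x160))      # file ends here: no terminator on disk
    return Image(buf, 0x1000), 0x180
```

A parser that slices descriptors straight out of the file bytes gets a short read at 0x1BC and aborts, while the mapped view sees the zero terminator the loader sees.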
Collapsed imports
advanced imports malformation
● extension-less DLL name
● IAT in descriptor
● pseudo-valid INT that is ignored
● name and hint/names in terminator
  ● valid because last dword is null
corkamix
Exceptions directory
● 64 bits Structured Exception Handler
  ● usually with a lot of extra compiler code
● used by W32.Deelae for infection
  ● Peter Ferrie, Virus Bulletin September 2011
● update-able manually, on the fly
  ● no need to go through APIs
exceptions
seh_change64
Relocations tricks
● allows any ImageBase
  ● required on VAs: code, TLS, .Net
● ignored if not required
  ● no ImageBase change (→ fake relocs!)
  ● no code
  ● 64 bits RIP-relative code
  ● IP-independent code
● can relocate anything
  ● relocate ImageBase → alter EntryPoint
no_dd
ibknoreloc64
ibreloc
fakerelocs
Relocation types (in theory)
● HIGHLOW: standard ImageBase delta
● ABSOLUTE: do nothing, just for alignment padding
Relocation types in practice
● type 6 and 7 are entirely skipped
● type 8 is forbidden
● type 4 (HIGHADJ) requires a parameter
  ● that is actually not taken into account (bug)
● type 2 (LOW) doesn't do anything
  ● because ImageBases are 64kb aligned
● type MIPS and IA64 are present on all archs
● at last, some cleanup in Windows 8!
relocations' archeology
● HIGHADJ was there all along
● MIPS was recognized but rejected by Win95
● NT3.1 introduces MIPS – available in all archs.
● LOW was rejected by Win95/WinME
  ● while it does nothing on other versions
● Windows 2000 had an extra relocation type, also with a parameter
Bonus: Win95 relocations use 2 copies of the exact same code. code optimization FTW!
messing with relocations
● 4 relocation types actually do nothing
● All relocations can be applied on a bogus address
  ● HighAdj's parameter used as a trick
● Relocations can alter relocations
  ● one block can alter the next
● Relocations can decrypt data
  ● set a kernel ImageBase
  ● default ImageBase is known
● No static analysis possible
  ● but highly suspicious :D
reloccrypt
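Added example, not from the deck or the Corkami PoCs: an applier for .reloc blocks that uses the type semantics the slides give (ABSOLUTE and LOW do nothing, 6 and 7 are skipped, 8 is rejected, HIGHADJ consumes a parameter word that is not used) plus DIR64, which the slides do not list, and that flags the tricks from this slide: targets inside the headers, targets inside the relocation directory itself, and a kernel-range ImageBase. The finding names and the sample image are constructed.

```python
import struct

# relocation types with the behaviour the slides attribute to them
ABSOLUTE, LOW, HIGHLOW, HIGHADJ, DIR64 = 0, 2, 3, 4, 10
NOOP_TYPES = {ABSOLUTE, LOW}   # LOW does nothing because ImageBases are 64kb aligned
SKIPPED_TYPES = {6, 7}         # entirely skipped by the loader
FORBIDDEN_TYPE = 8             # the loader refuses the image

def u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]

def apply_relocations(image, reloc_rva, reloc_size, delta, size_of_headers, image_base=None):
    """Apply a .reloc directory in place (image: bytearray of the mapped file,
    delta = NewImageBase - OldImageBase) and return stats plus finding codes."""
    findings, types, applied = set(), {}, 0
    if image_base is not None and image_base >= 0x80000000:
        findings.add("kernel_imagebase")    # always relocated, and the new base is predictable
    end, pos = reloc_rva + reloc_size, reloc_rva
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            findings.add("malformed_block")
            break
        entries = struct.unpack_from("<%dH" % ((block_size - 8) // 2), image, pos + 8)
        i = 0
        while i < len(entries):
            rtype, target = entries[i] >> 12, page_rva + (entries[i] & 0xFFF)
            i += 1
            types[rtype] = types.get(rtype, 0) + 1
            if rtype == FORBIDDEN_TYPE:
                raise ValueError("relocation type 8 is forbidden; the loader rejects the image")
            if rtype == HIGHADJ:
                i += 1                      # consumes a parameter word that, per the slide, is unused
            if rtype in NOOP_TYPES or rtype in SKIPPED_TYPES or rtype == HIGHADJ:
                continue                    # nothing is written, so there is no target to inspect
            if target < size_of_headers:
                findings.add("reloc_in_header")   # e.g. ImageBase/EntryPoint fields altered
            if reloc_rva <= target < end:
                findings.add("reloc_on_reloc")    # relocations altering relocations
            if rtype == HIGHLOW:
                fmt, mask = "<I", 0xFFFFFFFF
            elif rtype == DIR64:
                fmt, mask = "<Q", (1 << 64) - 1
            else:
                findings.add("unmodelled_type_%d" % rtype)   # MIPS/IA64-style entries
                continue
            width = struct.calcsize(fmt)
            if target + width > len(image):
                findings.add("target_outside_image")
                continue
            value = struct.unpack_from(fmt, image, target)[0]
            struct.pack_into(fmt, image, target, (value + delta) & mask)
            applied += 1
        pos += block_size
    return {"applied": applied, "types": types, "findings": sorted(findings)}

def build_sample():
    """Constructed 0x2000-byte mapped image: headers 0x400 bytes, .reloc at RVA 0x1000 (32 bytes),
    a real pointer 0x00401234 (ImageBase 0x400000) at RVA 0x1800 and zeros elsewhere."""
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x1800, 0x00401234)
    block_a = struct.pack("<II6H", 0, 20,
                          HIGHLOW << 12 | 0x100,           # targets the header
                          HIGHADJ << 12 | 0x200, 0x1234,   # HIGHADJ entry plus its parameter word
                          6 << 12 | 0x300,                 # skipped type
                          ABSOLUTE << 12, ABSOLUTE << 12)  # padding
    block_b = struct.pack("<II2H", 0x1000, 12,
                          HIGHLOW << 12 | 0x800,           # the legitimate pointer
                          HIGHLOW << 12 | 0x008)           # rewrites block A's entries: reloc on reloc
    image[0x1000:0x1020] = block_a + block_b
    return image, 0x1000, 0x20
```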
Code in the header
● header is executable
  ● packers put some data or jumps there
● many unused fields
● many less important fields
● Peter Ferrie: http://pferrie.host22.com/misc/pehdr.htm
→ real code in the header
maxvals
hdrcode
traceless
.Net
Loading process:
1. PE loader
   • requires only imports (DD[1]) at this stage
2. MSCoree.dll called
3. .Net Loader
   ● requires CLR (DD[13]) and relocations (DD[5])
   ● forgets to check NumberOfRvaAndSizes :(
     – works with NumberOfRvaAndSizes = 2
fails IDA, reflector – but already in the wild
tinynet
(layout diagram: PE header with imports, followed by the .NET part with relocs and CLR)
non-null PE
● LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE
● data file PE only needs MZ, e_lfanew, 'PE\0\0'
● 'PE' at the end of the file
● pad enough so that e_lfanew doesn't contain 00s
a non-null PE can be created and loaded
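An added example (not from the deck) that builds the layout just described and contrasts a strict file parser with a loader-like view. It assumes that the loader maps the file in whole pages and reads zero bytes past the end of the file, so the two trailing NUL bytes of 'PE\0\0' come from the page padding rather than from the file; the sample file is constructed and contains no 0x00 byte at all.

```python
import struct

PAGE = 0x1000

def build_nonnull_datafile_pe():
    """Constructed sample: MZ, an e_lfanew with no zero byte, filler, 'PE' at EOF."""
    e_lfanew = 0x01010101     # lowest little-endian value without a 0x00 byte
    mz = b"MZ" + b"\x01" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return mz + b"\x01" * (e_lfanew - len(mz)) + b"PE"

def signature_offset(blob):
    return struct.unpack_from("<I", blob, 0x3C)[0]

def strict_is_pe(blob):
    """Static parser: the whole 4-byte signature must lie inside the file."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    off = signature_offset(blob)
    return off + 4 <= len(blob) and blob[off:off + 4] == b"PE\0\0"

def mapped_is_pe(blob):
    """Loader-like view: bytes past EOF up to the page boundary read as zero."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    off = signature_offset(blob)
    mapped_len = -(-len(blob) // PAGE) * PAGE      # round up to a page
    if off + 4 > mapped_len:
        return False
    sig = blob[off:off + 4] + b"\0" * max(0, off + 4 - len(blob))
    return sig == b"PE\0\0"

if __name__ == "__main__":
    sample = build_nonnull_datafile_pe()
    print("contains NUL:", b"\0" in sample)                 # False
    print("strict:", strict_is_pe(sample), "mapped:", mapped_is_pe(sample))  # False True
```

The gap between the two checks is exactly where a file scanner and the OS loader disagree about whether this is a PE at all.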
![Page 114: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/114.jpg)
d_nonnull-*
![Page 115: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/115.jpg)
Resources-only DLL
● 1 valid section
● 65535 sections under XP!
● 1 DataDirectory
![Page 116: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/116.jpg)
d_resource*
![Page 117: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/117.jpg)
subsystems
● no fundamental differences
● low alignments for drivers
● incompatible imports: NTOSKRNL ↔ KERNEL32
● console ↔ gui: IsConsoleAttached
→ a PE with low alignments and no imports can work in all 3 subsystems
![Page 118: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/118.jpg)
multiss*
![Page 119: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/119.jpg)
a 'naked' PE with code
● low alignments → no section
● no imports → resolve APIs manually
● TLS only → no EntryPoint
no EntryPoint, no section, no imports, but executed code
![Page 120: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/120.jpg)
nothing*
![Page 121: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/121.jpg)
external EntryPoint (1/2)
● in a DLL (with no relocations)
dllextEP
![Page 122: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/122.jpg)
external EntryPoint (2/2)
● allocated just before in a TLS
tls_virtEP
![Page 123: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/123.jpg)
skipped EntryPoint
● ignored via terminating TLS
tls_noEP
![Page 124: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/124.jpg)
from ring 0 to ring 3
● kernel debugging is heavy
● kernel packers are limited
1. change subsystem
2. use fake kernel DLLs (ntoskrnl, etc...)
● redirect APIs
– DbgPrint → MessageBoxA, ExAllocatePool → VirtualAlloc
→ automate kernel unpacking
![Page 125: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/125.jpg)
ntoskrnl
![Page 126: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/126.jpg)
TLS AddressOfIndex
● pointer to dword
● overwritten with 0, 1... on nth TLS loading
● easy dynamic trick
call <garbage> on file → call $+5 in memory
● handled before imports under XP, not in W7
same working PE, different loading process
![Page 127: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/127.jpg)
tls_aoiOSDET
![Page 128: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/128.jpg)
Manifest
● XML resource
● can fail loading
● can crash the OS! (KB921337)
● tricky to classify
● ignored if wrong type
Minimum Manifest:
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'/>
![Page 129: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/129.jpg)
DllMain/TLS corruption
● DllMain and TLS only require ESI to be correct
● even ESP can be bogus
● easy anti-emulator
● TLS can terminate with exception
● no error reported
● EntryPoint executed normally
![Page 130: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/130.jpg)
fakeregs
![Page 131: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/131.jpg)
a Quine PE
● prints its source
● totally useless – absolutely fun :D
● fills DOS header with ASCII chars
● ASM source between DOS and PE headers
● type-able manually
● types itself in new window when executed
![Page 132: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/132.jpg)
quine
![Page 133: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/133.jpg)
a binary polyglot
● add %PDF within 400h bytes
→ your PE is also a PDF (→ Acrobat)
● add PK\03\04 anywhere
→ your PE is also a ZIP (→ PKZip)
● throw a Java .CLASS in the ZIP
→ your PE is also a JAR (→ Java)
● add <HTML> somewhere
→ your PE is also an HTML page (→ Mosaic)
● Bonus: Python, JavaScript
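An added example (not the deck's corkamix code) of the scanner-side view of these polyglots: it looks for the secondary-format magics listed above, applying the same reach rule the slide gives (%PDF must start within 0x400 bytes, the others may sit anywhere), and walks ZIP local file headers to spot a .class member that would make the ZIP a JAR. The PE-shaped sample is constructed for the test; the .class payload is just a fake magic, not real bytecode.

```python
import struct

# (name, magic, max start offset or None for "anywhere"), as given on the slide
SIGNATURES = [
    ("PDF",  b"%PDF",       0x400),
    ("ZIP",  b"PK\x03\x04", None),
    ("HTML", b"<html",      None),   # matched case-insensitively
]

def secondary_formats(blob):
    """Return {format: offset} for every foreign magic that is placed where it
    would be honoured by the other parser."""
    found = {}
    for name, magic, limit in SIGNATURES:
        hay = blob.lower() if name == "HTML" else blob
        pos = hay.find(magic)
        if pos != -1 and (limit is None or pos < limit):
            found[name] = pos
    return found

def class_entries(blob):
    """Names of .class members, read from ZIP local file headers: the fixed
    part is 30 bytes, name length at +26, the name itself at +30."""
    names = []
    pos = blob.find(b"PK\x03\x04")
    while pos != -1 and pos + 30 <= len(blob):
        nlen = struct.unpack_from("<H", blob, pos + 26)[0]
        name = blob[pos + 30:pos + 30 + nlen]
        if name.lower().endswith(b".class"):
            names.append(name.decode("latin-1"))
        pos = blob.find(b"PK\x03\x04", pos + 4)
    return names

def build_sample():
    """Constructed polyglot-shaped blob: MZ stub, %PDF inside the first 0x400
    bytes, a ZIP local header carrying Foo.class, then an HTML tag."""
    mz = b"MZ" + b"\0" * 0x3E
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n"
    name = b"Foo.class"
    lfh = b"PK\x03\x04" + b"\0" * 22 + struct.pack("<HH", len(name), 0) + name
    fake_class = b"\xca\xfe\xba\xbe"          # placeholder, not real bytecode
    html = b"<HTML><body>polyglot</body></HTML>"
    return mz + pdf + b"\0" * 0x100 + lfh + fake_class + html

if __name__ == "__main__":
    sample = build_sample()
    print(secondary_formats(sample), class_entries(sample))
```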
![Page 134: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/134.jpg)
corkamix
![Page 135: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/135.jpg)
Conclusion
![Page 136: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/136.jpg)
Conclusion
● the Windows executable format is complex
● mostly covered, but many little traps
● new discoveries every day :(
http://pe101.corkami.com
http://pe.corkami.com
![Page 137: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/137.jpg)
Questions?
Thanks to
Fabian Sauter, Peter Ferrie, وليد عصر, Bernhard Treutwein, Costin Ionescu, Deroko, Ivanlef0u, Kris Kaspersky, Moritz Kroll, Thomas Siebert, Tomislav Peričin, Kris McConkey, Lyr1k, Gunther, Sergey Bratus, frank2, Ero Carrera, Jindřich Kubec, Lord Noteworthy, Mohab Ali, Ashutosh Mehra, Gynvael Coldwind, Nicolas Ruff, Aurélien Lebrun, Daniel Plohmann, Gorka Ramírez, 최진영, Adam Błaszczyk, 板橋一正, Gil Dabah, Juriaan Bremer, Bruce Dang, Mateusz Jurczyk, Markus Hinderhofer, Sebastian Biallas, Igor Skochinsky, Ильфак Гильфанов, Alex Ionescu, Alexander Sotirov, Cathal Mullaney
![Page 138: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/138.jpg)
Thank YOU!
@ange4771
Ange Albertini @gmail.com
http://corkami.com
![Page 139: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/139.jpg)
Bonus
![Page 140: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/140.jpg)
Not PE, but still fun
![Page 141: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/141.jpg)
older formats
● 32b Windows still supports old EXE and COM
● lower profile formats, evade detection
● an EXE can patch itself back to PE
● can use 'ZM' signature
● only works on disk :(
● a symbols-only COM file can drop a PE
● using Yosuke Hasegawa's http://utf-8.jp/public/sas/
![Page 142: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/142.jpg)
exe2pe, dosZMXP
![Page 143: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/143.jpg)
aa86drop.com
![Page 144: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/144.jpg)
file archeology
● bitmap fonts (.FON) are stored in NE format
● created in 1985 for Windows 1.0
● vgasys.fon still present in Windows 8
● file unchanged since 1991 (Windows 3.11)
● font copyrighted in 1984
● Properties show copyright name
→ Windows 8 still (partially) parses a 16b executable format from 1985
![Page 145: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/145.jpg)
![Page 146: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/146.jpg)
Drunk opcode
● Lock:Prefetch
● can't be executed
● bogus behavior under W7 x64
● does not trigger an exception either
● modified by the OS (wrongly 'repaired')
● yet still wrong after patching!
infinite loop of silent errors
![Page 147: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/147.jpg)
![Page 148: Binary art - Byte-ing the PE that fails you (extended offline version)](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b7019e4a7959943a8b45db/html5/thumbnails/148.jpg)
this is the end... my only friend, the end...