Windows PE files Infections and Heuristic Detection
Nicolas BRULEZ / Digital River
PACSEC '04
Introduction
Evolution of Computer Viruses
• Not Encrypted
• Encrypted
• Oligomorphic
• Polymorphic
• Metamorphic
PE File Format
• MZ Header
• The PE Header
• The PE File Header
• The PE Optional Header
• The Data Directory
• The Section Headers
Position Independent Code
• The virus needs to be executable at any memory address: it is grafted onto hosts with different image bases and nothing relocates it.
• Calculation of a delta offset: the difference between the address the code actually runs at and the address it was assembled for, used to reach the virus' own data.
Windows PE Files Infections Techniques
Virus Position
• Last Section:
- New Section
(before/after diagram of the section table not reproduced)
Virus Position
• Last Section:
- Last Section Expansion
(before/after diagram of the section table not reproduced)
Virus Position
• Header Infection
Virus Position
• Cavity (before/after diagram not reproduced)
Entry Point Position
• In the Last Section
Entry Point Position
• In the First Section
Entry Point Position
• Before the First Section
e_lfanew Infection
• e_lfanew is the file offset of the PE header.
• It is found at MZ+3Ch in the MZ header.
• Infection by modifying e_lfanew is really straightforward.
• The virus is copied to the end of the file together with its own PE header, so it does not need to be position independent: Windows maps it as the process image, at the virus' own ImageBase.
e_lfanew Infection
• The program is modified so that its e_lfanew points to the virus' PE header.
• Windows will therefore load the virus rather than the infected file.
• The virus then makes a temporary copy of the infected program and patches the original e_lfanew back into that copy, so the copy is the clean host.
• Finally the virus runs the temporary file (with CreateProcessA for example) and deletes it when that process exits.
Heuristic Detections on Windows PE Files
PE Structure Analysis
Heuristic detections are mainly based on analysis of the PE file structure
of Windows executables:
• Entry Point
• Section characteristics
• Section names (with specific characteristics)
• Values not updated in the PE header
• Position of the PE header in the file, etc.
PE Structure Analysis
• Entry Point in the Last Section
• Entry Point before the First Section
PE Structure Analysis
• Section characteristics:
- Last section « Executable »
- First section « Writeable »
• Section names AND their characteristics
PE Structure Analysis
• « SizeOfImage » incorrect in the PE Header
• PE Header near the end of the File
• « Size of Code » incorrect
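As an added worked example (not the engine presented in these slides and not the author's code), the following Python script implements the structural checks from the PE Structure Analysis slides, plus the "PE header near the end of the file" check that catches the e_lfanew infection described earlier. Field offsets follow the PE32 layout (IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, IMAGE_SECTION_HEADER). The test files are constructed in memory by build_pe; their section names, sizes and the "second half of the file" threshold for e_lfanew are assumptions chosen for the demonstration, not values from the presentation.

```python
import struct

# Section characteristic bits (names as in winnt.h)
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20, 0x20000000, 0x80000000
# Section names that should never carry code: an execute bit on them is suspicious
DATA_SECTION_NAMES = {b".data", b".rdata", b".rsrc", b".reloc", b".idata", b".bss"}

def align_up(v, a):
    return (v + a - 1) // a * a

def parse_pe(data):
    """Read the PE32 header fields a structural heuristic needs."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]               # MZ+3Ch
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                                # IMAGE_FILE_HEADER
    nsects, opt_size = struct.unpack_from("<H", data, fh + 2)[0], struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                                    # IMAGE_OPTIONAL_HEADER32
    magic, _, _, size_of_code, _, _, entry, _, _, _, sect_align, _ = \
        struct.unpack_from("<HBBIIIIIIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("PE32 only")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsects):                                          # IMAGE_SECTION_HEADER[]
        name, vsize, va, rawsize, _, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0"), vsize=vsize, va=va, rawsize=rawsize, chars=chars))
    return dict(e_lfanew=e_lfanew, entry=entry, size_of_code=size_of_code,
                size_of_image=size_of_image, sect_align=sect_align, sections=sections)

def heuristic_flags(data):
    """Return the structural anomalies from the slides that this file exhibits."""
    pe = parse_pe(data)
    secs = pe["sections"]
    first, last = secs[0], secs[-1]
    last_end = last["va"] + max(last["vsize"], last["rawsize"])
    flags = []
    if pe["entry"] < first["va"]:
        flags.append("entry point before the first section (inside the headers)")
    elif len(secs) > 1 and last["va"] <= pe["entry"] < last_end:
        flags.append("entry point in the last section")
    if len(secs) > 1 and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        flags.append("last section is executable")
    if first["chars"] & IMAGE_SCN_MEM_WRITE:
        flags.append("first section is writable")
    for s in secs:
        if s["name"] in DATA_SECTION_NAMES and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append("data section %s is executable" % s["name"].decode())
    want = align_up(last_end, pe["sect_align"])                      # what the linker would have written
    if pe["size_of_image"] != want:
        flags.append("SizeOfImage 0x%x not updated, expected 0x%x" % (pe["size_of_image"], want))
    code_total = sum(s["rawsize"] for s in secs if s["chars"] & IMAGE_SCN_CNT_CODE)
    if pe["size_of_code"] != code_total:
        flags.append("SizeOfCode 0x%x, code sections total 0x%x" % (pe["size_of_code"], code_total))
    if pe["e_lfanew"] > len(data) // 2:                              # assumed threshold: "near the end"
        flags.append("PE header at 0x%x in a 0x%x byte file (e_lfanew infection?)" % (pe["e_lfanew"], len(data)))
    return flags

def build_pe(sections, entry, size_of_image, size_of_code):
    """Constructed test input: minimal PE32 without imports.
    sections: list of (name, va, vsize, rawsize, characteristics, content)."""
    file_align, sect_align, e_lfanew = 0x200, 0x1000, 0x40
    sh_off = e_lfanew + 4 + 20 + 224
    hdr_len = align_up(sh_off + 40 * len(sections), file_align)
    hdr = bytearray(hdr_len)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<HBBIIIIIIIII", hdr, opt, 0x10B, 14, 0, size_of_code, 0, 0, entry,
                     0x1000, 0x2000, 0x400000, sect_align, file_align)
    struct.pack_into("<II", hdr, opt + 56, size_of_image, hdr_len)  # SizeOfImage, SizeOfHeaders
    body, rawptr = b"", hdr_len
    for i, (name, va, vsize, rawsize, chars, content) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", hdr, sh_off + 40 * i, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += content.ljust(rawsize, b"\0")
        rawptr += rawsize
    return bytes(hdr) + body

CODE_X = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
TEXT = (b".text", 0x1000, 0x200, 0x200, CODE_X, b"\x55\x8b\xec\x33\xc0\x5d\xc3")
DATA = (b".data", 0x2000, 0x100, 0x200, IMAGE_SCN_MEM_WRITE, b"hello\0")
VIR = (b".vir", 0x3000, 0x400, 0x400, CODE_X | IMAGE_SCN_MEM_WRITE, b"\xe8\x00\x00\x00\x00\x5d")

def clean_sample():
    return build_pe([TEXT, DATA], entry=0x1000, size_of_image=0x3000, size_of_code=0x200)

def new_section_sample():
    # virus appended as a new last section, EP moved there, SizeOfImage/SizeOfCode left stale
    return build_pe([TEXT, DATA, VIR], entry=0x3000, size_of_image=0x3000, size_of_code=0x200)

def header_infection_sample():
    # virus body in the slack after the section table, EP pointing before the first section
    return build_pe([TEXT, DATA], entry=0x190, size_of_image=0x3000, size_of_code=0x200)

def e_lfanew_infection_sample():
    # a second copy of the PE headers appended at the end of the file, e_lfanew redirected to it
    data = bytearray(clean_sample())
    tail = len(data)
    data += data[0x40:0x40 + 4 + 20 + 224 + 40 * 2]
    struct.pack_into("<I", data, 0x3C, tail)
    return bytes(data)
```

Running heuristic_flags on the four samples gives no flags for the clean file, four flags for the appended-section infection (entry point in the last section, last section executable, stale SizeOfImage and SizeOfCode), one for the header infection (entry point before the first section) and one for the e_lfanew infection. Each flag on its own is weak (packers and some linkers trigger several), which is why the slides combine them and score the file rather than alerting on one hit.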
Code Analysis
• Non-standard instruction at the entry point
• Calculation of a delta offset
• Suspicious code redirection:
- JMP FAR
- PUSH / RET
etc.
Code Analysis
• Code looking for PE files
• Usage of the PEB to obtain the image base of system DLLs
• Hardcoded values of important system data (PEB address, etc.)
Code Analysis
• Suspicious Strings Inside Code Sections.
- "*.exe"
- Name of Win Functions: FindFirstFileA, MapViewOfFile etc..
- Registry Keys : Run / RunOnce etc.
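As an added example (not the author's engine), the following Python code applies the Code Analysis checks from the last three slides, and the delta-offset idea from the Position Independent Code slide, to raw code bytes: the call $+5 / pop delta-offset sequence, PUSH imm32 / RET and far-JMP redirections, PEB access through fs:[30h], and the suspicious strings. The byte patterns are the standard x86-32 encodings; the sample "loader" bytes and the clean prologue are constructed for the demonstration, and the offset of the entry point inside the code is assumed to be known from the PE header (not parsed here).

```python
import re

# x86-32 byte patterns for the tricks named on the Code Analysis slides
PATTERNS = [
    # E8 00000000 = call $+5, then pop r32: the classic delta-offset computation
    ("delta offset (call $+5 / pop r32)", re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]", re.S)),
    # 68 imm32 C3 = push target ; ret: redirection without a jmp
    ("push imm32 / ret redirection", re.compile(rb"\x68.{4}\xc3", re.S)),
    # EA ptr16:32 = jmp far
    ("far jump (EA ptr16:32)", re.compile(rb"\xea.{6}", re.S)),
    # 64 A1 30000000 = mov eax, fs:[30h]; 64 8B /r with mod=00 rm=101 = mov r32, fs:[30h] (PEB)
    ("PEB access via fs:[30h]",
     re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00", re.S)),
]
SUSPICIOUS_STRINGS = [b"*.exe", b"FindFirstFileA", b"FindNextFileA", b"MapViewOfFile",
                      b"CreateFileMappingA", b"CurrentVersion\\Run"]

def scan_code(code):
    """Return (offset, label) for every pattern and string found in raw code bytes, by offset."""
    hits = [(m.start(), label) for label, rx in PATTERNS for m in rx.finditer(code)]
    for s in SUSPICIOUS_STRINGS:
        off = code.find(s)
        while off != -1:
            hits.append((off, "string %r" % s.decode()))
            off = code.find(s, off + 1)
    return sorted(hits)

def entry_point_hits(code, entry_off):
    """Labels of patterns that start exactly at the entry point: the strongest signal,
    since compiler-generated entry code normally starts with a prologue, not with these."""
    return [label for off, label in scan_code(code) if off == entry_off]

# Constructed sample of a virus loader as it would sit at the entry point
SAMPLE = (b"\xe8\x00\x00\x00\x00"        # call $+5
          b"\x5d"                        # pop ebp            ; ebp = runtime address of this pop
          b"\x81\xed\x05\x10\x40\x00"    # sub ebp, 401005h   ; delta = runtime - link-time address
          b"\x64\xa1\x30\x00\x00\x00"    # mov eax, fs:[30h]  ; PEB
          b"\x8b\x40\x0c"                # mov eax, [eax+0Ch] ; PEB->Ldr, to walk loaded DLLs
          b"\x68\x00\x10\x40\x00"        # push 401000h
          b"\xc3"                        # ret                ; jump to the host's original EP
          b"*.exe\0FindFirstFileA\0")    # strings the infector needs
# Constructed clean entry: push ebp ; mov ebp, esp ; sub esp, 10h ; push ebx/esi/edi
CLEAN_PROLOGUE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"
```

The anti-heuristic slides later in the deck show the limits of this: a loader that computes its delta with a call to a non-adjacent label, or that replaces push/ret with a stack-frame patch, produces none of these byte sequences, which is why the deck pairs byte-pattern checks with emulation.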
Emulation
• JMP FAR
• PUSH / RET
• + Various ways to redirect code flow
• Decryptor emulation (identification of decryption loops)
Anti Heuristic Techniques
PE Structure
• Section characteristics left unmodified
• More than one section added (fake reloc / imports)
• Overwriting part of the code section to avoid suspicion
• Packing the code section and placing the virus in the space freed
• EPO: Entry Point Obscuring
PE Structure
• FF15 / FF25 (call / jmp through IAT slots) patches
• Stack frame patches
• Updated checksums
• Existing sections are renamed (when possible)
• « Size of Code » fixed
Anti Emulation
• SEH - Structured Exception Handling.
• Co-Processor Instructions
• MMX / SSE Technology
• Undocumented Instructions
• Anti Virtual Machine Code
• Decryption Layers with Brute Forcing of Keys
• Threads
Anti Heuristic Code
• The delta offset is calculated differently
• Obfuscation to hide suspicious actions (PE file checks, etc.)
• No more strings in the virus loader: a CRC / hash of each API name instead
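As an added example (not code from the presentation), the following Python shows both sides of the last point: how a loader resolves an API from a hash instead of a string, and how a scanner answers it by precomputing the hashes of the APIs an infector needs and searching the code for those 32-bit constants. CRC32 comes from zlib; the ROR-13 hash is the widely used loader variant. The API list, the two hash choices and the sample loader bytes are assumptions for the demonstration.

```python
import struct
import zlib

def ror13_hash(name):
    """ROR-13 string hash, a common choice for API-name hashing in loaders."""
    h = 0
    for c in name:
        h = (((h >> 13) | (h << 19)) + c) & 0xFFFFFFFF
    return h

HASHES = {"crc32": lambda n: zlib.crc32(n) & 0xFFFFFFFF, "ror13": ror13_hash}

# APIs a file infector needs; the detection side precomputes their hashes (assumed list)
WATCHED_APIS = [b"FindFirstFileA", b"FindNextFileA", b"MapViewOfFile", b"CreateFileMappingA",
                b"CreateProcessA", b"GetProcAddress", b"LoadLibraryA"]

def resolve_by_hash(export_names, wanted, hash_fn):
    """Loader side: instead of comparing strings, hash each exported name and return the
    one matching the constant baked into the code (None if the DLL does not export it)."""
    for name in export_names:
        if hash_fn(name) == wanted:
            return name
    return None

def find_hash_constants(code):
    """Detection side: the API name strings are gone, but the 32-bit constants the loader
    compares against survive as immediates. Look for them at every byte offset."""
    table = {}
    for algo, fn in HASHES.items():
        for api in WATCHED_APIS:
            table[struct.pack("<I", fn(api))] = (algo, api.decode())
    return [(off,) + table[code[off:off + 4]]
            for off in range(len(code) - 3) if code[off:off + 4] in table]

def sample_loader(algo="ror13"):
    """Constructed sample: 'push hash ; call esi' for two APIs, as a hashing loader would emit."""
    fn = HASHES[algo]
    code = b""
    for api in (b"FindFirstFileA", b"MapViewOfFile"):
        code += b"\x68" + struct.pack("<I", fn(api)) + b"\xff\xd6"   # push imm32 ; call esi
    return code
```

The constant search only works for hash functions the scanner knows; a loader with a home-made hash, or one that obfuscates the constant (for example by storing it XORed), forces the scanner back to emulating the resolver loop, which is the emulation case the deck discusses.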
Presentation of a Basic Heuristic Engine
Presentation of a Basic Engine
• Standard binaries: notepad, regedit, calc, MS Paint, WordPad etc.
(Slides 34 to 36: image-only slides, not reproduced.)
Presentation of a Basic Engine
• Analysis of infected binaries: polymorphic, encrypted, standard, EPO etc.
(Slides 38 to 45: image-only slides, not reproduced.)
Presentation of a Basic Engine
Notes:
Although this is a basic engine, it heuristically detected every
virus generated with a very recent Win32 virus generator
(VCL32).
Presentation of a Basic Engine
• Analysis of packed files: PE protect, PEShield etc.
(Slides 48 to 50: image-only slides, not reproduced.)
Live Disassembly Demo
Live Demo
New worm infected by a new virus and PE packed.
Live disassembly of a real virus.
This virus is very recent, and is not detected by most anti-virus
vendors as I'm writing these slides.
Conclusion
Any Questions ?
Nicolas BRULEZ / Digital River
PACSEC '04