Portable Executable format, TitaniumCore report and packers Katja Pericin

Post on 14-Jan-2020


Portable Executable format

3/21/2018 2

Introduction

• file?
  • operating system abstraction for a data container
  • segment(s) of physical space containing bytes

• file format?
  • layout of data inside a data container
  • we give it meaning
  • endianness
  • file/memory alignment

Introduction

• common file format fields
  • format magic (“GIF89”, “PACK”, …)
  • reserved fields (“should be” something = ignored)
  • checksum fields (CRC)
  • file table offset/address
  • file size
  • file names and/or paths
  • timestamp
  • program specific details (compression, image width, palette, …)

Introduction

• executable files - loaded into memory by the OS
  • the OS’s loader parses the file format
  • arranges data in memory as needed
  • loads all additional dependencies
  • execution starts from a specific point
  • the OS cleans up afterwards

Portable Executable format

• native Win32 / Win64 format

• PE32 / PE32+

• Official documentation

File layout (top to bottom): MZ Header → PE Header → Optional Header → Section Headers → Section 1 … Section N → Overlay

MZ Header

• magic bytes: 0x4D 0x5A (“MZ”)
• size of header = 0x40 bytes
• at offset 0x3C: e_lfanew
  • offset to the PE header in the file

PE Header

• magic bytes – 0x50 0x45 0x00 0x00 (“PE”)

• size of header = 0x14 bytes

• target machine (i386, AMD64, MIPS, PowerPC, …)

• number of sections

• characteristics – file attributes
  • executable image
  • DLL
  • reversed endianness
  • large address aware (x64)

• size of optional header

Optional Header

• magic = 0x010B / 0x020B (32-/64-bit)
• not optional for executables ☺
• provides info to the loader
• size not fixed
  • determined by SizeOfOptionalHeader in the PE header
  • field sizes differ for 32- and 64-bit executables
  • usually 0xE0 for 32-bit if everything is included

Section Header

• header size = 0x28 bytes

• section name – can be whatever (8 bytes)
  • usually .text, .CODE, .data, .DATA, .rdata, …
  • section name DOES NOT define section content

• pointer to raw data – file offset

• size of raw data

• relative virtual address – address in memory

• virtual size – size in memory

• characteristics: attributes (readable, writeable, executable, …)

Data Directories

• (address, size) pairs

• list of tables used by Windows

• loaded into memory

• usually 0x10 data directories

• index in the table determines functionality

Data Directories

• common directories
  • export
  • import
  • resource
  • relocation
  • TLS

Data directory table (index determines functionality):
  0   Export Table
  1   Import Table
  2   Resource Table
  3   Exception Table
  4   Certificate Table
  5   Base Relocation Table
  6   Debug
  7   Architecture
  8   Global Ptr
  9   TLS Table
  10  Load Config Table
  11  Bound Import
  12  IAT
  13  Delay Import Descriptor
  14  CLR Runtime Header
  15  Reserved, must be zero

Export Directory

• usually present in DLLs, rarely in executables

• functions exported by ordinal and name

• we import other’s exports ☺

Import Directory

• describes the additional dependencies which the executable needs
  • libraries and their APIs
• each entry
  • size = 0x14
  • describes a single library
  • points to a list of all APIs imported from the library
  • points to the locations where the VAs of those APIs should be stored
• empty entry = directory end
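The import directory walk described on this slide, as an added example (my code, not from the slides and not the TitaniumCore parser). The section blob, the section base RVA 0x2000, the library name and the API names are all constructed for the example; the 0x14-byte descriptor layout, the zero terminating entry and the ordinal flag are the documented PE32 format. Besides the API list it records, for every import, the IAT slot where the loader will store the resolved VA.

```python
import struct

SECTION_RVA = 0x2000               # constructed: RVA at which the sample section is mapped
IMPORT_DESCRIPTOR_SIZE = 0x14      # one import directory entry = one library
IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit set in a PE32 thunk => import by ordinal


def build_sample_section() -> bytes:
    """Constructed section bytes holding an import directory for one library."""
    name_off, int_off, iat_off, ibn_off = 0x28, 0x40, 0x50, 0x60
    blob = bytearray(0x70)
    # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk (all RVAs)
    blob[0:0x14] = struct.pack("<IIIII", SECTION_RVA + int_off, 0, 0,
                               SECTION_RVA + name_off, SECTION_RVA + iat_off)
    # bytes 0x14..0x28 stay zero: the empty entry marks the end of the directory
    blob[name_off:name_off + 13] = b"kernel32.dll\0"
    # thunk list: one import by name (RVA of hint/name), one by ordinal 300, then terminator
    thunks = struct.pack("<III", SECTION_RVA + ibn_off, IMAGE_ORDINAL_FLAG32 | 300, 0)
    blob[int_off:int_off + 12] = thunks        # INT: never modified by the loader
    blob[iat_off:iat_off + 12] = thunks        # IAT: overwritten with VAs at load time
    blob[ibn_off:ibn_off + 14] = struct.pack("<H", 0x42) + b"CreateFileA\0"  # hint + name
    return bytes(blob)


def rva_to_offset(rva: int) -> int:
    """Assumption: every RVA we follow lies inside the single sample section."""
    off = rva - SECTION_RVA
    if off < 0:
        raise ValueError(f"RVA {rva:#x} lies outside the sample section")
    return off


def read_cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data: bytes) -> dict:
    """Return {library: [(api, iat_slot_rva), ...]} for a PE32 import directory."""
    imports, pos = {}, 0
    while True:
        if pos + IMPORT_DESCRIPTOR_SIZE > len(data):
            raise ValueError("import directory is not terminated inside the section")
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, pos)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                       # empty entry = directory end
        lib = read_cstring(data, rva_to_offset(name_rva))
        # Walk the INT if present, otherwise the IAT (some linkers leave OriginalFirstThunk 0)
        thunk_off, index, entries = rva_to_offset(oft or ft), 0, []
        while True:
            if thunk_off + 4 > len(data):
                raise ValueError("thunk list is not terminated inside the section")
            (thunk,) = struct.unpack_from("<I", data, thunk_off)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                api = f"#{thunk & 0xFFFF}"              # import by ordinal
            else:
                api = read_cstring(data, rva_to_offset(thunk) + 2)  # skip the 2-byte hint
            entries.append((api, ft + 4 * index))      # IAT slot that will hold the VA
            thunk_off, index = thunk_off + 4, index + 1
        imports[lib] = entries
        pos += IMPORT_DESCRIPTOR_SIZE
    return imports


if __name__ == "__main__":
    for lib, apis in parse_imports(build_sample_section()).items():
        for api, slot in apis:
            print(f"{lib}!{api} -> IAT slot RVA {slot:#x}")
```

A real parser replaces rva_to_offset() with a lookup through the section table, because the name strings and thunk lists may live in a different section than the descriptors; the termination checks matter because a packed or malformed file can point the directory past the end of the section.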

Resource Table

• multiple-level binary-sorted tree structure
• three levels (directories)
  • type
  • name
  • language
• pointers to
  • another directory table (lower level)
  • data description (leaves)

Overlay

• found at the end of a file: “appended data”
  • not loaded into memory
  • must be read from the file
• commonly used to
  • store configuration data
  • store additional program binaries or raw data
  • change the hash of an executable
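The MZ header, PE header, optional header, section header and overlay slides above describe a set of fields and offsets; the parser below is an added example (my code, not from the slides or from ReversingLabs) that reads those fields from a PE32 or PE32+ file, maps an RVA to a file offset through the section table, and finds the overlay as the bytes past the end of the last section's raw data. The input file is constructed in build_sample_pe() (the two section names, alignments and the "OVERLAY-DATA" tail are made up); the struct offsets are the documented PE layout.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HEADER_FMT = "<HHIIIHH"          # PE header: 0x14 bytes after the "PE\0\0" signature
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # section header: 0x28 bytes


def build_sample_pe() -> bytes:
    """Constructed PE32: MZ header, PE header, 0xE0 optional header, 2 sections, 0x20-byte overlay."""
    e_lfanew = 0x40                                  # PE header right after the 0x40-byte MZ header
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, e_lfanew)       # e_lfanew at offset 0x3C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack(COFF_HEADER_FMT, IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x010B)           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint (an RVA)
    struct.pack_into("<I", opt, 28, 0x00400000)      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes; the 16 pairs follow, left zero
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = struct.pack(SECTION_HEADER_FMT, b".data", 0x80, 0x2000, 0x200, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = bytes(mz) + b"PE\0\0" + coff + bytes(opt) + text + data
    headers += b"\0" * (0x200 - len(headers))        # pad the headers up to FileAlignment
    body = b"\xC3" * 0x200 + b"\0" * 0x200           # raw data of .text (ret opcodes) and .data
    overlay = b"OVERLAY-DATA".ljust(0x20, b"\0")     # appended data that no section header covers
    return headers + body + overlay


def parse_pe(data: bytes) -> dict:
    """Parse the headers from the slides; raise on the inconsistencies a loader would reject."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + 0x14
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x010B, 0x020B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    pe32plus = magic == 0x020B
    (entry,) = struct.unpack_from("<I", data, opt_off + 16)
    if pe32plus:                                     # ImageBase is 8 bytes at +24 in PE32+
        (image_base,) = struct.unpack_from("<Q", data, opt_off + 24)
        ndirs_off = opt_off + 108
    else:                                            # ... and 4 bytes at +28 in PE32
        (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
        ndirs_off = opt_off + 92
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(min(ndirs, 16))]
    sec_off = opt_off + opt_size                     # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from(
            SECTION_HEADER_FMT, data, sec_off + i * 0x28)
        if rptr + rsize > len(data):
            raise ValueError(f"section {i} raw data runs past the end of the file")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "rva": va, "raw_size": rsize, "raw_ptr": rptr,
                         "executable": bool(sc & IMAGE_SCN_MEM_EXECUTE),
                         "writable": bool(sc & IMAGE_SCN_MEM_WRITE)})
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return {"machine": machine, "characteristics": chars, "pe32plus": pe32plus,
            "entry_point": entry, "image_base": image_base, "data_directories": dirs,
            "sections": sections, "overlay_offset": end_of_sections,
            "overlay_size": max(len(data) - end_of_sections, 0)}


def rva_to_file_offset(pe: dict, rva: int) -> int:
    """Map an RVA to a file offset: find the section whose memory range contains it."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["rva"] <= rva < s["rva"] + span:
            return s["raw_ptr"] + (rva - s["rva"])
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:8} rva={s['rva']:#x} raw={s['raw_ptr']:#x}+{s['raw_size']:#x} "
              f"exec={s['executable']} write={s['writable']}")
    print(f"entry point file offset: {rva_to_file_offset(pe, pe['entry_point']):#x}")
    print(f"overlay: {pe['overlay_size']:#x} bytes at {pe['overlay_offset']:#x}")
```

The same overlay computation is what an analyst uses to carve appended data for hashing or extraction, and the per-section executable/writable flags, not the section names, are what to trust when judging what a section holds.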

TitaniumCore report

TitaniumCore report

• JSON

• Static analysis of files

• PE Format analysis is the most interesting for us
  • Parsing of all headers
  • Parsing of all data directories
• Example used in the following slides is part of the dataset, file fbe39061e9a75eb8da1d28d8c191f9c6581008ff.json

[Slides 19–29: walkthrough of the TitaniumCore report JSON for the example file; no text was extracted from these slides]

Reverse Engineering

RE tools

• Debuggers/Decompilers
  • OllyDbg, x64Dbg, IDAPro
• PE parsing
  • TitaniumCore report
  • LordPE
  • PEView
• Format identification
  • PEID (often wrong, not reliable)

Packers

• Single or multiple code layers

• Multiple compression algorithms in use

• aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg,…

• Custom PECOFF table processing (if present and selected by the user)

• Imports are usually compressed

• Resources are usually compressed

• Relocations are usually compressed

• TLS can be emulated

• Can pack x86/x64/.net files

• No anti-reversing protection

Crypters

• Multiple protection layers

• Polymorphic decryptors / entry

• Custom encryption algorithms

• Numerous anti-reversing protections

• Anti-debugging

• Import protection (redirections)

• Original entry point protection

Protectors

• Multiple encrypted code layers

• Multiple compression algorithms in use

• aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg,…

• Custom PECOFF table processing (if present and selected by the user)

• Imports are usually protected

• Resources are usually protected

• Relocations are usually protected

• TLS can be emulated

• Can protect x86/x64/.net files

• Usually come with integrated licensing

• Numerous anti-reversing protections

Original file layout vs. packed file layout (slide diagram):

  Original: DOS header, PE header, Sections (code, data, imports), Resources, Overlay
  Packed:   DOS header, PE header, Sections (the original sections, compressed), STUB, Resources, Overlay

Resource and Overlay

• If categorized by functionality, can be in any of the previous categories
• Protected data is stored in resources or overlay
  • Packers/Crypters/Protectors usually store data in sections
• Can use any of the previously described methods
  • Encryption
  • Compression
  • Anti-reversing protections
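The packer, crypter, protector and resource/overlay slides all say the same thing about the data itself: the original code, imports and resources end up compressed or encrypted, in sections, resources or the overlay, and usually only a small import set survives in the clear. Compressed or encrypted data has a byte distribution close to uniform, so a triage heuristic a practitioner would write is Shannon entropy per carved region plus an import count. The example below is added here (my code, not from the slides or from TitaniumCore); the regions are constructed stand-ins for carved parts of a packed file (the "random" payloads come from a deterministic SHA-256 chain), and the 7.0-bit threshold and the "at most 4 imports" cut-off are assumptions to tune, not rules from the slides.

```python
import hashlib
import math


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for a compressed/encrypted payload (chained SHA-256 blocks)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_regions() -> dict:
    """Constructed regions, as a PE parser would carve them from a packed file."""
    return {
        # repetitive x86-prologue-like bytes: plain code has low entropy
        ".text": b"\x55\x8b\xec\x83\xec\x10\xc3" * 600,
        # import name strings: the handful of APIs a packer keeps in the clear
        ".rdata": b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0" * 100,
        # a resource holding a compressed payload
        ".rsrc": pseudo_random(4096),
        # appended data that looks encrypted
        "overlay": pseudo_random(4096, b"overlay"),
    }


def high_entropy_regions(regions: dict, threshold: float = 7.0) -> list:
    """Names of regions whose byte distribution suggests compressed or encrypted content."""
    return [name for name, blob in regions.items() if shannon_entropy(blob) >= threshold]


def packer_indicators(regions: dict, imports: list, few_imports: int = 4) -> list:
    """Human-readable indicators; an empty list means nothing in this heuristic fired."""
    hits = [f"high entropy in {name}" for name in high_entropy_regions(regions)]
    if len(imports) <= few_imports:
        hits.append(f"only {len(imports)} imports")
    return hits


if __name__ == "__main__":
    regions = build_sample_regions()
    for name, blob in regions.items():
        print(f"{name:8} {len(blob):6} bytes  entropy {shannon_entropy(blob):.2f}")
    for hit in packer_indicators(regions, ["LoadLibraryA", "GetProcAddress"]):
        print("indicator:", hit)
```

Used beside the PEID-style signature check the slides call unreliable, this gives a second, signature-free signal; .NET assemblies, embedded images and genuinely compressed resources also score high, so a hit is a reason to look closer, not a verdict.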

www.reversinglabs.com All rights reserved ReversingLabs © 2018

Questions?