A bit more of PE

Hack in Paris 2012

  1. a bit more of PE (since Hashdays). Ange Albertini, 22nd June 2012
  2. Author
      ● reverse engineer
        ● since DOS 3.21
      ● ashamed by a malware
      ● back to my studies
        ● shared on my site
  3. http://CORKAMI.com
  4. Fact → PoC
  5. made with love
      ● Hand-made, from scratch
        ● patched / generated / compiled
        ● tedious – full control
      ● Pin-pointed
      ● Crystal clear
      ● Clean
  6. technical
  7. be nice to your friends
      ● ads / log-in / pay-wall / columns
      ● BSD/CC BY licence
        ● reusable commercially
      ● free sources, using free tools
        ● reviews, comments, suggestions
      ● free binaries
        ● downloadable in one click
      ● free documents
        ● including all the graphics
  8. free
  9. goals
      ● advertisement
        ● for my own use
      ● a good reference
        ● learn. remember. teach.
      ● a meaningful test set
        ● failed all tools
        ● clean
  10. enough PoCs → Wiki Page → presentation
  11. a graphic is worth 1000 lines of doc
  12. useful
  13. Ange ↔ Corkami: technical, free, useful
  14. Agenda
      1. What's a PE?
         ● yet another doc?
      2. Static oddities
      3. Dynamic oddities
  15. Introduction
  16. Portable Executable / Common Object File Format
  17. PE: universal Windows binary
  18. pe101.corkami.com
  19. questions?
  20. FASTEN YOUR SEATBELTS
  21. pe.corkami.com
  22. incomplete specs vs. reality of the OS
  23. FAIL
  24. is there a perfect documentation?
  25. Not at Microsoft, at least :)
  26. Other documentation?
      ● mostly based on existing files
      ● no PoCs anyway
        ● messy/limited/private
      Corkami's is perfect?
        ● no! – just a hobby
        ● explain everything – highlight oddities
  27. just to make sure
      standard PE:
        ● Sections
        ● EntryPoint
        ● Imports
  28. Static oddities
  29. most basic PE
      ● DataFile PE
        ● LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE
      ● must be a PE
      ● just a PE
        ● MZ / e_lfanew / PE. that's it
        ● machine, magic, imagebase, alignments, subsystem
        ● code!
        ● non-null!
        ● break parsers – corrupt values / truncated headers
  30. back to classic PEs
  31. DOS header
      ● Good old 16-bit stub
        ● still in Windows 7 64-bit!
      ● “This program cannot be run in DOS mode.” ?
  32. ImageBase
      ● multiple of 0x10000
      ● user-mode
        ● any address except system DLLs
        ● 00000000 under XP
      ● kernel-mode
        ● via relocation
        ● relocated to 10000
        ● CVE-2012-2273
  33. EntryPoint
      ● null
        ● MZ => dec ebp / pop edx
  34. EntryPoint
      ● virtual
        ● 00 C0 => add al, al
  35. EntryPoint
      ● external
        ● in a DLL / allocated via TLS
  36. EntryPoint
      ● ignored
        ● via TLS
  37. Subsystem
      ● no trick :(
        ● last required element of the header
      ● no specific requirements
        ● low alignments – unpack drivers in user-mode – multi-subsystem PE
  38. Sections
      ● 0-96 / 65536
      ● oversized or not (up to 0x74xx0000)
      ● sections in sections, duplicates, shuffled
  39. Dynamic oddities
  40. loading process 1/2
      ● Headers are parsed on disk
      ● Data directories are parsed in memory
        ● after section mapping
  41. loading process 2/2
      ● sections overlap header
        ● true Data directories are revealed
  42. TLS 1/2
      ● list of callbacks, updated on the fly
      ● executed at thread start/stop
        ● before EntryPoint
        ● after ExitProcess
      ● can trigger unhandled exceptions
  43. TLS 2/2
      ● points to import
      ● tricky execution conditions
      ● different loading order
      ● anything but ESI
  44. Relocations
      ● rebase code if loaded at different address
      ● not required in x64
        ● empty relocations still in x64 binaries
  45. faked relocations
  46. manual relocations
  47. Relocations encryption
      ● applied anywhere
        ● encryption
        ● on itself!
      ● MIPS supported on Intel OS+PE
  48. Relocations on ImageBase
      ● affects the EntryPoint
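Slides 44, 47 and 48 describe base relocations: the loader adds the difference between the actual and the preferred ImageBase to every fixup, and a relocation entry can point anywhere in the mapped image, including the headers or the relocation table itself. The following is an added example, not the talk's PoC code: a Python relocation walker that applies IMAGE_REL_BASED_HIGHLOW and IMAGE_REL_BASED_DIR64 fixups to a constructed PE32-style image and flags fixups that land in the headers or inside the relocation directory, which is what a reviewer of such a file would want to see reported. The image, the preferred base 0x00400000 and the load address 0x00500000 are constructed for the example.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # add delta to a 32-bit value
IMAGE_REL_BASED_DIR64 = 10     # add delta to a 64-bit value


def apply_relocations(image, preferred_base, actual_base, reloc_rva, reloc_size, size_of_headers):
    """Walk the IMAGE_BASE_RELOCATION blocks of a mapped image (a bytearray
    indexed by RVA) and add delta to each fixup in place.
    Returns (fixups, oddities): the (rva, type) pairs patched and the
    entries that target the headers, the table itself, or lie out of bounds."""
    delta = actual_base - preferred_base
    fixups, oddities = [], []
    end = reloc_rva + reloc_size
    if end > len(image):
        return fixups, ["relocation directory extends past the image"]
    pos = reloc_rva
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            oddities.append("block at rva %#x has bad SizeOfBlock %d" % (pos, block_size))
            break
        for off in range(pos + 8, pos + block_size - 1, 2):   # one WORD per entry
            entry, = struct.unpack_from("<H", image, off)
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                fmt, mask = "<I", 0xFFFFFFFF
            elif rtype == IMAGE_REL_BASED_DIR64:
                fmt, mask = "<Q", 0xFFFFFFFFFFFFFFFF
            else:
                oddities.append("unsupported relocation type %d at rva %#x" % (rtype, target))
                continue
            if target + struct.calcsize(fmt) > len(image):
                oddities.append("fixup at rva %#x lands outside the image" % target)
                continue
            if target < size_of_headers:
                oddities.append("fixup at rva %#x patches the headers" % target)
            if reloc_rva <= target < end:
                oddities.append("fixup at rva %#x patches the relocation table itself" % target)
            value, = struct.unpack_from(fmt, image, target)
            struct.pack_into(fmt, image, target, (value + delta) & mask)
            fixups.append((target, rtype))
        pos += block_size
    return fixups, oddities


def build_sample_image():
    """Constructed PE32-style mapped image of three pages: a header whose
    AddressOfEntryPoint field sits at offset 0x68, one absolute reference in
    the code page, and a relocation table of three blocks. Sample data only."""
    preferred_base = 0x00400000
    image = bytearray(0x3000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                 # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", image, 0x68, 0x1000)               # AddressOfEntryPoint
    # code page: mov eax, [0x00402000]; the absolute operand needs a fixup
    image[0x1000:0x1005] = b"\xA1" + struct.pack("<I", preferred_base + 0x2000)
    blocks = [(0x1000, [0x3001, 0x0000]),   # HIGHLOW on the operand at 0x1001
              (0x0000, [0x3068, 0x0000]),   # HIGHLOW on AddressOfEntryPoint (header)
              (0x2000, [0x3000, 0x0000])]   # HIGHLOW on the table's own first block
    pos = 0x2000
    for page_rva, entries in blocks:
        struct.pack_into("<II", image, pos, page_rva, 8 + 2 * len(entries))
        struct.pack_into("<%dH" % len(entries), image, pos + 8, *entries)
        pos += 8 + 2 * len(entries)
    return image, preferred_base, 0x2000, pos - 0x2000


def relocate_sample(actual_base=0x00500000):
    """Relocate the constructed image to actual_base and report what changed."""
    image, preferred, reloc_rva, reloc_size = build_sample_image()
    fixups, oddities = apply_relocations(image, preferred, actual_base,
                                         reloc_rva, reloc_size, size_of_headers=0x400)
    return {
        "delta": actual_base - preferred,
        "fixups": fixups,
        "oddities": oddities,
        "operand": struct.unpack_from("<I", image, 0x1001)[0],   # mov eax, [...] operand
        "entry": struct.unpack_from("<I", image, 0x68)[0],       # AddressOfEntryPoint after fixups
    }


if __name__ == "__main__":
    result = relocate_sample()
    print("delta %#x, operand now %#x, entry field now %#x" %
          (result["delta"], result["operand"], result["entry"]))
    for line in result["oddities"]:
        print("oddity:", line)
```

The second block shows the effect slide 48 names: a fixup on the AddressOfEntryPoint field changes it by delta like any other dword, so the value a loader reads after relocation is no longer the one on disk.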
  49. one last...
  50. Conclusion
      ● PE is a mess
        ● different OSes, different parsers
        ● no doc/tool is perfect
      ● still many unknowns
      ● simple: http://pe101.corkami.com
      ● advanced: http://pe.corkami.com
        ● 160+ PoCs
  51. Acknowledgments
      ● Peter Ferrie
      ● Bernhard Treutwein, Costin Ionescu, Deroko, Ivanlef0u, Kris Kaspersky, Moritz Kroll, ReversingLabs, Walied Assar, ...
      Questions?
  52. Thank YOU! Ange Albertini @gmail.com @ange4771